Company Group Share recommendations

Hi there,

in the past with our Seafile CE installation we had 1 user called “Company” that was at the same time the Admin.
This user had several libraries that were shared with Company Employees.

Now with Groups and Departments in Seafile PRO we think it is better to do this with Group Sharing.
If I’m not mistaken, Group Shares still have a defined owner for the Libraries whereas Libraries in Departments “belong” to the Department Name (no Owner transfer necessary if something changes)

Because we want to restrict access to certain Libraries within a Department, we would add just the users to the department that have full access to all Libraries and then share the libraries to the remaining users with regular share.

This has the advantage that we do not need a Company Admin as in the past (get 1 license more for users) and simply select 1 regular user as admin - because the Department and its Libraries do not belong to a user.
Also it makes owner changes obsolete if we do it the way we did in the past.

What is your recommendation on Group / Department sharing / access for such a scenario?
Are there even more elegant solutions?

cheers,
Adrian

Don’t be shy - share your experience, best practice - if you have any :slightly_smiling_face:

In the meantime we found out that Department Libraries offer less flexibility than user-owned shares.
It seems that you can not clean the trash (only growing) and also some other features that user owned Libraries offer are not available in Department Libraries.

The user manual does not seem to be very precise on this topic.
What is your experience?

Hi Adrian,

could you put together a list of things that make department-owned libraries less flexible than user-owned libraries? This would be very interesting and should either be documented or - better - fixed.

In fact, I considered user- and library-owned libraries pretty much equivalent. The only one thing I was truly missing was the option to transfer user-owned libraries to a department and a department-owned one to a user.

This said, I just checked: You are right. The system throws a permission-denied error when trying to empty the trash in a department-owned library. While playing around with it, I also came to realize that you cannot restore an entire library from a snapshot. You can only restore individual items from a snapshot.

Hi,

We are using Seafile Pro in the same context as yours and will switch to Group syncing in the next time, on a Seafile Pro 7.0x basis

Department syncing and management is limited to OUs in the LDAP structure, which is quite limiting.
With Group Syncing, you get more flexibility because you can use different ObjectClass for Group syncing.
I hope Seafile 7.0x will include GROUP FILTER as I already asked the devs for.

If you SYNC GROUPS as DEPARTMENTS, you can create a default library with anonymous owner, which looks to be your goal.

Please note that you don’t need to SYNC USERS to use SYNC GROUPS feature.

Enabling LDAP authentication is just what you need: any user that logs into Seafile will have its account created, its group(s) and default libraries.

Thank you for starting this discussion. I also think that sharing experience on Seafile management is useful.

regards

@rdb

The thing I noticed is related to the File History, Trash and Transfer

1.) you can not transfer to Department Shares (or back to user)
This might be handy if you already have a Library with lots of stuff and would like to convert (transfer) to a Department (or back if you don’t use the Department anymore)

2.) History Settings are not available for Department Libraries - probably related to 3.) below

Comparison User Library

3.) Data in the Trash of a Department Library can not be Cleaned - the Trash will only grow.
Maybe this is on purpose, but at some point you might want to clean up space

I think that’s it - maybe you find other differences too?

In general these features are nice and I assume they come from Universities. The current implementation does not look “general” for Enterprise but rather something that is named and structured for Seafile main Customers (Universities) I assume.

Remark: if you make lots of configurations (read-write / read-only Folders, Sharing of Libraries, Sharing us Folders) it might get quite complicated for a Sysadmin to check in an Overview (Report) what is shared/configured. Maybe this is possible to see somewhere?
Currently we keep track of this configuration separately…

Good to see a discussion on this matter as there are many possible ways on how to use Seafile and it’s hard to find best practices or recommendations.

Hi,

I can confirm with 7.01 Pro the following limitations

For 3), the feature is available but leads to a deny permission error

I would suggest to @daniel.pan if possible that:

1.) Department user may be available to an admin if he wants to transfer library into a department
2.) History Settings for Department Libraries may be available or at least set by default in a setting
3.) Data in the Trash of a Department Library should be Cleaned at least by an admin or a GC feature

I also noticed that libraries created during Department SYNC can not be deleted by the admin in the Admin library list. They are not deleted by the SYNC process either when the DEPT is not in the LDAP anymore. How could we fix that?

Regards

You can also consider adding sub-departments for better isolation of different data. The design of departments and department-owned libraries is to provide shared storage space for departments (either in Enterprise or Universities). The libraries in the shared space are “shared” to all department members by definition. So if you want some libraries to only be visible to some users, you may either directly share to them or create a sub-department for them.

What would be your suggestions to make these features more general?

Hi Jonathan,

what we tested (but finally dropped) was to create a department with only me as admin.
Then we shared libraries within this department “the old way”, sometimes read-write, sometimes read-only.
This is what you explained above and is a workaround to share read-only libraries from a department.
The disadvantages of this were:

  • no history settings for the libraries
  • no clean of trash possible
  • no transfer if we later must change it.

Also the nice feature of having the users and libraries listed on 1 page (in the department overview) was lost and there is no clear overview with whom you have shared and with whom not.
So we simply created libraries under my name and I share them with others.

What we also discovered is that if you remove a library from a Department (maybe by mistake) and you Restore it, it will say that it is belonging again to department “X” but it is not listed in this department.
We did not find a way to re-integrate a restored library in a department.

For enterprise you would have to explain clearly in the manual what you mean by “Department”, etc.
The term “Department” might mean different things for Universities and Corporations so people might not understand right away what it is all about and what the impacts are.
It was more of a trial-and-error process for us to find out what this feature does, how it works and what the limitations are.

In general I think it is a good idea but very much related to your main customers and after having trouble with it, we simply dropped it and don’t use it at all.

What we also tested was setting “read-only” attribute on a subfolder.
In our case the default admin of Seafile is me, as a regular user.
The reason for this is that we exactly need 9 licenses and thus can not afford an extra administrator.
I then restricted some subfolders to “read-only” also for me (the admin) and it worked.
But I was unable to remove this attribute from the subfolder and I was stuck.

I’d have expected that I would not be able to remove this folder and/or create or modify content in it but still be able to set back the attribute to read-write.
It was not possible - I was stuck.

So finally I just have full access of all libraries and share them with others.
No department, no groups
It was just too complicated for a small company - I’d love to use the group/department feature, but not now.
Maybe if later on I can transfer to departments, we’ll consider, but for now it’s just easier “the old way”

I know how hard it is to come up with a concept that works for many customers (we do software ourselves).
In your case I recommend to make a document that explains what is behind the department feature and explain in an example how it works, what limitations are to be expected, etc.

I spent about a full day playing with it and finally concluded that it was not worth the effort for our size.
So I guess some documentation would help others.

Keep up the good work

This is also the case if the Admin deletes it from the Admin WEB UI Department view and restores it from the Admin WEB UI Library Trash.
@Jonathan I think it’s a bug, isn’t it?

I also think Departments Admins may have the right to clean the trash
Could you elevate Rights for Department admins? I suppose they can not be owners of the Libraries shared to the Department (only X user is), but could they have Administration rights on these libraries?

As departments can be Synced from OUs in LDAP, a generic term could be “Unit”.

What about these suggestions, @Jonathan ?

Transfer a library from a user to department will be available in v7.0.2.

2.) History Settings for Department Libraries may be available or at least set by default in a setting
3.) Data in the Trash of a Department Library should be Cleaned at least by an admin or a GC feature

We will check the two features.

Hi @adrianriedo

Most of the issues you had are bugs. We’ll fix them.

You should be able to. What’s the phenomenon for this issue?