New-ish to ZFS, Newer to TrueNAS: Advice for Pool Organization with Group-Based Permissions?

Hello,

I joined and was just getting into posting more when the forum switch-over happened, and then I got distracted by real life, but I’m happy to be here, finally. :slight_smile:

tl;dr I’m switching from an ext4-based QNAP to a TrueNAS SCALE server and have some questions about best practices for organizing datasets when access permissions are going to be based on custom groups.

(Apologies for the longish post. I’m still new to TrueNAS and not sure how much context I need to provide about what I’m trying to do.)

I’ve been a Proxmox user for a while, so I’ve been exposed to ZFS through managing local ZFS-based storage on my Proxmox nodes. I’m reasonably comfortable doing relatively simple things (compared to what I read about a lot of y’all doing) and have gone through a couple of TrueNAS setup tutorial video series.

I’m pretty comfortable with using the software (at least at the beginner level), but want to make sure I have a good understanding of dataset organization before I start trying to set them up and migrate data off the QNAP.

From the videos I’ve watched and articles I’ve read, setting permissions based on groups (particularly via ACL) seems to be the favored technique, so I’ve decided to go with that. One thing I’ve seen mentioned repeatedly is that in the case of nested datasets, using different permissions between parents and children is really asking for trouble, and should be avoided unless you’ve got a very, very good reason.

Intuitively, that makes sense, but it does leave me a bit confused about how to do certain things practically.

For example, I have a small Proxmox cluster. It makes sense to create a proxmox group and assign permissions as needed to users who live there, and have those permissions be the same for any nested datasets (ISOs, VM storage, LXC storage, etc.), especially as Proxmox handles network shares at the cluster level, so I’d most likely need only one user in the group.

On the other hand, I’d also like to set up some basic SMB/NFS file shares for human users (e.g., Peter, Paul, Mary, and ShareAdmin who can r/w everything) who just need a shared folder to put stuff in, and this is where my intuition and understanding is failing me. At first, it made sense to me to try to avoid flattening my dataset structure, and have a parent “UserShares”* dataset with master settings for things like recordsize, etc., with child datasets for Peter, Paul, and Mary.

But Peter, Paul, and Mary would all need r/w access to their own datasets (via shares) underneath UserShares, and no access at all to anyone else’s datasets.

But since apparently best-practice is not to modify the permissions/ownership of UserShares child datasets, I find myself a bit stuck on what to do here.

I feel like I’m either misunderstanding what I read as best-practice, or I’m missing something obvious. This also feels like something that will make a lot more sense once I’ve seen an example and done it once or twice.

  • I know I could simplify things at the TrueNAS level by using an intermediary app like NextCloud, but I don’t require that level of abstraction or additional complication yet.

I’d really appreciate any advice. Thanks for reading. :slight_smile: