Write only access rights

In my workflow I have few MFP devices which can output their files to truenas SMB share.

This devices have their own account and I would like to limit access rights of this devices so that they can only write new files and can not access already existing ones. Is that possible?

I guess it should be possible - my thinking is that MFP should be able to traverse directory structure to output folder, be able to list all of the files in directory (likely to check if there is existing filename) and then write new file.

I have played a little with advanced file access rights but could not nail the combination.

On the dataset or folder, give the user permission for:

  • “Read data” (in order to list directory contents)
  • “Write data” (create files)
  • “Execute” (for traversal).
  • “Read ACL” (SMB requires this, not sure why)

DISABLE inheritance for this entry selecting “No inherit”.

Remove any @owner/@group ACL entries.

You might try setting up a share with similar permissions to an FTP incoming folder, e.g. chmod a+wx,g+s /path/to/incoming and rely on the setgid bit to allow some administrative group to manage the files uploaded there. SMB permissions can’t exceed the standard file/directory permissions, so this would give you a write-only directly where the uploaded files can’t be read.

If you don’t care that the uploaded files can be read, TrueNAS also has a nice “SMB WORM” ACL setup that turns all files accessed via the share read-only after a timeout period (5 minutes by default). That’s perhaps more open than you want, but it can be awfully useful if your goal is just to keep people from accidentally modifying ISO images or other things that should “automagically” become read-only.