Users & Groups


The Users & Groups page provides permission management controls for local and external users.

Whether using Share level or Folder / File level permissions (see Advanced page), managing permissions by groups is recommended.

Groups may be local to EVO and/or external via AD/LDAP. External users can also be added to local groups.

Share permissions may be added to Groups, or group permissions may be added to Shares.

Local Groups


Search by group name - Enter a full or partial search to retrieve any matches. For instance, searching a single letter will return all names that contain that letter.

EVO includes two local groups by default: Administrators and Editors.

Users in the Administrators group have access to all shares without additional permission application, and are displayed in green text to distinguish them from standard users.

Note

Users in the Administrators group have full control for content on all shares.

The default Editors group is suggested for simple permission control, and any number of additional local groups may be created by clicking CREATE GROUP.

Create Group - Enter a Group name (only Latin letters, digits, underscores, hyphens and dots are allowed) and optionally check “Create multiple” to keep the modal open for subsequent operations.


Select a local group to show the available operations.


DELETE - Remove a local group, unless it’s the only group assigned to any existing users or is otherwise required for a service.

EDIT MEMBERS - Select local or external users and start typing and/or use the dropdown menu to select an existing user, or click CREATE USER to create and immediately add the user(s) to the group.


ASSIGN SMB SHARES - Assign share permissions for the selected group. Note that the options differ depending on the permission mode used by EVO.


In the default Share level permission mode, the available options are Read/Write and Read Only.


In Folder / File level permission mode, the available options are Read/Write, Read Only, and Custom (granular ACL permissions).


Users added to a group automatically inherit the group permissions for any share to which the group is assigned.

Warning

Take care when assigning users to the “Administrators” group, as they have full visibility/control of all share content, irrespective of assigned permissions.
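The inheritance rule and the Administrators warning above can be turned into a periodic access review. The following is an added example, not part of the EVO documentation or product; the dictionaries are constructed sample data, not an EVO export format, and the function names are hypothetical.

```python
ADMIN_GROUP = "Administrators"

# Constructed sample data: group -> members, share -> {group: permission}.
GROUP_MEMBERS = {
    "Administrators": {"admin", "j.smith"},
    "Editors": {"editor1", "editor2", "j.smith"},
    "Freelancers": {"editor2", "guest-01"},
}
SHARE_GROUPS = {
    "Projects": {"Editors": "Read/Write", "Freelancers": "Read Only"},
    "Archive": {"Editors": "Read Only"},
}


def effective_access(group_members, share_groups):
    """Map user -> share -> sorted list of (group, permission) grants."""
    admins = group_members.get(ADMIN_GROUP, set())
    report = {}
    for user in set().union(*group_members.values()):
        per_share = {}
        for share, grants in share_groups.items():
            # Administrators reach every share without any assignment.
            found = [(ADMIN_GROUP, "Full control")] if user in admins else []
            found += [(g, p) for g, p in grants.items()
                      if user in group_members.get(g, set())]
            if found:
                per_share[share] = sorted(found)
        report[user] = per_share
    return report


def findings(group_members, share_groups):
    """List (user, share, reason) items that deserve a manual review."""
    out = [(u, "*", "Administrators member: full control of all shares")
           for u in sorted(group_members.get(ADMIN_GROUP, set()))]
    access = effective_access(group_members, share_groups)
    for user, shares in sorted(access.items()):
        for share, grants in sorted(shares.items()):
            perms = {p for g, p in grants if g != ADMIN_GROUP}
            # This page does not say which permission wins; flag, don't guess.
            if len(perms) > 1:
                out.append((user, share, "differing permissions via multiple groups"))
    return out


if __name__ == "__main__":
    for item in findings(GROUP_MEMBERS, SHARE_GROUPS):
        print(item)
```
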

Local Users


Search by username - Enter a full or partial search to retrieve any matches. For instance, searching a single letter will return all names that contain that letter.

Create User - Select at least one local group to which the user will belong, and enter the user name (only Latin letters, digits, underscores, hyphens and dots are allowed) and password, and optionally check “Create multiple” to keep the modal open for subsequent operations.


Note

Users must belong to at least one group.


Once local users exist, select the user(s) to see the available operations.

DELETE - Remove an existing user.

RESET PASSWORD - Enter and confirm a new user password.

EDIT USER’S GROUPS - Type or use the dropdown menu to select groups, and/or click the trash icon to remove a group assignment. Optionally click CREATE GROUP if a new group is needed.


ADD TO GROUP - Select one or multiple users to add to an existing group.


External Groups

EVO can join Active Directory or another LDAP server via the Samba schema.


Search by group name - Enter a full or partial search to retrieve any matches. For instance, searching a single letter will return all names that contain that letter.

Note

Once connected, searching for a user may require the domain name to be included with their name, especially if multiple domains are available.

Once external groups exist, select one to see the available operations.

LIST MEMBERS - Click to display all members of the selected external group.


ASSIGN SMB SHARES - Assign share permissions for the selected group. Note that the options differ depending on the permission mode used by EVO.

In the default Share level permission mode, the available options are Read/Write and Read Only.


In Folder / File level permission mode, the available options are Read/Write, Read Only, and Custom (granular ACL permissions).


For either directory service option, keep the following considerations in mind:

  • EVO can use either Active Directory or another LDAP service, but not both simultaneously.

  • Names of users and groups must contain only Latin letters and digits and must be shorter than 32 characters. Dots, dashes, and underscores are allowed, but names with spaces and other special characters will not be imported.

  • A conflict with EVO’s internal root user may be created if the directory also has a user named “root”.

  • EVO must be pointed at a DNS provider that can resolve the directory server’s hostname. DNS is configured at the Network page in the EVO web interface.

  • The EVO clock must be in agreement with the directory server’s clock. Time is found on the Home page by default, and at Time Settings. Use the Ping Test at the Network page to ensure expected communication with gateway and DNS resolver(s).

  • When mounting EVO NAS shares in an Active Directory environment, authenticating as a non-AD EVO user (local user) requires telling the workstation not to use the AD domain. Prepending “evo\” to the username in the workstation’s mount prompt (example “evo\editor1”) tells the workstation to use the evo domain rather than the local domain. If an alternate domain is not specified, the workstation may attempt the default domain, in which case EVO will expect the domain user rather than a local one.
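The naming and “root” considerations above can be checked against a directory export before connecting EVO, so that accounts which would not be imported are known in advance. This is an added example, not code from EVO or its documentation; the function names and the sample list are constructed for illustration, and reading “Latin letters” as ASCII A-Z/a-z is an assumption.

```python
import re

# Rules as stated on this page; treating "Latin letters" as ASCII A-Z/a-z
# is an assumption of this example.
ALLOWED = re.compile(r"[A-Za-z0-9._-]")
MAX_LEN = 31          # "shorter than 32 characters"
RESERVED = {"root"}   # collides with EVO's internal root user


def check_name(name):
    """Return the reasons a name is a problem; an empty list means OK."""
    if not name:
        return ["empty name"]
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"length {len(name)} is not shorter than 32")
    bad = sorted(set(ALLOWED.sub("", name)))
    if bad:
        problems.append("disallowed characters: " + " ".join(map(repr, bad)))
    # Case-insensitive match is a conservative assumption of this example.
    if name.lower() in RESERVED:
        problems.append("conflicts with EVO's internal root user")
    return problems


def audit(names):
    """Map each problematic name to its list of reasons."""
    return {n: p for n in names if (p := check_name(n))}


# Constructed sample, standing in for a list exported from the directory.
SAMPLE = ["editor1", "j.smith_2-a", "jane doe", "josé", "root",
          "svc-" + "x" * 30, "ingest@post"]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```
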

Click the AD/LDAP button to connect to the external user management system.

Active Directory


Enable AD - Toggles the connection to the AD server on/off

Status - Displays the current AD connection status

Domain - Specify the domain name (ensure this is resolvable by DNS)

User - Enter the name of an AD user. By default, any AD user that’s created is a member of the “Domain Users” group, which allows the user to create a computer object for EVO and authorize its connection. If the user account cannot create a computer object for EVO in AD, the computer object and delegate control can be manually added by the AD administrator.

Password - Enter the AD user password

Enable support for trusted domains - When enabled, allows EVO to join a child domain that presents objects from the parent domain (requires enabling the “Global Catalog” option in NTDS Settings Properties on the AD server).


Tip

A service account with restricted permissions is recommended over a default account that may be subject to user password rotation. See this KB article for more information: https://support.studionetworksolutions.com/hc/en-us/articles/38165653556628-Manually-joining-EVO-to-Active-Directory

LDAP


Enable AD - Toggles the connection to the LDAP server on/off

Status - Displays the current LDAP connection status

Host - Enter the host name:port for the LDAP server

Base DN - Enter the string provided by the LDAP server (o=%SECRET%,dc=%DOMAINCOMPONENT%,dc=com)

Encryption - Choose None, SSL, or TLS - certificates are imported at the System > Advanced page using the Certificate authority card

Samba mode - Samba.schema is required for SMB authentication

Samba SID - Unique security identifier for EVO (note the string is longer than the field, so ensure it’s all copied when connecting)

Bind DN - Enter the LDAP distinguished name (uid=%BIND DN USER%,ou=Users,o=%SECRET%,dc=%DOMAINCOMPONENT%,dc=com)

Bind Password - %BIND DN USER PASSWORD%

LDAP user suffix - Default is common name “cn=users”

LDAP group suffix - Default is common name “cn=groups”

LDAP certificate authority - Upload the G2 root certificate if required by the LDAP server

External Users


Search by username - Enter a full or partial search to retrieve any matches. For instance, searching a single letter will return all names that contain that letter.


Once external users are located, select a user to see the available operations.

LIST GROUPS - Displays all external groups reported by the AD/LDAP server to which the user belongs.

ADD TO GROUP - Select to add an external user to a local group.