Model shared folder with different user permissions with Syncthing


I’m new to Syncthing, and I’m trying to move away from Samba file shares in favor of Syncthing for a small company (< 10 employees).

In the current setup there are 4 shared folders. 1 group of people needs access to all of the shared folders. 1 group of people must be restricted to access one of these folders only. 1 group needs access to two of these shared folders.

Every user needs needs R/W permissions to the folders they have access to. The clients are using Windows, the server is on Linux. Syncthing would be running inside a Docker container.

After studying the documentation of Syncthing and the forum, I have the impression that there are 2 possibilities to achieve that.

  1. Create one instance for each folder that needs to be shared. The users sync with multiple instances, depending on the shares they need to have access to.
  2. Create one instance for each user. Every user instance shares exactly the folders that they need access to.

I’m wondering, what would be the best method? If I’m going with option 2, that would mean that multiple Syncthing instances would access the same folder on the file system. Would that be a problem?

Looking forward to your advice.

Thanks, newpipe

I don’t think you need multiple instances. It’s unnecessarily complicated for your use case.

I think you simply need one instance on each machine. The Linux machine runs a single instance that shares 4 individual folders.

All employees each run a single instance that connects to the server. And each employee is only shared the specific folders they should have access to. Additionally the employees machines can all be connected with each other to smooth the fast distribution of changes.

Unless I’m misunderstanding, this is a fairly simple setup.

I was hoping that someone tells me that my goal could be achieved in a way less complex setup.

If I share all 4 folders within the same instance. How would I make sure, that people that shouldn’t have access to a specific folder, aren’t able to access this folder? Aren’t people able to subscribe to all folders that are shared within one device? Or can I control that from the server?

Both sides have to accept the share request. The only other security risk is that one of the other employees can share the folder with unauthorized users but having separate instances for each folder doesn’t really solve that problem either. In the end you need to trust the employees that have access to an individual share that they don’t share that folder with a coworker.

If you dont have that trust you probably need a different solution.

In fact, there’s really no technological solution to untrusted users with access to data. They can take anything they have and share it with whoever they can think of. Once the data is in someone’s hands, it’s their decision what to do with it the only solution I see here is to have trustworthy employees or none at all.

Back to the Syncthing question: You can pick on the server (actually on any device) with which other devices you want to share which folder. As long as you keep the circle of people with access to the server’s Syncthing GUI small, there should be no management problem.

We’ve been running such a setup for years and the only real nuisance is to update the direct connections between employees’ devices when a new one is added or one is replaced.

1 Like

Does the introducer bit not solve this problem?

Yes, if you actually want all devices interconnected. I’d like to keep some user choice in that. Which is incidentally just the reason why I started contributing to Syncthing, however the work wasn’t finished (yet). It was a feature to show a list of suggested / missing links instead of adding them automatically.

1 Like

Gotcha. I’m curious about the case where you don’t want two devices that both have access to the same folder to be able to reach each other to help changes propagate faster. Anyway not that important but curious about the use case.

Main use case is a second backup server that shares many folders with the main server, but we don’t want connections to it from every client. Or possibly some devices with reduced connectivity or bandwidth that are okay to sync with others when on the company network, but should not try connecting to any other devices roaming around and possibly serving blocks to them. These two I had in mind, but the general idea is to not limit choice to all or nothing, but instead visualize the missing links and let the user still actively declare who to trust, just more easily.

One more case I’d add is a mobile device. I don’t want my phone or a laptop to maintain active connections and sync files with 15 different devices while running low on battery. Also, it may be a good idea to keep remote devices at minimum when the hardware is very slow.

1 Like

Thanks for the comments. Good points. (I had no doubt you guys had good points.)

I just wanted to provide a short status update.

Iloved to follow your conversation here. It helped me to understand some aspects of Syncthing. In the meantime I rolled out Syncthing in this small company like suggested in this thread. I started the roll-out with only one user and it was working very well. Yesterday I added a second user. The second user experiences some hickups, that I will describe in a separate topic. It is related to some files starting with “~$” not being synchronized.


I think you simply need one instance on each machine. The Linux machine runs a single instance that shares 4 individual folders.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.