Access Rules

Published: October 8, 2025

Last updated: March 10, 2026

Suggest an edit

Control user access to specific directories with allow/deny rules.

info

Access rules for shares apply based on the user that created the share.

warning

FileBrowser Quantum access rules differ entirely from the original FileBrowser. Rules do not carry over when migrating.

How Access Control Works

Rule Variables

User scope — The user must have the source in their scopes.
Deny/Allow — The default behavior is to allow user access, unless the source is configured with denyByDefault.
Access rules — Allow/deny rules for specific directories.

Rule evaluation

When a user accesses a file or directory:

Direct path check — Rules on the exact path are considered first.
Recursive parent check — Parent directories are checked up to the root.
Default behavior — Access is granted if no rule applies, unless denyByDefault is enabled.

Rule precedence

More specific paths override broader ones.

A rule on /folder/subfolder overrides a rule on /folder.
Allow rules take priority over deny rules when both apply.

Creating access rules

In the Web UI

Open User Management or Group Management.
Edit a user or group.
Select a source.
Open Access Rules.
Add allow or deny rules for the directories you need.

Source configuration

info

Using groups: OIDC, LDAP, and JWT authentication methods often map identity provider groups to FileBrowser Quantum groups. A typical pattern is to set the source to denyByDefault and then grant access with rules tied to those groups.

denyByDefault

Configure per source in your config:

YAML
1
2
3
4
5
server:
  sources:
    - path: "/data"
      config:
        denyByDefault: true  # Deny all unless explicitly allowed

With denyByDefault: true:

Users can see that the source exists.
There is no file access without explicit allow rules.
You must add allow rules for each path they should use.

Examples

Basic deny

Rule: Deny user graham access to /.

Result: graham cannot access any files or directories under that scope.

Allow a subfolder only

Rules:

Deny user graham access to /.
Allow user graham access to /subpath.

Result: graham can only access /subpath and its subdirectories.

Deny all with exceptions

Rules:

DenyAll on /vip.
Allow user admin access to /vip.

Result: Only admin can access /vip.

Departmental layout

Rules:

Allow group sales access to /departments/sales.
Allow group engineering access to /departments/engineering.
Deny all users access to /departments.

Result: Each department only reaches its own folder.

Rule types

Allow rules

Grant access to a path (read, write, execute, delete).

Deny rules

Explicitly deny access to a path.

DenyAll rules

Deny everyone for that path until a specific allow overrides it.

Troubleshooting

For common issues and fixes, see the Troubleshooting guide.

Access Control Overview

Troubleshooting

Access Rules

How Access Control Works link

Rule Variables link

Rule evaluation link

Rule precedence link

Creating access rules link

In the Web UI link

Source configuration link

denyByDefault link

Examples link

Basic deny link

Allow a subfolder only link

Deny all with exceptions link

Departmental layout link

Rule types link

Allow rules link

Deny rules link

DenyAll rules link

Troubleshooting link

How Access Control Works

Rule Variables

Rule evaluation

Rule precedence

Creating access rules

In the Web UI

Source configuration

denyByDefault

Examples

Basic deny

Allow a subfolder only

Deny all with exceptions

Departmental layout

Rule types

Allow rules

Deny rules

DenyAll rules

Troubleshooting