This post is donation-ware. If it did help you, please consider leaving a comment or even buying me a coffee. I will be eternally grateful.
Primary objective
Create a service account to run a service on your Synology NAS.
Secondary objective(s)
When you create a service account, you improve the system’s safety and the service’s stability.
Background
Some services on your NAS, typically backup services, need a user account to log in to the destination NAS.
Although it is widespread to use an account of one of the users, it is preferred to tailor a dedicated user account for the task: a service account.
A service account starts as a regular account but with several restrictions and limited permissions necessary for the task. This improves the safety of your system and the stability of the service.
| Service | Account Name | User Group | Folder Permissions | Application Permissions | Quota |
| Hyper Backup Vault | hb-vault-user | users | r/w to the backup folder | Hyper Backup Vault | no |
| Hyper Backup – rsync / rsync (single version) | hb-rsync-user | users | r/w to the backup folder | rsync | no |
| Shared Folder Sync | sfs-user | administrators | n/a | rsync | n/a |
| Synology Drive ShareSync | sdss-user | administrators | n/a | n/a | |
| Time Machine backup (macOS) | tm-user | users | r/w to the backup folder | yes |
If you have multiple Apple Mac computers, create a tm-computer-name-user account for each computer and assign a quota to each service account. Please reference the tutorial on how to set up Time Machine backup on your Synology NAS.
For help creating user accounts, please reference Better User Management.
Actions
Before we get into action to create a service account, let’s determine a few assumptions first.
- If a service needs a shared folder on the NAS, create that shared folder before you make the service account.
- If a service needs an account with administrator privileges, apply step 4 and skip step 5.
- If a service does not need a user quota, skip step 6. Note that The Assign user quota screen differs for Ext4 and Btrfs volumes.
There are nine steps in the procedure. The steps apply to DSM7.
- Log in to DSM with administrative privileges
- Open Control Panel, User & Group, User tab, and click on the Create button
- in the Enter user information screen, fill in name, description, and password; enable Disallow the user to change account password; click Next
- optional: in the Join groups screen, depending on the service you create an account for, enable the administrators group; click Next
- optional: in the Assign shared folder permissions, depending on the service you create an account for, enable Read/Write permissions for the shared folder; click Next
- optional: in the Assign user quota screen, assign a user quota to the volume (Ext4) or the shared folder (Btrfs); click Next
- in the Assign application permissions screen, deny permissions for all services except for the required permission; click Next
- in the User speed limit screen, click Next
- in the Confirm settings screen, review your settings and click Done
Congrats, you just learned how to create a service account and achieved the primary and secondary objectives.
Thanks for reading
This post is donation-ware, and I made it to help you. Please consider leaving a comment or even buying me a coffee if it did. I will be eternally grateful.
Paul Steunebrink / Storage Alchemist