Add a section about common misconfigurations

admin_manual/configuration_files/files_access_control.rst

@@ -64,6 +64,30 @@ expression: ``/^application\/(zip|x-zip-compressed)$/i``
     .. figure:: images/files_access_control_block_mimetype.png
        :alt: Prevent upload based on mimetype
 
+Common misconfigurations
+------------------------
+
+Blocking user groups
+====================
+
+When trying to deny access to a group of users, make sure that sharing does not
+allow them to create a way back in. When users are able to create a public link,
+the users can log themselves out and visit their own public link to access the
+files. Since at this point they are no user and therefor no member of the
+blocked group, they will be able to read and change the file.
+
+The recommended work around is to create the same rule again, and deny access
+for all users that are ``not member of`` a group, that contains all users of
+your installation.
+
+External storage
+================
+
+While access to files in external storages is not possible via Nextcloud, users
+that have direct access to the external storage, can of course change files
+there directly. Therefor it is recommended to disable the ``Allow users to mount
+external storage`` option, when trying to to completely lock out users.
+
 .. _available-rules-label:
 
 Available rules