How do you structure access to data on your server(s)?
-
@MattSpeller said:
@scottalanmiller That is how it's currently setup. Each business unit flows down into it's departments, then departments break down into useful categories or sport(s), and only below that can staff create / manipulate data or folders. For a staff of ~100 we have 131 security groups!#!%#&%(!*&
That seems extreme. I would expect more like five or six! What is causing a need to lock things down with such granularity?
-
@scottalanmiller To be really honest I'd rather not go there publicly lol
I'm curious how y'all do it - see if I can learn from my present pickle. Right now users are pissed off and I'd like to suggest something useful to help cut the Gordian knot.
-
We mostly manage it by department. Legal gets one set, management another, "public" for everyone gets another, HR gets one, etc. It's rare that you need more than that on big shares.
-
@MattSpeller said:
How do you structure access to data on your server(s)?
We have a bizarre and arcane setup with NTFS permissions that run really really deep. It's well documented but actually using the thing is just an exercise in frustration. We have very little data that is sensitive (athlete performance / health info) and it's reasonably well segregated from the rest.
How do you do yours? Is there a guide for this to make it suck less? Best practices?
I'm tempted to suggest flattening all the permissions, grant R/W to all and secure only the sensitive bits.
Unfortunately @MattSpeller Security=sucks for convenience. If you want it to suckless you're gong to have to compromise security. If everyone is already restricted from going into other folders help me understand what's the problem. GPO should be able to help you detail how you want the permissions set up. Put quotas on certain folders. Forcing people to either delete what's not necessary or save on an external.
-
@scottalanmiller How do you handle the inevitable user in dept. A needs access to B's stuff?
-
@MattSpeller said:
@scottalanmiller How do you handle the inevitable user in dept. A needs access to B's stuff?
If user A needs access to department B, they should be a member of department B in that case. Use groups, not users, for all permissions except for home directories.
-
You can have groups like Legal and Legal_Read. One is the legal department and has full legal access. The second is readers that have read only access to legal stuff. That way it is simple, but tiered.
-
@MrWright4hire To visualize this a bit, imagine my current setup as a see-saw. Security is on the left, a 1000lb gorilla. Ease of use / users weigh in around 100lb on the right. I'm trying to find a bit more balance!
-
Or at least a balance that will prevent a lynch mob forming outside my door....
-
The long way around here is probably going to be your friend.
Document it all out and find the likely overlapping security groups and you should be able to find a lot of consolidation would be fairly easy to get approval for.
-
And explain to the powers that be that complicated security is not secure. The more complicated it gets, the less you are able to reliably secure it.
-
@MattSpeller said:
@MrWright4hire To visualize this a bit, imagine my current setup as a see-saw. Security is on the left, a 1000lb gorilla. Ease of use / users weigh in around 100lb on the right. I'm trying to find a bit more balance!
LMBO!!! The only thing I see balancing out the 1000lb gorilla...lol...is a weapon of a high caliber choice. Let's say....like a 50cal.
Well said @scottalanmiller.
-
@MattSpeller said:
@scottalanmiller How do you handle the inevitable user in dept. A needs access to B's stuff?
How about making a folder that only dept. A & B shares and leave it up to them to be discreet about what is shared?
-
@MrWright4hire To continue a terrible analogy lol yes I think that gorilla needs to be put on a diet as well.
Scott may have the best path for me to take; audit the groups, pair them down to skin and bones, present the remains to the powers that be and see what everyone thinks. I also think we can just ditch permissions (make all RO) for a ton of junk we keep around.
-
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
-
@Dashrender Bingo.
-
@Dashrender said:
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
You could use DFS for that particular folder and replicate it to another share that userA already had access to.
-
Although that really isn't any less work
-
@IRJ said:
@Dashrender said:
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
You could use DFS for that particular folder and replicate it to another share that userA already had access to.
Can you do DFS for a specific file, that's really the only time this matters. As Scott said, if UserA needs access to Deptment B in general, just add user to to Department B's groups, problem solved.
Also, will DFS set permissions that allow User A to read/write the file if they don't have that access in it's normal location? Boy I would hope not.
-
@Dashrender said:
@IRJ said:
@Dashrender said:
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
You could use DFS for that particular folder and replicate it to another share that userA already had access to.
Can you do DFS for a specific file, that's really the only time this matters. As Scott said, if UserA needs access to Deptment B in general, just add user to to Department B's groups, problem solved.
Also, will DFS set permissions that allow User A to read/write the file if they don't have that access in it's normal location? Boy I would hope not.
I don't think so
and no because you use robocopy /mir to transfer the files. You can set different permissions after the intial setup, though.