How do you structure access to data on your server(s)?
-
The long way around here is probably going to be your friend.
Document it all out and find the likely overlapping security groups and you should be able to find a lot of consolidation would be fairly easy to get approval for.
-
And explain to the powers that be that complicated security is not secure. The more complicated it gets, the less you are able to reliably secure it.
-
@MattSpeller said:
@MrWright4hire To visualize this a bit, imagine my current setup as a see-saw. Security is on the left, a 1000lb gorilla. Ease of use / users weigh in around 100lb on the right. I'm trying to find a bit more balance!
LMBO!!! The only thing I see balancing out the 1000lb gorilla...lol...is a weapon of a high caliber choice. Let's say....like a 50cal.
Well said @scottalanmiller.
-
@MattSpeller said:
@scottalanmiller How do you handle the inevitable user in dept. A needs access to B's stuff?
How about making a folder that only dept. A & B shares and leave it up to them to be discreet about what is shared?
-
@MrWright4hire To continue a terrible analogy lol yes I think that gorilla needs to be put on a diet as well.
Scott may have the best path for me to take; audit the groups, pair them down to skin and bones, present the remains to the powers that be and see what everyone thinks. I also think we can just ditch permissions (make all RO) for a ton of junk we keep around.
-
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
-
@Dashrender Bingo.
-
@Dashrender said:
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
You could use DFS for that particular folder and replicate it to another share that userA already had access to.
-
Although that really isn't any less work
-
@IRJ said:
@Dashrender said:
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
You could use DFS for that particular folder and replicate it to another share that userA already had access to.
Can you do DFS for a specific file, that's really the only time this matters. As Scott said, if UserA needs access to Deptment B in general, just add user to to Department B's groups, problem solved.
Also, will DFS set permissions that allow User A to read/write the file if they don't have that access in it's normal location? Boy I would hope not.
-
@Dashrender said:
@IRJ said:
@Dashrender said:
So what is the actual problem you're having today? People just don't want to have to ask for access? You're never going to get away from that unless you just remove all security.
131 groups for 100 employees - holy cow, the overlap has to be insane!
The listing like Scott said Department A, Department A readonly, Department B, Department B readonly, these sound like a great idea. If you have 10 departements there's no reason to need more than 10 groups (I would think).
I'm guessing something like the following happened user A wanted access to Department B's files, but Department B didn't want to give full access to all of Department B's files, so they created a new group and put the user in it.. and only gave that group access to the single file. Short of something like Sharepoint I don't know how else you'd solve this situation.
You could use DFS for that particular folder and replicate it to another share that userA already had access to.
Can you do DFS for a specific file, that's really the only time this matters. As Scott said, if UserA needs access to Deptment B in general, just add user to to Department B's groups, problem solved.
Also, will DFS set permissions that allow User A to read/write the file if they don't have that access in it's normal location? Boy I would hope not.
I don't think so
and no because you use robocopy /mir to transfer the files. You can set different permissions after the intial setup, though.
-
soooo you're talking about robocopy instead of DFS?
I don't believe the file in my question to be static.. it needs to be changeable by all parties.
-
IS the data in question used by the entire department A and the guy in dept B is the only one that needs it? I am agreeing with everyone above. A flatter segregation of data might be a better post. maybe break this specific data out of dept A and into another share that is an A/B share (IE: M Drive - Marketing Data) Then use a group for it. Then you can roll users in and out of the group as needed. Deploy it with group policy. With that many shares your mapping has to be a nightmare. Well documented or not. Not to mention you probably get one group asking another group if they have the Z drive. Oh you do - just look in the Z drive then - even though Z for the two depts may be completely different.
-
@MattSpeller said:
@Dashrender Bingo.
I missed this yesterday - Considering that the out of department user only needs (and will only be granted) access to the single file - creating a group seems like overkill. Sure it's the right thing to do, but if you have 20-50 groups that only have one person in it, is it really worth while?
Maybe Sharepoint is exactly what you need to solve this problem. Granted access to singular files across folders you otherwise don't have access to.
I recently discovered that a user could search a server drive and the results would show them files inside folders they didn't have permissions to, but the files themselves were granted 'Users:R/W' They were shown the files because they were in the index of the file server, search wasn't actually trolling through the structure, just the index. This ended up being a bad thing, people were able to access other people's reviews. To solve the problem I had to remove 'Users:R/W' from the files in question and limit it to the same permissions as the folders themselves. But this is all off topic... so nevermind I guess
-
SharePoint is very nice for letting users manage the users on their own files. Although users managing their own can be bad, that's how you get unauditable permissions sprawl.
-
@scottalanmiller said:
SharePoint is very nice for letting users manage the users on their own files. Although users managing their own can be bad, that's how you get unauditable permissions sprawl.
Users can do that on Windows too, though they might not be able to remove the baseline permissions depending on settings.
-
@Dashrender true, but there is something more user friendly about the Sharepoint approach.
-
Users are getting used to how tools like OneDrive and Sharepoint work via the sharing and manual permissions systems because of tools like Dropbox being so common for home users.
-
@Dashrender said:
soooo you're talking about robocopy instead of DFS?
I don't believe the file in my question to be static.. it needs to be changeable by all parties.
Micrsoft recommends during a robocopy before you turn on DFS. That way there isnt files replicating like crazy when you first turn it on. There will only be a few files which need to be updated.
-
@scottalanmiller said:
@Dashrender true, but there is something more user friendly about the Sharepoint approach.
I think his best solution lies somewhere in something like Sharepoint, or Sharepoint.. Clearly the windows approach is not working well when he has 130 groups for only 100 users. I think I would have given up on the group thing long ago for single file access like this problem presents.