A Way to have multiple “Views” (permissions) to the same directory data
Data analysis, Data warehousing applications, Desktops, E-business, Management, Microsoft Windows, OS, Patch management, Security, Servers, SQL Server, Storage, Storage management, Storage products and equipment
Basically, we would like to reorganize our data repository (right now just a hierarchical directory structure) in such a way that we can present fully permissions ?views? to various levels within our company.
So if I have a directory structure something like the following:
-----------
|
| - Customer
| | - Proposals
| | - Financials
| | - Costs
| | - Contracts
| | - General Docs
| | - Development
|
| - Customer-2
| - Proposals
| - Financials
| - Costs
| - Contracts
| - General Docs
| - Development
ETC.
I would be looking for something that would allow me to have ?views? into this data structure such that I for example I could give the Accounting department access to all of the ?financial? directories, our legal/contracts department would have access to all of the ?contracts? folders, the Project Managers (PMs) would have access to their respective ?customer? directories (respective being the operative word) BUT NOT to the more sensitive information like that in the sub-folders such as ?costs?? because it could contain information like salaries.
I know I can implement this with normal directory permissions and group assignments, but the organization that we are expecting to implement would make the number of groups and permission settings to manage extremely large and complex. I am obviously hoping that I can do something like this without needing to implement some overly complex or expensive application and was hoping that someone might be able to point me in the right direction.
Thanks,
Mike
Software/Hardware used:
Software/Hardware used:
ASKED:
September 6, 2005 11:51 AM
UPDATED:
September 8, 2005 8:25 AM
Answer Wiki:
Sounds to me like you could benefit from WinFS - once (and if?) it is finished. In the mean time, pretty much all you are left with, since you want to use NTFS disk space directory structure, is using groups and group nesting to ease the administration burden.
I recommend you listen to MS best practices:
- define roles that your users should have when accessing data, one for each kind of access
- define resources (in your case directories) that must be accessed by each role
- create groups (usually global) for user roles, assign users to groups
- create groups (usually local) for role resources, assign rights to resources (directories)
- nest groups (usually make global group member of the local gorup) to give users appropriate permissions
This approach also facilitates better security, and it also scales well when being used accross complex AD trees and in environments with a great number of users or resources.
Kinds of groups that you will use (universal, global, domain local, machine local) depend on the functional level of your domain, as well as your needs. In any case, consult some AD literature for those details, just to be sure.
Hope this helps a little, but then again, maybe you knew this all along, sorry if I stated the obvious.
- Dubravko
To see all answers submitted to the Answer Wiki: View Answer History.
Sounds to me like you could benefit from WinFS – once (and if?) it is finished. In the mean time, pretty much all you are left with, since you want to use NTFS disk space directory structure, is using groups and group nesting to ease the administration burden.
I recommend you listen to MS best practices:
- define roles that your users should have when accessing data, one for each kind of access
- define resources (in your case directories) that must be accessed by each role
- create groups (usually global) for user roles, assign users to groups
- create groups (usually local) for role resources, assign rights to resources (directories)
- nest groups (usually make global group member of the local gorup) to give users appropriate permissions
This approach also facilitates better security, and it also scales well when being used accross complex AD trees and in environments with a great number of users or resources.
Kinds of groups that you will use (universal, global, domain local, machine local) depend on the functional level of your domain, as well as your needs. In any case, consult some AD literature for those details, just to be sure.
Hope this helps a little, but then again, maybe you knew this all along, sorry if I stated the obvious.
- Dubravko
You may want to investigate “document management systems”. They are typically designed to provide the exact type of organization/access that you describe.