A Way to have multiple “Views” (permissions) to the same directory data

Tags: Data analysis, Data warehousing applications, E-business, Management, Microsoft Windows, OS, Patch management, Security, Servers, SQL Server, Storage, Storage management
Basically, we would like to reorganize our data repository (right now just a hierarchical directory structure) in such a way that we can present fully permissioned "views" to various levels within our company. So if I have a directory structure something like the following:

-----------
|
| - Customer
|   | - Proposals
|   | - Financials
|   | - Costs
|   | - Contracts
|   | - General Docs
|   | - Development
|
| - Customer-2
    | - Proposals
    | - Financials
    | - Costs
    | - Contracts
    | - General Docs
    | - Development
ETC.

I would be looking for something that would allow me to have "views" into this data structure such that, for example, I could give the Accounting department access to all of the "financial" directories, our legal/contracts department would have access to all of the "contracts" folders, the Project Managers (PMs) would have access to their respective "customer" directories (respective being the operative word) BUT NOT to the more sensitive information like that in the sub-folders such as "costs"... because it could contain information like salaries.

I know I can implement this with normal directory permissions and group assignments, but the organization that we are expecting to implement would make the number of groups and permission settings to manage extremely large and complex. I am obviously hoping that I can do something like this without needing to implement some overly complex or expensive application and was hoping that someone might be able to point me in the right direction.

Thanks,
Mike

Answer Wiki


Sounds to me like you could benefit from WinFS – once (and if?) it is finished. In the meantime, pretty much all you are left with, since you want to use NTFS disk space directory structure, is using groups and group nesting to ease the administration burden.

I recommend you listen to MS best practices:
- define roles that your users should have when accessing data, one for each kind of access
- define resources (in your case directories) that must be accessed by each role
- create groups (usually global) for user roles, assign users to groups
- create groups (usually local) for role resources, assign rights to resources (directories)
- nest groups (usually make global group member of the local group) to give users appropriate permissions

This approach also facilitates better security, and it also scales well when being used across complex AD trees and in environments with a great number of users or resources.

Kinds of groups that you will use (universal, global, domain local, machine local) depend on the functional level of your domain, as well as your needs. In any case, consult some AD literature for those details, just to be sure.

Hope this helps a little, but then again, maybe you knew this all along, sorry if I stated the obvious.

- Dubravko
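
The role-group / resource-group nesting described in this answer, applied to the directory layout from the question, as an added example that is not part of the original post. The repository path, OU, domain name and all group names are assumptions; the cmdlets come from the RSAT ActiveDirectory module and the standard NTFS ACL classes.

```powershell
Import-Module ActiveDirectory
$root = 'D:\Repository'                    # assumed repository root
$ou   = 'OU=Groups,DC=example,DC=com'      # assumed OU for the new groups
$dom  = 'EXAMPLE'                          # assumed NetBIOS domain name
# Folder type -> global role group that should reach it under every customer
$map  = @{ 'Financials' = 'GG_Accounting'; 'Contracts' = 'GG_Legal' }

function New-GroupIfMissing($name, $scope) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope $scope -GroupCategory Security -Path $ou
    }
}
function Grant-Folder($path, $group, $rights) {
    # Add one inheritable Allow ACE for a resource group; existing ACEs are kept
    $acl  = Get-Acl -Path $path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$dom\$group", $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

$customers = Get-ChildItem -Path $root -Directory
foreach ($type in $map.Keys) {
    $role = $map[$type]
    $dl   = "DL_Repo_${type}_Modify"       # one resource group per folder type
    New-GroupIfMissing $role 'Global'
    New-GroupIfMissing $dl 'DomainLocal'
    if ($role -notin (Get-ADGroupMember -Identity $dl).Name) {
        Add-ADGroupMember -Identity $dl -Members $role   # nest role into resource group
    }
    foreach ($c in $customers) {
        $target = Join-Path $c.FullName $type
        if (Test-Path $target) { Grant-Folder $target $dl 'Modify' }
    }
}
# Project managers: one resource group per customer, with Costs carved out
foreach ($c in $customers) {
    $dl = "DL_Repo_$($c.Name)_PM"
    New-GroupIfMissing $dl 'DomainLocal'
    Grant-Folder $c.FullName $dl 'Modify'
    $costs = Join-Path $c.FullName 'Costs'
    if (-not (Test-Path $costs)) { continue }
    $acl = Get-Acl -Path $costs
    $acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep a copy of the ACEs
    Set-Acl -Path $costs -AclObject $acl
    $acl = Get-Acl -Path $costs                  # re-read: copied ACEs are now explicit
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]"$dom\$dl")
    Set-Acl -Path $costs -AclObject $acl
}
```

The number of groups grows with folder types plus customers rather than with their product, and onboarding a user is a single role-group membership change. Review the resulting ACL on each Costs folder afterwards, since every other inherited entry is copied and kept as an explicit entry.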

Discuss This Question: 2  Replies

 
  • Gstornelli
    You may want to investigate "document management systems". They are typically designed to provide the exact type of organization/access that you describe.