Folder security organization

Photo Credits:henning

Promigra Server Migrator is very flexible when it comes to folder security organization. Each folder or sub folder can have different security settings. But usually the simplest security systems are the best. The default setting in FSC is that security settings are defined only on the first level of user defined folders. All sub folders inherit security settings from the parent. At first this approach might look restrictive, but it often proves itself useful. For example, there could be problems when a child folder has different security settings than the parent folder. By changing the security settings on a parent folder an administrator can also reset the settings on child folders. That means that a child folder could have completely different permission settings than it should have. It can quickly happen that a user doesn’t have access to data that he should have. It can be even worse if somebody gets access to the data that he shouldn’t have! Important information can quickly leak.

That is the reason the FSC by default allows security settings only on one level.

Windows with NTFS permissions allows very detailed permission definitions, which can be granted to users or user groups. This flexibility is useful, but we rarely need that many options. Too many options can quickly become an obstacle. An inexperienced administrator, or a user, will be overwhelmed with that many options. The FSC enables folder owners to decide who has certain permissions to data by themselves. For this to be possible permission granting in FSC has to be as simple as possible. The folder owner has exactly two options: add a colleague to a group with read access, or add a colleague to a group with write access. If a person is in none of those groups he doesn’t have access to the data in that folder. Users in the write user group can create new folders and files, change them and also delete them. Users in the read only group can only read data in that folder. They cannot make any changes.

For each folder with defined security settings FSC creates two security groups, then puts users as members of those two groups. When permissions get granted on folders they are not granted to individual users, but rather to those two groups. This approach brings several benefits. First, security settings are much clearer. Namely, there are no mixed security settings for groups and different users. Another big advantage is that for granting or revoking permissions from users, the administrator does not need access to the file server. It is enough that the administrator has access to the Active Directory Users and Computers Console, where he can add or remove a user from the relevant group. This makes user provisioning in larger systems much easier.