Folder security organization


Promigra Server Migrator is very flexible when it comes to folder security organization. Each folder or subfolder can have different security settings. But usually the simplest security systems are the best. The default setting in FSC is that security settings are defined only on the first level of user-defined folders. All subfolders inherit security settings from the parent. At first this approach might look restrictive, but it often proves useful. For example, there can be problems when a child folder has different security settings than the parent folder. By changing the security settings on a parent folder, an administrator can also reset the settings on child folders. That means that a child folder could end up with completely different permission settings than it should have. It can quickly happen that a user doesn’t have access to data that he should have. It can be even worse if somebody gets access to data that he shouldn’t have! Important information can quickly leak.

That is the reason the FSC by default allows security settings only on one level.


Windows with NTFS permissions allows very detailed permission definitions, which can be granted to users or user groups. This flexibility is useful, but we rarely need that many options. Too many options can quickly become an obstacle. An inexperienced administrator, or a user, will be overwhelmed by that many options. The FSC enables folder owners to decide by themselves who has which permissions on the data. For this to be possible, permission granting in FSC has to be as simple as possible. The folder owner has exactly two options: add a colleague to a group with read access, or add a colleague to a group with write access. If a person is in neither of those groups, he doesn’t have access to the data in that folder. Users in the write group can create new folders and files, change them and also delete them. Users in the read-only group can only read data in that folder. They cannot make any changes.

For each folder with defined security settings, FSC creates two security groups and adds users as members of those two groups. When permissions are granted on folders, they are not granted to individual users, but rather to those two groups. This approach brings several benefits. First, security settings are much clearer, because there is no mix of entries for groups and for individual users. Another big advantage is that, to grant or revoke a user's permissions, the administrator does not need access to the file server. It is enough that the administrator has access to the Active Directory Users and Computers console, where he can add or remove a user from the relevant group. This makes user provisioning in larger systems much easier.
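A read-only audit for the model described above, as an added example that is not Promigra or FSC code: it reports first-level folders with entries for identities outside the two groups, and deeper folders that carry explicit entries or have inheritance disabled. The share path and the allowed-identity pattern (`EXAMPLE\FS_<folder>_R` / `_W`) are hypothetical, since the page does not state how FSC names its groups.

```powershell
# Added example: audits a share against the one-level, two-group model.
# $AllowedIdentity is a hypothetical naming convention; adjust it to your own groups.
function Get-FolderAclDrift {
    param(
        [Parameter(Mandatory)] [string] $ShareRoot,
        [string] $AllowedIdentity = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|EXAMPLE\\FS_.+_(R|W))$'
    )
    $rootDepth = (Get-Item -LiteralPath $ShareRoot).FullName.TrimEnd('\').Split('\').Count

    Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse | ForEach-Object {
        $dir      = $_
        $depth    = $dir.FullName.Split('\').Count - $rootDepth   # 1 = first-level folder
        $acl      = Get-Acl -LiteralPath $dir.FullName
        # Entries set on this folder itself, as opposed to inherited from the parent.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        if ($depth -eq 1) {
            # Explicit entries belong here, but only for the folder's own groups.
            $bad    = @($explicit | Where-Object { $_.IdentityReference.Value -notmatch $AllowedIdentity })
            $reason = 'entry for an identity outside the two-group model'
        } else {
            # Below the first level everything should be inherited.
            $bad    = $explicit
            $reason = 'explicit entry below the first level'
            if ($acl.AreAccessRulesProtected) { $reason = 'inheritance disabled below the first level' }
        }

        if ($bad.Count -gt 0 -or ($depth -gt 1 -and $acl.AreAccessRulesProtected)) {
            [pscustomobject]@{
                Path    = $dir.FullName
                Depth   = $depth
                Reason  = $reason
                Entries = ($bad | ForEach-Object { "$($_.IdentityReference) = $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

# Usage (hypothetical path): list every deviation, deepest first.
# Get-FolderAclDrift -ShareRoot 'D:\Shares' | Sort-Object Depth -Descending | Format-Table -AutoSize
```

An empty result means every folder below the first level inherits its permissions and the first-level folders grant access only to identities matching the pattern.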


Initial structure of the new shared folders


The initial structure of the new folder organization is very important. The reason you are thinking about rearranging your shared folders is likely that they are chaotic, with data mixed up or saved in the wrong places. You probably do not want to have the same problem in the new shared folder structure. There is no single right base structure. Construct the base folder structure in such a way that your users feel comfortable using it, keeping in mind that not every user will be satisfied with the structure you select. The more users take part in the decision process, the harder it is. Get together a small group of key users and decide on the folders that will form the base for the new structure. Keep in mind that the new structure should make it easier to find the data, so be careful not to make the structure too complicated.

Pay the same amount of attention to the rules for naming folders. When users start creating their folders, they need simple and easy-to-use rules in place for folder naming. This is especially important in multilingual organizations. Sometimes it is very difficult to understand somebody who speaks your language, but with a foreign accent. Imagine that you are an administrator and a user asks you to change permissions on a folder. It is very important that you understand correctly what he wants. It is even more difficult when a user asks you to change permissions on a folder whose name is in a foreign language. The folder name might even use characters you don’t have on your keyboard! In global organizations it might be easier if you have defined one language as the official corporate language. In that case, you can require that the names of all folders that should have defined permissions be written in that language. For folders deeper in the structure that inherit security settings from their parents, you can allow users more freedom.


When Promigra Server Migrator prepares scripts for folder rearrangement, it also creates scripts for building Active Directory security groups. It builds security group names from the actual folder names. Because folder names can contain characters that are not allowed in Active Directory, it has to replace those characters with underscores. The administrator’s life will be much easier if you keep AD security group names and folder names as close to each other as possible. Keep that in mind when you prepare folder naming standards.
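The underscore replacement described above has a side effect worth checking before migration: two different folder names can map to the same group name. The following is an added example, not code generated by Promigra Server Migrator; the function names are hypothetical, and it assumes the replaced characters are the ones Microsoft documents as invalid in `sAMAccountName`.

```powershell
# Added example: derive a group name from a folder name and find collisions.
# Assumption: the replaced set is the sAMAccountName-invalid set  " / \ [ ] : ; | = , + * ? < >
# NTFS already forbids \ / : * ? " < > | in names, so real folders can only carry [ ] ; = , +
function ConvertTo-AdGroupName {
    param([Parameter(Mandatory)] [string] $FolderName)
    return ($FolderName -replace '["/\\\[\]:;|=,+*?<>]', '_')
}

# Folders whose derived group name differs from the folder name.
function Get-ChangedGroupName {
    param([Parameter(Mandatory)] [string[]] $FolderName)
    foreach ($f in $FolderName) {
        $g = ConvertTo-AdGroupName -FolderName $f
        if ($g -cne $f) { [pscustomobject]@{ Folder = $f; GroupName = $g } }
    }
}

# Distinct folders that end up with the same group name.
# Group-Object compares case-insensitively by default, as AD does for sAMAccountName.
function Find-GroupNameCollision {
    param([Parameter(Mandatory)] [string[]] $FolderName)
    $FolderName |
        Group-Object -Property { ConvertTo-AdGroupName -FolderName $_ } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ GroupName = $_.Name; Folders = $_.Group -join ' | ' }
        }
}

# Constructed sample folder names.
$sample = 'Finance', 'R+D', 'R=D', 'Sales, EMEA', 'Sales; EMEA', 'Legal [archive]'
Get-ChangedGroupName   -FolderName $sample | Format-Table -AutoSize
Find-GroupNameCollision -FolderName $sample | Format-Table -AutoSize
```

With the constructed sample, `R+D` and `R=D` both become `R_D`, and the two `Sales` folders both become `Sales_ EMEA`; a naming standard that excludes these characters avoids both the collisions and the mismatch between folder and group names.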

Whatever standards you decide on, keep them as simple as possible.
