Servers

Only novices assign users to shares

Erik Eckel makes the case for why consultants should assign group rights to server shares, and then assign users to groups.
One hallmark of an apprentice consultant is assigning users to server shares. It's a subpar practice, and consultants should avoid the habit altogether.

How it happens

I'm guessing a novice consultant, pressed for time or potentially overwhelmed with other client responsibilities, works quickly to create a new folder. Maybe the client is requesting a new file share to enable collaboration among accountants or marketing staff.

Based on complex, undocumented, and massively failed file share structures my consulting office occasionally inherits, I know what ends up happening. Rather than taking time to properly configure file shares and architect the appropriate group and corresponding user memberships, the consultant just adds Jane Smith and John Doe (the users the client requested have access to the new folder) to the new server share.

That'd be all fine and good if life stopped there, but it doesn't.

The real world

Two months later a new subsidiary is launched, and only Jane is supposed to have access to the subsidiary folder. So, while likely remotely addressing another server issue, the consultant might remotely connect to this client's server, quickly add a new folder, and extend Jane permissions to that folder.

A few weeks go by and a similar task occurs for John. Then a few more months pass, and a few more shares are added in like fashion for Jane, a new user named Jill, and a volunteer named David. Maybe a few service calls arise to switch a few permissions around. Typically these tasks are completed on the fly to enable quickly closing a trouble ticket queue that's getting out of hand.

At one point the client wants some users in the marketing department to access accounting files, but to be safe, the client doesn't want that department to be able to change accounting's files. The marketing employees are given read-only access.

Jane ends up transferring from the accounting organization to the sales team. She stays a few months and then leaves the organization. Her replacement, Donna, only hangs around for a few weeks. The short-lived Donna is replaced by Robert.

And then the real trouble arises. It's discovered that David, the volunteer, can see sensitive donor information only Jill is supposed to see. Robert, meanwhile, can't access new files Donna created. Oh, and Mike, a user who has been logging in as Donna because he couldn't access files he needed, and Donna was the only person who could, can access some files but can't edit them. Then John leaves the organization. That's when you're called in as the new consultant to sort out the mess.

"Just give Dan, John's replacement, the same permission John had," the client says.

Fun stuff. And what permissions does John have? No one knows. You'll lose quite a bit of time reverse-engineering just which server shares John can access and which permissions he actually possesses to each share. By the time you're done, you'll be cursing the previous consultant.

Avoid becoming an offender

Consultants -- because they frequently work within incredibly demanding and rapidly changing environments in which clients routinely pelt them with extraneous requests and sometimes don't take time to document through dedicated internal HR and IT teams user access rights -- must take particular care to follow best business practices. By assigning users to groups and assigning groups permissions to server shares, it becomes much easier to administer, configure, and troubleshoot permissions issues.

If the original consultant in the above example had followed such practices, it would be simple to know to which folders Dan should receive permissions. It's easy -- just look at John's group memberships and mimic those for Dan.

But when individual users are given permissions -- particularly varying permissions -- directly to server shares, unless meticulous records are kept (and they never are, and even if they were the client would misplace them), access rights nightmares are inevitable. Consultants should assign group rights to server shares, and then assign users to groups.

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

17 comments
mtpemberton
mtpemberton

Sometimes Jane just needs access to the P drive :).

Charles Bundy
Charles Bundy

What is outlined isn't so much a technical problem as a documentation and approval process failure. Whoever handles personnel info should have file documentation on account creation, modification and deletion when employee status changes. Who requested/approved it as well as specifics on what was asked for. Groups are not a solution to the above underlying problem they are simply a different level of security and should be treated as such.

Justin James
Justin James

... like when making a private share for just that user. :) J.Ja

tbmay
tbmay

But once again, I wonder how much of that is the client being unwilling to pay for the time to do it right.

Michael Kassner
Michael Kassner

It is not constructive to make sweeping statements. The smart consultant will do what best suits each individual situation. Chip brought up one reason, there are many others. Also, I would submit that the size of the organization plays a key role in how permissions are doled out.

Sterling chip Camden
Sterling chip Camden

Groups help with that abstraction, but it's also possible to get groups into a tangled mess if they aren't properly divided along lines of responsibility. If Group A is "all the things that John can do" and group B is "all the things that Mary can do" then you still have a problem when you want to introduce someone whose set of responsibilities overlaps both of those groups but is a superset of neither one.

AnsuGisalas
AnsuGisalas

I had just gotten around to upgrading my expectations... now it seems like I'll have to go through the process of deprecating them again :( And it would have been so easy to write up a "5 steps to keep your user-shares untangled"... Erik, if you read this, try being more positive in your writing, all this adversarial profiling makes your writings hover over the recycle bin... antagonistic thinking is a surefire way to get a bad ulcer going.

tbmay
tbmay

...he was not really talking about those kinds of exceptions, but rather, the too often used practice of simply giving one more user permissions to a share...with lots of other users. In a perfect world, if I were giving an individual user a share, I'd probably simply tell them to use their home folder....give them more space if necessary...but that would be my first thought. All that aside though...this is one of the things that has been causing IT-User irritations for a long time. I remember all too well the desire to keep the Novell Tree pure, clean, and right-as-rain. Mr. or Ms. Bigshot Bank Boss walks in and says I want Mary to have access to the same thing Joe in another department has....NOW. From a consultant point of view it's even more difficult because the small business customer doesn't know, doesn't care, and "we'll cross that bridge when we get there." And when he's made a mess for himself, he'll go to the next guy and blame you for the mess. It's always good to know how many IT guys a business has been through.

Sterling chip Camden
Sterling chip Camden

... and don't even tell the client that there was a faster, sloppier way that would have cost them more in the long run. It's in everyone's best interest.

MikeGall
MikeGall

Here is our 5 new hires please set their accounts up NOW because they can't do anything until they can access the systems. Or a whole lot of "Bob is just like Jill except (followed by 20 minutes description of how Bobs on a dozen committees that Jill isn't etc).

AnsuGisalas
AnsuGisalas

My instinct would be to "unify by division", cutting the available sources into their tiniest parts, then assigning access to each part individually, via a 2D map; users go on one axis, access permission types go on the other. Should be relatively simple to keep track of.

MikeGall
MikeGall

Often tasks aren't divided along clear job description but ability. For example I do all programming work in my department because I have experience and skills in that area. So I have some pretty godlike access to a lot of our data that other people don't. That said if I get replaced the next person won't necessarily have my skillset and so giving them full control of the source code repositories, patient databases etc is probably not a good thing. This is not very uncommon now. With all the cross-functional teams that popup to share a persons particular skillset more broadly with different groups in the organisation you end up with "this guys an Excel wizard but he shouldn't see the Crystal reports everyone in our group sees" kind of things. Massive customized access. In general though whenever possible the posts recommendation should be followed. If you can find a core set of access everyone in the department should have for example then add people to that group when they enter the department makes sense.

Sterling chip Camden
Sterling chip Camden

Inflammatory headlines can be good for attracting traffic. I don't know if that's Erik's motivation. I don't even know whether to hope so.

eXOBeX
eXOBeX

At least on a Novell tree you could easily find out what a user had access to, at-a-glance. When we migrated to Windows Server 2008 R2 we ended up creating three groups for each of almost 500 top-level folders. One group (RW) has read-write, another (RO) read-only, the third (TR) has traverse rights (as read-only but for "this folder only"). If any specific rights need to be assigned deeper in the tree, more groups are created and made members of their parent TR group. A total fudge to get anywhere near the flexibility of Novell (grant access to whole folder tree without repermissioning every file inside it, see at-a-glance what a user has access to) but it works. Why 500 top-level folders? Originally there were over 50 servers, these had been merged down to a handful of big NetWare servers, now they're on a pair of (fail-to-)failover clustered servers. They're being whittled down slowly, these days you won't get a new top-level folder without a cast-iron reason!

MikeGall
MikeGall

For example I work in healthcare in Ontario. We have freedom of information coming into effect in 2012. Our "personal" folders are now accessible by the privacy office and our managers. If a information request comes in the managers need to be able to look through everything and find out what is sensitive and what can be shared. It's a tough trade off but for the most part I think personal shares should be minimized. I've worked in situations where a manager used his laptop for personal use at home and its harddrive was set to sync with the corporate SAN "home directory" for backups. Well you guessed it, every morning all the movies and what not he downloaded the previous day was backed up onto two copies of tape. Not an intended behavior. Also I've had people quit their jobs and then come back a year later and say something like "oh that report your looking for is on my home directory", or "do you still have my home directory I had my only copy of my honeymoon pictures on it". Since people are not supposed to be using corporate systems for personal use, by definition none of the files on a fileserver should be personal. They could be restricted to a role (eg. CFO and CEO only) but saying something like only "Bob" has rights is a really bad practice since Bob's role could change, when it does you'll be left figuring out "who's Bob now" as the article mentions etc. If people know others can see the folders they put less crap into them, and hopefully label things more appropriately so other people can figure out what is in them versus some cryptic naming convention that only they understand.

Sterling chip Camden
Sterling chip Camden

Even though you'll undoubtedly run into situations where you made those divisions incorrectly (usually by not dividing enough), starting with that approach makes it easier to correct.

Justin James
Justin James

My hope here was that the TR staff assigned a headline without asking Erik, that was a bit more attention grabbing than he intended... but then I re-read the article and saw that the headline matched his intentions just fine. J.Ja