
Managing access with Rules and Roles

March 3rd, 2009 Derek Schauland, MVP

Managing a team means managing both the group and its individual members, and that is a day-to-day experience for the IT manager. Getting new information out to your team is easier in a group setting than by talking to each staff member separately, but some information should still be handled one on one.

Many organizations manage Active Directory in much the same fashion. Creating a group to provide access to a resource has been standard practice since the pre-AD networks of Windows NT, but there are better ways to manage these items. In this post I plan to look at using groups differently and at how doing so might be an easier method.

Rules

All organizations have rules. Dress codes, smoking policies, hours of operation: all of these are rules that employees must follow to comply with corporate policy. The same method can be used in managing network access. Use a rule to provide a specific type of access to a resource.

Consider the following:

An organization has a file server with two folders, Sales and Accounting. Some employees need to see the contents of the Sales folder while others need to change its contents. The users who need either of these are different from those who need access to items in the Accounting folder; however, the Chief Marketing Officer has been working on a project and needs read access to Accounting. As you can see there is overlap in who needs access to what and what kind of access they need.

The above example of providing needed access to resources isn't too bad for a two folder organization, but what would happen if there were suddenly 500 folders and 1500 users needing some kind of access to those folders? That would be a bit more unwieldy.

So what can we do about it? Simple. Start thinking differently about the issue.

Determining how many types of access you might need will get you off on the right path here. Typically there are the users who need to add, modify, or remove items in a folder and the users who only need to see the items in the folder. Two access constraints for each folder doesn't seem so bad.

Creating a group in AD for each type of access to each folder defines the rules. Using a Domain Local group keeps the access to the resource within the AD domain in which the resource lives. Here's an example:

With our Sales and Accounting folders we could create four groups, two for each folder, to handle the permissions on that folder: one for editing and one for reading.

Accounting: perm_accounting_edit and perm_accounting_read
Sales: perm_sales_edit and perm_sales_read

The names are short and descriptive:

perm – what the group controls (permissions)
sales – which folder (or resource) the group acts on
edit/read – the type of access the group allows

This way, access to the resource is controlled by a group that handles that one task and lives in the domain of the resource, keeping things as simple as possible.

Once the groups are created, assigning the permissions to the folders will complete the process. For the accounting groups complete the following tasks:

1. Open the folder containing the Accounting share

2. Right click the Accounting folder and select Properties

3. Click the Security tab and click the Add button

4. Enter the name of the user or group to add permissions for and click Check Names. In this case you will add perm_accounting_read and perm_accounting_edit.

5. Click OK on the Select Users, Computers, or Groups dialog

6. Select the perm_accounting_edit item on the Security tab

7. Click the Advanced button

8. Select the newly added group in the Permission Entries list

9. Click the Edit button to modify the permissions for the group

10. Ensure that the List Folder/Read Data, Traverse Folder/Execute File, Create Files/Write Data, and Create Folders/Append Data choices all have the Allow box checked. For the read group you would instead allow only List Folder/Read Data and Traverse Folder/Execute File.

11. Click OK on the Permission Entry dialog box and the Advanced Security Settings dialog box

12. Click OK on the Properties dialog for the resource.

For the Sales folder in the above example, open the properties sheet by right clicking the Sales folder and choosing Properties, then complete steps 3-12, substituting the Sales read and edit groups for the Accounting read and edit groups.

Note: Since editing a folder really consists of writing objects to the folder, you will need to allow the read entries (List Folder/Read Data) so users can view items in a folder and the write entries (Create Files/Write Data, Create Folders/Append Data) so they can create items in the folder.

This lets you select permissions individually for the selected security principal, keeping the permissions assigned to the folder restricted to only the actions the group's members need to accomplish their tasks.
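The twelve steps above, scripted as an added PowerShell example (not the post's own code): it assumes the RSAT ActiveDirectory module, hypothetical share paths D:\Shares\Accounting and D:\Shares\Sales, and a hypothetical OU for the rule groups; the rights granted are exactly those named in step 10 and the read note.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# hypothetical share paths and OU below, and rights to create groups and change folder ACLs.
Import-Module ActiveDirectory

$domainNetbios = (Get-ADDomain).NetBIOSName
$groupOu   = 'OU=Permission Groups,DC=example,DC=com'          # assumed OU
$resources = @{ 'Accounting' = 'D:\Shares\Accounting'           # assumed paths
                'Sales'      = 'D:\Shares\Sales' }

# Minimal NTFS rights per access type, as the post's step 10 and read note list them:
# ReadData = "List Folder/Read Data", ExecuteFile = "Traverse Folder/Execute File",
# CreateFiles = "Create Files/Write Data", CreateDirectories = "Create Folders/Append Data".
# Note the post grants no Delete right, so "edit" members cannot remove items.
$rights = @{
  'read' = [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile'
  'edit' = [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile, CreateFiles, CreateDirectories'
}

foreach ($resource in $resources.Keys) {
  $path = $resources[$resource]
  foreach ($access in $rights.Keys) {
    $groupName = "perm_$($resource.ToLower())_$access"        # e.g. perm_accounting_edit

    # Rule group: Domain Local, living in the domain of the resource (steps 4-5 add it to the ACL).
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
      New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope DomainLocal `
                  -GroupCategory Security -Path $groupOu -Description "$access access to $path"
    }

    # Steps 6-12: one Allow entry for the group, inherited by subfolders and files.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
      "$domainNetbios\$groupName", $rights[$access],
      'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
  }
}
```

A group created seconds earlier may not yet resolve on the file server; if Set-Acl reports an unresolvable identity, rerun the ACL part after replication has caught up.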

Now that the rule groups have been created, placing the bevy of user accounts in those groups is as easy as adding all the users, and that should be it. While this is technically true, there is a method to the user accounts portion of this process too.

Roles

When an individual gets a job, they are assigned a role in an organization. The maintenance staff works to keep things like the air conditioning working when it is needed. The IT staff works to keep the servers running, and the marketing interns help get all of the mailings out to customers as soon as possible.

The position encompasses the responsibilities the user is expected to carry out as part of their job. Access to resources will likely be tied to the positions of the employees. For example, the employees in the accounting department will need access to resources related to their position.

To manage the accounting employees as a single unit, you might create a group and make them all members of it, perhaps empl_accounting to denote that the members are user accounts in the accounting department, and an empl_sales group to collect the sales employees together.

This way, managing access to resources for accounting employees can be handled by assigning the needed rights on folders to the empl_accounting group. Easy as pie, right? Add the group to the access control list for each resource it might need and assign it the appropriate permissions to the resource.

Putting it all together

Thus far, we have created groups to manage specific types of access to specific resources and different groups to manage user accounts with similar needs. This helps keep both the access and the management of employees simple.

To provide the accounting employees with access to the accounting folder, simply add the empl_accounting group as a member in the perm_accounting_edit group. This will provide the employees in the accounting department the ability to edit the contents of the accounting folder.

For the Chief Marketing Officer, you could add his user account to the perm_accounting_read group, or depending on other employee groups and membership, add one of those groups to the perm_accounting_read group. This would provide a simplified management structure for both user accounts and access to resources.
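The nesting described in this section, as an added PowerShell example (not from the original post): it assumes the RSAT ActiveDirectory module, that the perm_* rule groups from the Rules section already exist, a hypothetical OU for the role groups, and constructed sample account names. It goes one step beyond the text with a check of who effectively holds each permission, which is what an access review needs to see.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# existing perm_* rule groups, the assumed OU below and constructed sample account names.
Import-Module ActiveDirectory

$roleOu = 'OU=Role Groups,DC=example,DC=com'   # assumed OU

# Role groups: Global scope, so they can be nested into Domain Local rule groups.
foreach ($name in 'empl_accounting', 'empl_sales') {
  if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
    New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security -Path $roleOu
  }
}

# Populate the role groups with user accounts (constructed sample sAMAccountNames).
Add-ADGroupMember -Identity 'empl_accounting' -Members 'asmith', 'bjones'
Add-ADGroupMember -Identity 'empl_sales'      -Members 'cwu', 'dlopez'

# Role into rule: the whole accounting department may edit the Accounting folder.
Add-ADGroupMember -Identity 'perm_accounting_edit' -Members 'empl_accounting'

# The CMO gets read access directly, one of the two options the post describes ('cmo' is a sample account).
Add-ADGroupMember -Identity 'perm_accounting_read' -Members 'cmo'

# Who can actually use a rule group? -Recursive expands nested role groups down to user accounts;
# without it, perm_accounting_edit would only show empl_accounting, not the people in it.
function Get-EffectiveMembers {
  param([string]$RuleGroup)
  Get-ADGroupMember -Identity $RuleGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName
}

Get-EffectiveMembers 'perm_accounting_edit'
Get-EffectiveMembers 'perm_accounting_read'

# Drift check: rule groups that hold user accounts directly instead of via a role group.
Get-ADGroup -Filter "SamAccountName -like 'perm_*'" | ForEach-Object {
  $direct = Get-ADGroupMember -Identity $_ | Where-Object { $_.objectClass -eq 'user' }
  if ($direct) { "$($_.SamAccountName) has direct user members: $($direct.SamAccountName -join ', ')" }
}
```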

Streamlining resource access and the users to which access is assigned can reduce the headaches and stress associated with managing Active Directory and improve IT productivity at the same time.
