Folder Permission Intersections

Thread starter: beepeeoh

Hi,
I'm not an administrator of any great experience, but I've a folder
permission problem I can't solve.
Everyone in my company is assigned to a division & are a member of the
appropriate divisional group on AD (eg MIIS_RA, MIIS_DA, etc). Each
division has its own Performance Manager & they are included in another
group (Performance Managers).
I would like to restrict a set of folders to just the Performance
Managers, but only allow them to access their own division's data, eg:

Root->
PerformanceData->
AA->
AC->
DA->
etc...

The AA folder should only be accessible if you are in both MIIS_AA and
Performance Managers. I've tried to limit the PerformanceData to just
Performance Managers, then AA to just MIIS_AA, but if the file path is
known, anyone from MIIS_AA can go straight to that folder.
Am I missing something? How can I do this without asking IT to split my
Performance Managers group into Performance Managers_AA, Performance
Managers_AC, etc?

Thanks in advance.

Ben
 
A possible workaround would be to:

Grant change permissions to AA, AC etc to each relevant MIIS group. Also
grant full control to Domain Admins.

Create a 'limited users' group, for people who are NOT allowed access to
performance info.

To each subfolder, add a Deny permission which excludes anyone belonging to
the 'limited users' group.

The downside of this approach is that you need to be careful when creating
new users, not to leave them with excessive rights.
 
You probably are best off creating a group for the performance managers for
each division and then assigning that group permissions to their folder but
also keep all the performance managers in the performance managers group
that you currently have which would be used to give permissions to the
parent folder. The other alternative is to explicitly grant only the
specific users that are performance managers for each division access to
their folder though in my opinion it is better to create the new groups even
though it is a bit more work initially as it will be much less prone to
making errors assigning permissions and easier to manage when users change
positions since you would only need to change a user's group membership and
not modify the folder's permissions each time.

Steve
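As an added example (not code from the thread), the group-per-division layout Steve describes, done with the ActiveDirectory module and NTFS ACLs. The domain name, group OU, drive path and the list of divisions are assumed placeholders; the existing "Performance Managers" group is left as it is and still guards the parent folder.

```powershell
# Added example, not from the original thread. Creates one global group per
# division and sets ACLs so that a division folder is reachable only through
# its own group, regardless of whether the path is known.
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'                        # assumed NetBIOS domain name
$GroupOU   = 'OU=Groups,DC=contoso,DC=local'   # assumed OU for the new groups
$Root      = 'D:\Root\PerformanceData'         # assumed path matching the thread's layout
$Divisions = @('AA', 'AC', 'DA')               # divisions named in the thread

# Helper: build an Allow ACE. Inheritance is passed in so the parent folder
# can use 'None' (this folder only) while division folders propagate downwards.
function New-Ace($Identity, $Rights, $Inherit) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
}

# 1. One global security group per division, e.g. "Performance Managers_AA".
foreach ($d in $Divisions) {
    $name = "Performance Managers_$d"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

# 2. Parent folder: stop inheriting from Root, let Domain Admins manage it, and
#    give "Performance Managers" read/traverse on this folder only, so nothing
#    from the parent flows down into the division folders.
$parentAcl = Get-Acl -Path $Root
$parentAcl.SetAccessRuleProtection($true, $false)   # protect, drop inherited ACEs
$parentAcl.AddAccessRule((New-Ace "$Domain\Domain Admins" 'FullControl' 'ContainerInherit,ObjectInherit'))
$parentAcl.AddAccessRule((New-Ace "$Domain\Performance Managers" 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $parentAcl

# 3. Each division folder: break inheritance again, then allow only Domain
#    Admins and that division's performance-manager group. A user who is in
#    MIIS_AA but not in "Performance Managers_AA" matches no ACE here.
foreach ($d in $Divisions) {
    $path = Join-Path -Path $Root -ChildPath $d
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Ace "$Domain\Domain Admins" 'FullControl' 'ContainerInherit,ObjectInherit'))
    $acl.AddAccessRule((New-Ace "$Domain\Performance Managers_$d" 'Modify' 'ContainerInherit,ObjectInherit'))
    Set-Acl -Path $path -AclObject $acl
}
```

Run it as an account that can create groups in the OU and change ownership-level permissions on the folders; check the result afterwards with the Effective Access tab or `icacls` on each division folder.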
 
Thanks for your thoughts, even though they were confirming my fears!
You'd have thought it would've been a fairly simple option to set:

Allow access to the folder where Group="RA_MIIS" AND Group="Performance
Managers"

instead of the "OR" query we get now. What are the odds this will
change in Vista? (I've a fairly good idea as to what the answer will
be, but a guy's gotta dream!)

Looks like I'm gonna have to smile sweetly at the IT department!

Thanks again.

Ben
 
The problem with this workaround is that we are an organization of
9000+ users, with about 15 performance managers. I can't see me getting
this "Not Performance Manager" group implemented by IT.

Thanks anyway.

Ben
 
That is not going to change in Vista, last I saw. If the user's security
token includes membership of a group that is allowed access to an
object, and the user is not a member of a group that has deny access, the user
is in, assuming the user has the user right to access this computer from the
network. You also can tweak the user right for "access this computer from the
network" to control access to shares. Say you had that share on a server that
the "regular users" did not need access to: you could leave permissions as is
and then change "access this computer from the network" to include
performance managers, administrators, and other authorized users, though
personally I still would configure the new global groups to use in
permissions as part of best practice in assigning permissions to folders;
that would protect the folders in case someone changed the user right to
access this computer from the network to allow all users again for that
server.

Steve
 
We're on a corporate SAN with DFS, so creating new shares isn't an
option :-(
I guess I'll have to resort to individual groups.


Cheers

Ben
 