The problem with file system permissions

Posted by Edward Killeen on Tue, Jun 05, 2012

For years and years, Microsoft has been recommending AGDLP as the way to manage your file system permissions.  User and computer accounts are members of global groups, which are members of domain local groups, which are the groups that actually receive permissions on the resource.  This is, to put it mildly, the old and busted way of doing things (OBWDT for short).

And here is why: try telling me who has access to a given file.  The user is a member of a group nested inside another group, and nobody knows who manages that group.  In fact, you don't even know the last time that group was updated.
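The "who has access to that file" question is answerable, it is just tedious, which is the point the post is making. The following PowerShell is an added example (not code from the original post or from any product it mentions) that walks the AGDLP chain for one folder: it reads the folder's ACL, expands every group it finds recursively, and reports each user together with the nesting path and the date the innermost group was last changed. It assumes the RSAT ActiveDirectory module is available, that you can read both the ACL and the directory, and that the folder path in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and read access to the folder ACL and to the directory.
Import-Module ActiveDirectory

function Expand-GroupChain {
    # Recursively walks one group's membership, emitting a record per user or
    # computer found, with the chain of groups it was reached through.
    param(
        $Group,                 # ADGroup object with whenChanged loaded
        [string[]] $ChainDNs,   # distinguished names seen so far (cycle guard)
        [string[]] $ChainNames, # display names of the same chain
        [int] $Depth,
        $Rights,
        [string] $Path,
        [int] $MaxDepth
    )
    if ($Depth -gt $MaxDepth) {
        Write-Warning "Nesting deeper than $MaxDepth under $($Group.Name); stopping here"
        return
    }
    foreach ($m in (Get-ADGroupMember -Identity $Group.DistinguishedName)) {
        if ($m.objectClass -eq 'group') {
            if ($ChainDNs -contains $m.DistinguishedName) {
                Write-Warning "Circular nesting detected at $($m.Name); skipping"
                continue
            }
            $nested = Get-ADGroup -Identity $m.DistinguishedName -Properties whenChanged
            Expand-GroupChain -Group $nested `
                -ChainDNs ($ChainDNs + $m.DistinguishedName) `
                -ChainNames ($ChainNames + $nested.Name) `
                -Depth ($Depth + 1) -Rights $Rights -Path $Path -MaxDepth $MaxDepth
        } else {
            [pscustomobject]@{
                Folder           = $Path
                Principal        = $m.SamAccountName
                ObjectClass      = $m.objectClass
                Via              = ($ChainNames -join ' > ')
                Depth            = $Depth
                Rights           = $Rights
                GroupLastChanged = $Group.whenChanged   # the group that directly holds this member
            }
        }
    }
}

function Get-EffectiveFolderAccess {
    # Lists every principal that ends up with Allow rights on $Path, however
    # deeply it is nested. Deny entries are skipped here; a full audit would
    # report them separately because they override Allow.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxDepth = 10   # hypothetical guard for runaway nesting
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $name = $ace.IdentityReference.Value      # e.g. CORP\DL-Finance-Modify
        $sam  = $name.Split('\')[-1]
        $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'" `
                             -Properties whenChanged -ErrorAction SilentlyContinue
        if ($null -eq $group) {
            # Built-in principal (SYSTEM, Administrators) or a user granted
            # directly on the folder: report it without expansion.
            [pscustomobject]@{
                Folder = $Path; Principal = $name; ObjectClass = 'direct'
                Via = '(direct ACE)'; Depth = 0; Rights = $ace.FileSystemRights
                GroupLastChanged = $null
            }
            continue
        }
        Expand-GroupChain -Group $group -ChainDNs @($group.DistinguishedName) `
            -ChainNames @($group.Name) -Depth 1 -Rights $ace.FileSystemRights `
            -Path $Path -MaxDepth $MaxDepth
    }
}

# Usage (placeholder path): deepest nesting first, so the hardest-to-explain
# grants are at the top of the report.
Get-EffectiveFolderAccess -Path '\\fileserver\finance\budgets' |
    Sort-Object Depth -Descending |
    Format-Table Principal, Rights, Depth, Via, GroupLastChanged -AutoSize
```

Two things this report makes visible that the ACL dialog does not: the `Via` column shows the exact global-in-domain-local chain a user came through, and `GroupLastChanged` is the `whenChanged` timestamp of the group that directly contains the user, which answers the "when was this group last updated" question from the post. Note that `Get-ADGroupMember` returns only directory group members; access granted through local server groups or through share-level permissions would need a separate pass.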

So, how do you solve this?  True role based access control (RBAC for short).

If you are doing RBAC correctly, you have a metadirectory that assigns roles to your users, dynamically or statically.  These roles are granted access to resources.  Your RBAC-based file share manager continuously inventories and monitors for new shared folders and follows a workflow to give the appropriate roles access.

Here's the other side of the coin.  A user knows about a shared file or folder and wants access; I saw this use case on an IAM board on LinkedIn today in fact.  How does that user request access?  Does he or she have any idea what group or groups manage access?  No.

Why not give the end user an easy self-service form to request access to the folder, one that is routed to the correct approvers?  The end user would not need to know a single thing about AGDLP or other technical nonsense.  RBAR (rights based approval routing) to the rescue.  This workflow knows who can approve and how long that user can have access.  If a contractor needs a top secret folder, give them access for 3 days, no longer.
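The "3 days, no longer" part is the piece people most often get wrong, because the grant is made and the removal is forgotten. As an added example (not code from the original post or from any product it mentions), the PowerShell below grants a time-boxed group membership so the directory itself removes the access when the TTL expires, and then reads back the remaining lifetime for audit. It assumes the ActiveDirectory module, a forest with the Privileged Access Management optional feature enabled (which is what makes `-MemberTimeToLive` usable), and that the user, group and approver names are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and a forest with the Privileged Access Management optional feature
# enabled; without it, Add-ADGroupMember rejects -MemberTimeToLive.
Import-Module ActiveDirectory

function Grant-TemporaryGroupAccess {
    # Adds $User to the resource group named by the folder's ACL with a TTL,
    # and returns an approval record suitable for an audit log.
    param(
        [Parameter(Mandatory)] [string] $User,      # sAMAccountName of the requester
        [Parameter(Mandatory)] [string] $Group,     # domain local group the folder ACL grants
        [Parameter(Mandatory)] [string] $Approver,  # who approved, for the record
        [int] $Days = 3                             # the post's default for contractors
    )
    $ttl = New-TimeSpan -Days $Days
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl

    [pscustomobject]@{
        User      = $User
        Group     = $Group
        Approver  = $Approver
        GrantedAt = (Get-Date)
        ExpiresAt = (Get-Date).Add($ttl)
    }
}

function Get-TemporaryMembers {
    # Reads the group's member attribute with TTLs shown. Expiring members are
    # returned by the directory as "<TTL=<seconds>,<DN>>"; permanent members
    # are plain DNs and are reported with a null TTL.
    param([Parameter(Mandatory)] [string] $Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        if ($entry -match '^<TTL=(\d+),(.*)>$') {
            [pscustomobject]@{
                Member           = $Matches[2]
                SecondsRemaining = [int]$Matches[1]
                ExpiresAt        = (Get-Date).AddSeconds([int]$Matches[1])
            }
        } else {
            [pscustomobject]@{ Member = $entry; SecondsRemaining = $null; ExpiresAt = $null }
        }
    }
}

# Usage with placeholder names: approve a contractor for three days, then
# confirm the directory agrees on when the access ends.
$record = Grant-TemporaryGroupAccess -User 'contractor01' -Group 'DL-TopSecret-Read' -Approver 'data.owner'
$record | Format-List
Get-TemporaryMembers -Group 'DL-TopSecret-Read' | Format-Table -AutoSize
```

The design point is that expiry is enforced by the directory rather than by a reminder in someone's calendar: the membership disappears on its own, and the Kerberos ticket lifetime is capped to the remaining TTL, so the approval record you keep and the state of the group stay consistent without a cleanup job.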

Just because Microsoft (MSFT) recommends using an old and busted technique (OBWDT) like AGDLP shouldn't stop you from looking into RBAC to properly solve your file system permissions issues.  Schedule a demo ASAP.

