----Super Important Info
---Not So Important Info
Both of these structures are on the same file share; IT and HR have their rights assigned by group to the relevant users. Users map to the DATA share. If I have rights to IT, I don't even see the HR folder.
Now, what a user in IT wants is to be able to give an HR user access to the Super Important Info folder. This is easy in Novell! You simply assign the HR user (or group) rights directly to the Super Important Info folder, and when a user logs in, they now have an "IT" folder, which they drill down into, until they get to Super Important Info. They don't see Not So Important Info, nor any other folders hanging off ITDepartment. Likewise, it's not necessary for you to assign any read/traverse rights on any of the upper folders.
Now, an ASCII representation of how this (apparently) works in Windows:
Oh sure, Microsoft lures you in with honeyed words like "Access Based Enumeration", but what they don't tell you is that ABE means fuck-all if you're going down more than two levels. I have to assign what I have taken to calling "Five Reads" (Traverse, List Folder, Read Attributes, Read Extended, Read Permissions) to the root DATA folder, assigned to This Folder Only. Which allows HR users to only see the HR folder and IT users to only see the IT folder when they map DATA.
But if I want to directly assign rights between department folders more than one level down, the wheels start coming off. Assigning an HR user rights to Super Important Info will result in the DATA mapping not displaying the IT folder for them, since they do not have any Five Reads permissions to IT. Hence, I would need to assign This Folder Only, Five Reads to IT. Then, I would see IT, but not the Department folder, same issue. And on down.
And because I care about users only seeing the folders they have rights to, I cannot simply just assign Five Reads to DATA and propagate it on down the directory tree. Especially since some departments have a habit of just sitting files in their Department folder.
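The chain of This Folder Only grants described above, sketched in PowerShell as an added example (not from the original post); the function name, its parameters, the D:\DATA paths and the CONTOSO\HR-Users group are hypothetical.

```powershell
# Added example: grant the "Five Reads" as This Folder Only on every ancestor
# between a deep target folder and the share root, so the path is browsable.
function Grant-FiveReadsChain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareRoot,  # folder behind the DATA share
        [Parameter(Mandatory)][string]$Target,     # folder that already has direct rights
        [Parameter(Mandatory)][string]$Identity    # user or group to let through
    )

    $root = [System.IO.Path]::GetFullPath($ShareRoot).TrimEnd('\')
    $leaf = [System.IO.Path]::GetFullPath($Target).TrimEnd('\')
    if (-not $leaf.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Target '$leaf' is not below share root '$root'."
    }

    # Traverse, List Folder, Read Attributes, Read Extended Attributes, Read Permissions
    $rights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

    # InheritanceFlags None + PropagationFlags None is "This folder only":
    # nothing flows down to subfolders or to files sitting in the folder.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Walk upward from the target's parent to the share root, inclusive.
    $dir = Split-Path -Path $leaf -Parent
    while ($dir.Length -ge $root.Length) {
        if ($PSCmdlet.ShouldProcess($dir, "Grant Five Reads (this folder only) to $Identity")) {
            $acl = Get-Acl -LiteralPath $dir
            $acl.AddAccessRule($rule)   # merges with any existing ACE for the identity
            Set-Acl -LiteralPath $dir -AclObject $acl
        }
        if ($dir.Length -eq $root.Length) { break }
        $dir = Split-Path -Path $dir -Parent
    }
}

# Constructed sample call; -WhatIf lists the folders that would be touched
# (DATA, IT, Department) without changing any ACL.
Grant-FiveReadsChain -ShareRoot 'D:\DATA' `
    -Target 'D:\DATA\IT\Department\Super Important Info' `
    -Identity 'CONTOSO\HR-Users' -WhatIf
```

Each run leaves one explicit ACE per ancestor folder, so every cross-department grant has to be recorded somewhere if it is ever going to be found and removed again.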
And now, let's multiply this problem by....a dozen? A hundred? 500? How many of these situations are we going to run into as we transition our entire shared folder structure from Novell to Microsoft? No one here can say; the Novell way has been The Way since they started getting computers around here. The shared folder structure has existed since well before I was hired, 11 years ago. We occasionally find stuff in there with modified dates from 1995.
Perhaps there's a way around this, and if anyone knows of one, please God post it, but if there is, Google hasn't been forthcoming. The best solution I see is to just stop users from sharing out folders between department structures, and create separate folders off DATA. If users all have the same rights to such a folder from the top, the problem largely goes away (unless someone is doing a microcosm of the same thing deeper down a structure I guess, you never know around here). Still, I'm growing old by the minute thinking of how we're going to identify any situations like this, outside of checking the file permissions, folder by folder.