File rights
Diary
By jayhawk88 (Mon Sep 12, 2011 at 05:30:50 PM EST)
AKA, Fuck You, Microsoft


Here is life in the Novell world. Imagine you have two directory structures:

DATA
-IT
--Department
---Important Info
----Super Important Info
---Not So Important Info
-HR
--Department

Both of these structures are on the same file share, IT and HR have their rights assigned by group to the relevant users. Users map to the DATA share. If I have rights to IT, I don't even see the HR folder.

Now, what a user in IT wants is to be able to give an HR user access to the Super Important Info folder. This is easy in Novell! You simply assign the HR user (or group) rights directly to the Super Important Info folder, and when a user logs in, they now have an "IT" folder, which they drill down into, until they get to Super Important Info. They don't see Not So Important Info, nor any other folders hanging off IT\Department. Likewise, it's not necessary for you to assign any read/traverse rights on any of the upper folders.

Now, an ASCII representation of how this (apparently) works in Windows:

goatse.cx

Oh sure, Microsoft lures you in with honeyed words like "Access Based Enumeration", but what they don't tell you is that ABE means fuck-all if you're going down more than two levels. I have to assign what I have taken to calling "Five Reads" (Traverse, List Folder, Read Attributes, Read Extended, Read Permissions) to the root DATA folder, assigned to This Folder Only. Which allows HR users to only see the HR folder and IT users to only see the IT folder when they map DATA.

But if I want to directly assign rights between department folders more than one level down, the wheels start coming off. Assigning an HR user rights to Super Important Info will result in the DATA mapping not displaying the IT folder for them, since they do not have any Five Reads permissions to IT. Hence, I would need to assign This Folder Only, Five Reads to IT. Then, I would see IT, but not the Department folder, same issue. And on down.

And because I care about users only seeing the folders they have rights to, I cannot simply just assign Five Reads to DATA and propagate it on down the directory tree. Especially since some departments have a habit of just sitting files in their Department folder.

And now, let's multiply this problem by....a dozen? A hundred? 500? How many of these situations are we going to run into as we transition our entire shared folder structure from Novell to Microsoft? No one here can say; the Novell way has been The Way since they started getting computers around here. The shared folder structure has existed since well before I was hired, 11 years ago. We occasionally find stuff in there with modified dates from 1995.

Perhaps there's a way around this, and if anyone knows of one, please God post it, but if there is, Google hasn't been forthcoming. The best solution I see is to just force users from sharing out folders between department structures, and creating separate folders off DATA. If users all have the same rights to such a folder from the top, the problem largely goes away (unless someone is doing a microcosm of the same thing deeper down a structure I guess, you never know around here). Still, I'm growing old by the minute thinking of how we're going to identify any situations like this, outside of checking the file permissions, folder by folder.
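
The folder-by-folder check described above can be scripted. The following is an added example, not part of the original diary entry: a read-only PowerShell audit that lists every explicit (non-inherited) Allow ACE below the share root and the ancestor folders where that same identity lacks the "Five Reads". The root path `D:\DATA` and the helper name `Test-FiveReads` are assumptions made for illustration.

```powershell
# Added example (not from the original post). $Root is a hypothetical path.
# Read-only: reports explicit Allow ACEs below the share root whose grantee
# lacks the post's "Five Reads" on one or more ancestor folders.
# Limitation: matches ACEs by identity name only; access the grantee gets on
# an ancestor through membership in another group is not resolved.
param([string]$Root = 'D:\DATA')

$FiveReads = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-FiveReads {
    param([string]$Path, [string]$Identity)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $InheritOnly) { continue }  # ACE skips this folder
        if (($ace.FileSystemRights -band $FiveReads) -eq $FiveReads) { return $true }
    }
    return $false
}

$rootLen = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\').Length

Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
    $folder = $_
    $explicit = (Get-Acl -LiteralPath $folder.FullName).Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }
    foreach ($ace in $explicit) {
        $id = $ace.IdentityReference.Value
        $missing = @()
        # Walk from the folder's parent up to and including the share root.
        $parent = $folder.Parent
        while ($parent -and $parent.FullName.TrimEnd('\').Length -ge $rootLen) {
            if (-not (Test-FiveReads -Path $parent.FullName -Identity $id)) {
                $missing += $parent.FullName
            }
            $parent = $parent.Parent
        }
        if ($missing) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                MissingOn = $missing -join '; '
            }
        }
    }
}
```

Each output row is one direct assignment that would need This Folder Only entries on the folders listed in `MissingOn` before the grantee could browse down to it.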

File rights | 15 comments (15 topical, 0 hidden)
You could by Gedvondur (4.00 / 2) #1 Mon Sep 12, 2011 at 05:47:05 PM EST
Go modern with actual collaboration software that abstracts all of this directory structure horse shit.  While Sharepoint might come to mind first, there are other solutions.

At my company (70k employees) we use a number of collaboration tools and even wikis to keep this information available, via web browser, including upload functions.  It abstracts it from the underlying structure and gives more flexibility.




"So I will be hitting the snatch hard, I think, tonight." - gzt
Nice trolling! by Herring (4.00 / 3) #2 Mon Sep 12, 2011 at 07:52:09 PM EST
Sharepoint. Good one.

Or just create a new share in the SuperImportantData directory.

You can't inspire people with facts
- Small Gods

Yeah by jayhawk88 (4.00 / 2) #3 Mon Sep 12, 2011 at 08:22:44 PM EST
Honestly the biggest hurdle in this project might be dealing with the fallout of the shared drive letter changing from S to J. Our user base trends more towards "What happened to my Calvin and Hobbes icons?" than "How can I utilize this collaboration tool to improve my workflow?"

Bring my icons back, dammit. by ammoniacal (4.00 / 0) #5 Mon Sep 12, 2011 at 10:29:21 PM EST
For reals, dawg.

"To this day that was the most bullshit caesar salad I have every experienced..." - triggerfinger

... by Gedvondur (4.00 / 1) #8 Tue Sep 13, 2011 at 08:54:34 AM EST
You need to work with smarter people.

"So I will be hitting the snatch hard, I think, tonight." - gzt
good old Novell by clover kicker (4.00 / 0) #4 Mon Sep 12, 2011 at 09:58:50 PM EST
Brings a tear to me eye, that was some fine software right there.

If I'm ever declared Emperor of the world I shall hold gladiatorial games, where the fuckwits in charge of marketing at Novell duel to the death with the fuckheads in charge of designing NT.

Once a winner is determined, I shall unleash the rabid weasels.

The fuckheads. by ni (4.00 / 1) #6 Tue Sep 13, 2011 at 06:48:50 AM EST
Microsoft really should have splurged on someone who knew what they were doing instead of hiring a nobody. Seriously, what made Dave Cutler think he could design an operating system?


"These days it seems like sometimes dreams of Italian hyper-gonadism are all a man's got to keep him going." -- CRwM
over the last 15 years NT has mostly caught up by clover kicker (2.00 / 0) #7 Tue Sep 13, 2011 at 07:37:24 AM EST
with NetWare as a file server. NT file permissions are still retarded though.

As the hardware got faster I'll freely concede that NT evolved into a decent desktop OS.

Goes further than that by Breaker (2.00 / 0) #14 Tue Sep 13, 2011 at 05:20:19 PM EST
File permissions are a doddle when you're up against RPC across domains, and remote COM+ instantiation.

Windows permissioning model = FUCKED.

I'm not a UNIX weenie by any stretch of the imagination and certainly not an Apple fanboi, but OSX hits the sweet spot between secure and easy to use.


Exactly by jaxom green (2.00 / 0) #15 Thu Sep 15, 2011 at 11:39:04 PM EST
Exactly, it's not like he's designed an OS that's still kicking around after 36 years or anything...

Just so. by ni (2.00 / 0) #16 Fri Sep 16, 2011 at 02:36:46 PM EST
Fucking inexperienced upstarts.


"These days it seems like sometimes dreams of Italian hyper-gonadism are all a man's got to keep him going." -- CRwM
It's still amazing to me by jayhawk88 (4.00 / 1) #10 Tue Sep 13, 2011 at 09:11:04 AM EST
...that a company that had NDS/eDirectory and Groupwise (say what you want, there was a time when it blew Exchange out of the water) is now essentially just waiting to be sold off piecemeal.

They split off their Linux distro by Gedvondur (2.00 / 0) #13 Tue Sep 13, 2011 at 04:50:50 PM EST
Whatever it's called.  Spoetzl Linux or something.  They had a booth at VMworld.




"So I will be hitting the snatch hard, I think, tonight." - gzt
Novell, man... by wiredog (2.00 / 0) #9 Tue Sep 13, 2011 at 09:09:57 AM EST
I got a Netware CNA Certification back in, ummmm. 93? Never used it.

Earth First!
(We can strip mine the rest later.)

Is this like one of those 2001 retrospectives? by the mariner (4.00 / 1) #12 Tue Sep 13, 2011 at 04:43:15 PM EST
I can see how you'd get in the mood from all the 9/11 stuff.

