uFiles: Suggested Organization of Folders for IT Professionals

A suggested way to organize folders that reduces the time needed to maintain uFiles

The suggestion below is meant to provide a simple, reliable mechanism for IT Professionals to correctly limit access to uFiles.  Granting a new user access is as simple as adding that user to a group, and will not require the IT Professional to make any Access Control List changes to folders or files.

For each major College, School, or organizational unit, a share will be created:

\\ufiles\UWM\XYZ

Note that XYZ in the above example is the three or four letter unique designation for a group on campus as determined in the AD Naming Conventions document maintained by the IAM group. Contact the IAM group for group naming conventions.

For each share, two organizational groups will be created:
  • XYZ-uFiles-Administrators
  • XYZ-uFiles-Users
The XYZ-uFiles-Administrators group will have full control of all files, and will have the ability to view, edit, or delete any file.  Membership in this group should be limited to "-a" administrative user accounts, and should not be granted to individual users or large groups.

The XYZ-uFiles-Users group contains all the individuals and Active Directory groups that will have permission to change files.

uFiles understands and supports Access Based Enumeration.  This feature means that users see only files and folders that they have been granted access to see. 

For each College or School, sub-groups for every organizational unit are created (and probably already exist in Active Directory).  Groups should be arranged in a hierarchy for the organization. Use an organizational chart as a starting point.

People at the top of the chart can typically see everything. People at the bottom can only see their terminal end of the branch.

Example Group Structure

  • XYZ-uFiles-Users
    • XYZ-uFiles-Division1
      • XYZ-uFiles-Division1-Group1
      • XYZ-uFiles-Division1-Group2
    • XYZ-uFiles-Division2
      • XYZ-uFiles-Division2-Group1
        • XYZ-uFiles-Division2-Group1-Team1
      • XYZ-uFiles-Division2-Group2

Each group in the list above is a member of the group one level above it. Each group is granted change permission on the directory branch below that corresponds to its name, but there is no inheritance of permissions at this level.

Here is an example file structure for the above Group structure:

\\ufiles\UWM\XYZ
\\ufiles\UWM\XYZ\Division1
\\ufiles\UWM\XYZ\Division1\Group1
\\ufiles\UWM\XYZ\Division1\Group2
\\ufiles\UWM\XYZ\Division2\Group1
\\ufiles\UWM\XYZ\Division2\Group1\Team1
\\ufiles\UWM\XYZ\Division2\Group2

Thus, in order to grant access to the Team1 folder above, you only have to add a user to the XYZ-uFiles-Division2-Group1-Team1 group in Active Directory.

Access Control Lists can be difficult to repair and especially to edit.  For unusual circumstances, it is suggested that you use "cacls" from the command line to edit folder permissions, because its /E switch edits an existing ACL instead of replacing it.
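
The naming rule and the cacls /E usage described above, worked through as an added example (not part of the original document or of any UWM tooling): the script takes the example group structure, derives each group's parent group and folder, and builds one cacls grant per folder. The outline encoding, the function names, and the mapping of XYZ-uFiles-Users to the share itself are assumptions made for illustration.

```python
# Added example: derive nesting, folders and cacls grants from the page's naming rule.
SHARE_ROOT = r"\\ufiles\UWM"   # share root shown on the page
UNIT = "XYZ"                   # placeholder unit designation used on the page

# The page's example group structure as an outline, two spaces per level
# (this encoding is an assumption made for the example).
GROUP_OUTLINE = """\
XYZ-uFiles-Users
  XYZ-uFiles-Division1
    XYZ-uFiles-Division1-Group1
    XYZ-uFiles-Division1-Group2
  XYZ-uFiles-Division2
    XYZ-uFiles-Division2-Group1
      XYZ-uFiles-Division2-Group1-Team1
    XYZ-uFiles-Division2-Group2
"""

def folder_for(group, unit=UNIT):
    # Strip the "<unit>-uFiles-" prefix; the remaining name parts become path parts.
    prefix = f"{unit}-uFiles-"
    if not group.startswith(prefix) or group == prefix:
        raise ValueError(f"group does not follow the naming rule: {group!r}")
    base = SHARE_ROOT + "\\" + unit
    suffix = group[len(prefix):]
    # Assumption: the top-level Users group corresponds to the share itself.
    return base if suffix == "Users" else base + "\\" + suffix.replace("-", "\\")

def build_plan(outline=GROUP_OUTLINE):
    plan, stack = [], []   # stack holds the groups from the root down to the current line
    for line in outline.splitlines():
        if not line.strip():
            continue
        depth = (len(line) - len(line.lstrip(" "))) // 2
        if depth > len(stack):
            raise ValueError(f"outline skips a level at: {line.strip()!r}")
        del stack[depth:]
        group, parent = line.strip(), (stack[-1] if stack else None)
        folder = folder_for(group)
        # A group's folder must sit directly inside its parent group's folder.
        if parent and folder.rsplit("\\", 1)[0] != folder_for(parent):
            raise ValueError(f"{group} is not named after its parent {parent}")
        stack.append(group)
        plan.append({"group": group, "member_of": parent, "folder": folder,
                     # /E edits the existing ACL; C is cacls' "change" permission.
                     "command": f'cacls "{folder}" /E /G {group}:C'})
    return plan

if __name__ == "__main__":
    for step in build_plan():
        print(f'{step["group"]} (member of {step["member_of"]})')
        print("  " + step["command"])
```

The consistency check rejects a group whose name does not match its position in the outline, which catches a misnamed group before any ACL is touched.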



Keywords: uFiles
Doc ID: 64519
Owner: Kevin M.
Group: UW-Milwaukee Help Desk
Created: 2016-06-28 11:03 CDT
Updated: 2016-10-18 13:39 CDT
Sites: UW-Milwaukee Help Desk