
1 Rookie • 20 Posts • November 30th, 2015 01:00

Regarding Isilon Sub-Folder share permission

Dear All,

I need help with the following:

Parent folder:- /ifs/data/projects

Subfolders:- /ifs/data/projects/engg, /ifs/data/projects/dev

Users:- usera,userb,userc

SMB Export Name:- smb1

SMB Export Path:- /ifs/data/projects

SMB Export/Share Permission:- Administrator -Full access, Everyone - Read access

Requirements:- End user "usera" should be able to access "/ifs/data/projects/engg". It doesn't work, since "usera" does not have any permission in "/ifs/data/projects", but he has full access in "/ifs/data/projects/engg".

Error:- "usera" does not have enough privileges. So I tried changing the export path from "/ifs/data/projects/" to "/ifs/data/projects/engg" and it works. But the customer does not want to export "/ifs/data/projects/engg", since they have many subfolders with different end user permissions. So they want to export only /ifs/data/projects, and usera and userb should be able to access /ifs/data/projects/engg.

Please let me know if anyone has come across a similar situation and has any idea or solution for this; please share it with me.

Thanks in advance.

1 Rookie • 20 Posts • December 13th, 2015 22:00

Dear All,

Thanks for your valuable inputs. Finally I did a workaround and fixed the issue. However, it could be a fit for a mid-range environment. The fix is as follows:

1. Create the folder "/ifs/data/Prod" in the File System Explorer.

2. Create the sub-folders "/ifs/data/Prod/project" and "/ifs/data/Prod/dev" under it.

3. Create the SMB export "prod" with the export path "/ifs/data/Prod".

4. Log in as root to the Isilon by accessing this "prod" share - \\isiloncluster\ifs\

5. Go to the properties of the "/ifs/data/Prod" folder, go to the Security tab and add the customer admin user with full permission and the other end users [usera, userb]. Then click the "Advanced" tab, select "Change permission", and select/edit the user "usera" with "Traverse" permission in "Allow" and all the remaining permissions in the "Deny" column; also keep "Apply to" as "This Folder, Sub Folder and Files", but assign full permission for them in the subfolders "/ifs/data/Prod/project" and "/ifs/data/Prod/dev" respectively. To achieve the subfolder full permission for usera and userb, go to the properties of "/ifs/data/Prod/project" and "Advanced" --> "Change Permission" --> add "usera" and set full permission in the "Allow" column as required.

6. Here I took usera as an example; in the customer environment it could be a "group" permission, but the procedure is the same.

7. Now the challenge is that as the business unit grows it is very difficult to follow the same procedure. However, if the BU is medium-sized and you are using "group" permissions to manage users, then this could help you.

So I am marking this discussion as the correct answer. However, I would appreciate it if anyone who has tried the same would share feedback with us.

Thanks to all, and if anyone needs more information on this please let me know. I have screenshots for the above but don't know how to upload them here.

Thanks again to all.

2 Intern • 300 Posts • November 30th, 2015 01:00

set the NTFS-ACLs on /ifs/data/Projects in a way that usera and userb are able to access it. (authenticated users: read)

to increase security you could enable ABE to prevent them from viewing folders they do not have permissions for.

Edit:

I'm not quite sure, but isn't it possible under Windows to access a subfolder without having permissions on the top folder, as long as you specify the complete path to the directory where you have the permissions? this means a direct map of \\isiloncluster\smb1\engg should work even if there are no NTFS permissions on /ifs/data/projects. A mapping of \\isiloncluster\smb1 would not work in this case.

9 Legend • 20.4K Posts • November 30th, 2015 06:00

remember that the most restrictive permission wins: if you have read only on the share and full on folder permissions, the user will have read only permission.


2 Intern • 300 Posts • December 14th, 2015 05:00

what you did (in my words) is to give them proper NTFS rights to access /ifs/data/Prod.

just my 5 Cent:

- never use user-accounts in NTFS Permissions. always use groups

--> if a user leaves, you will have remaining "lost" SIDs

--> if the Access for the Group is not needed anymore you normally delete the whole structure (if properly diverted)

--> if you have to give an additional user permissions you can just join him to the Group and don't have to set permissions to the whole Folder-structure.

- where applicable use well-known SIDs like "authenticated users" since this abstracts even more complexity. Use ABE to make things more secure and stop irritating the user.

- only use deny permissions if you want to deny Access to a user(Group) that has Access on topstructures, and you are unable to stop inheritance on that Folder.

otherwise Troubleshooting the structure gets fricking complicated.

and last but not least:

think about a role/rightsmanagement BEFORE you build the structure.

9 Legend • 20.4K Posts • December 14th, 2015 08:00

very convoluted to say the least, you are making it more complicated than it should be.

/ifs/data/prod - give traverse permissions to either authenticated users or some other group that can be easily modified to add other groups

/ifs/data/prod/development - remove inheritance and set permissions as you see fit

/ifs/data/prod/projects - remove inheritance and set permissions as you see fit

take advantage of ABE as sluetze mentioned before.
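
A simplified model of the permission logic discussed in this thread, added here as an illustration and not posted by any participant: it evaluates ACEs in Windows canonical order (explicit before inherited, deny before allow) and then intersects the result with the share permission. The three rights, the group names `engg-group` and `dev-group`, and the assumption that ACLs set from Windows Explorer are evaluated on the cluster the way Windows evaluates them are all assumptions.

```python
# Simplified model of Windows-style ACL evaluation. Rights, group names and ACLs
# are constructed for illustration; real ACEs carry many more rights and flags.
READ, WRITE, TRAVERSE = 1, 2, 4
FULL = READ | WRITE | TRAVERSE

def ace(kind, sid, mask, inherited=False):
    return {"kind": kind, "sid": sid, "mask": mask, "inherited": inherited}

def inherit(acl):
    """ACEs a child receives from a parent set to 'This folder, subfolders and files'."""
    return [dict(a, inherited=True) for a in acl]

def ntfs_rights(acl, sids):
    """Canonical order: explicit before inherited, deny before allow in each group."""
    granted = denied = 0
    for a in sorted(acl, key=lambda a: (a["inherited"], a["kind"] != "deny")):
        if a["sid"] not in sids:
            continue
        if a["kind"] == "deny":
            denied |= a["mask"] & ~granted   # cannot revoke bits already granted
        else:
            granted |= a["mask"] & ~denied
    return granted

def effective(share_mask, acl, sids):
    """Share and file-system permissions combine: the most restrictive wins."""
    return share_mask & ntfs_rights(acl, sids)

USERA = {"usera", "Authenticated Users", "engg-group"}   # usera's constructed token

# Workaround from the thread: allow Traverse + deny the rest on the parent, inherited.
parent_a = [ace("allow", "usera", TRAVERSE), ace("deny", "usera", READ | WRITE)]
project_a = [ace("allow", "usera", FULL)] + inherit(parent_a)
dev_a = inherit(parent_a)                      # no explicit grant for usera here

# Simpler layout: traverse-only parent, inheritance removed below, group grants.
parent_b = [ace("allow", "Authenticated Users", TRAVERSE)]
project_b = [ace("allow", "engg-group", FULL)]
dev_b = [ace("allow", "dev-group", FULL)]

def summary(share_mask=FULL):
    """Effective rights for usera on [parent, project, dev] in both layouts."""
    layouts = {"a": (parent_a, project_a, dev_a), "b": (parent_b, project_b, dev_b)}
    return {k: [effective(share_mask, acl, USERA) for acl in v] for k, v in layouts.items()}

if __name__ == "__main__":
    print("share=Full:", summary(FULL))
    print("share=Read:", summary(READ | TRAVERSE))
```

In the workaround layout the explicit allow on the subfolder is evaluated before the inherited deny, which is why usera still gets full access there; in the group-based layout no deny entries are needed at all, and the folder usera has no rights on is the one ABE would hide.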
