Optimize access to files and folders.
One of the NTFS foundations Microsoft wants you to understand is how to properly design a folder structure to correspond with solid security principles. Even though this is a gray area between server administration and desktop OS administration, understanding this concept will help you in your technical career.
By default, new folders and files created in a directory inherit the security permissions of the parent. Due to this design fundamental, as you design a folder security layout, you should think about having the most general groups have security access at the root folder with tighter security as you go into each layer of sub-folders. For example, let’s assume you are designing a folder structure on your file server for all of the departments in your company, it might look like this:
Department Change Rights for Domain Users |
|||
|
HR Change Rights for HR Security Group |
Finance Change Rights for Finance Security Group |
MIS Change Rights for MIS Security Group |
Operations Change Rights for Operations Security Group |
|
Benefits Change Rights for Benefits Security Group |
Payroll Change Rights for Payroll Security Group |
Training Change Rights for Training Security Group |
|
|
|
|||
If you start at the top of the flow, you see the Department folder which has Change security Rights for Domain Users. If you follow each level of yellow folders, you see that the security rights get more fine tuned at each level, first for the HR team, then for each department folder within HR, and so on. A Finance user can get into the Department folder, then into the Finance folder, but not into the HR, MIS, or Operations folders.
Likewise, a member of the Training group in the HR department can get into Department, then HR, then Training, but not into Payroll or Benefits folders.
Best practice entails creating security groups and assigning these groups rights to folders, instead of assigning rights for individual users for department folders.
Comments