Better to Gain Access as a Group Than Alone

Recently I discovered something interesting about how information gets managed. Not necessarily security, but more access or permissions in general – sometimes the easy way is the right way. There are IT Professionals who think in terms of users rather than groups when assigning permissions, which makes a rather fun mess when working to figure out who can see/do what and from where.

If an organization has five users, for example, and the company keeps its files in three folders, the overall management of this data is fairly simple. Adding the users to the ACLs of the folders to get them access is pretty much no big deal. When the organization starts to form teams or departments which require different types of access to certain folders, this can get messy and cause a good deal of cleanup later.

When an organization adds only a handful of employees across many departments it may seem like the easy way to manage access to things for these new user accounts is to add them where they need to be, but again, this creates a long chain of things to chase down when something stops working. If the person who put this nice little ball of noodles together ever leaves, the amount of work left for their colleagues is likely to be insurmountable – or at least take more time than any one person has to clean up.

I have both seen this done to save time, and done this myself because access was needed quickly and I could “fix it later”. Bad idea.

What to do when this mess needs to be cleaned up
Look at the results available in the current state. If there are more than a few user accounts with different access needs, talk to a handful of them and work out the access they have and the access they need. This is a good time to get out paper and pencil and start drawing boxes or just writing down the current state. It also doesn’t hurt to write down the desired state as it will help show you what you’re aiming to reach.

When you have an idea of the outcome you need, you can consider some options to fix it. Be careful about fixing things on the move, as this will cause re-fixing and permissions adjustments that make a bit of a mess for everyone during the cleanup.

Always have an Admin
If everyone in the “Works on Stuff” department needs read access to files in the “Stuff Created” folder, someone needs to be able to give them this access. There should always be an admin group that can manage the things being used, and this group should get created as soon as the problem is identified. Once the admin group is set up and at least one user is in it, someone will always be able to get you out of any messes created from this point forward.

Assign things to groups
When doling out access to files, websites, features etc., consider the group management route. Rather than giving Steve, Jane, and Tony access to a set of files individually when all of them need the same type of access, create a group labeled for this type of access, e.g. Sales_Read, and assign each of the people who need read access to the sales folder to this new group. This way, when Cosmo needs read access to sales, all you need to do is add him to the group. Next logon – Boom – Read access to sales.

The same holds true at times when a single user account needs access to a resource. Invariably, once this is set up, another account will come along needing the same type of access. Groups ease administration because once a group has access to a resource, its members get that type of access.

Removing previous access
This is a job. It will take some time. Do not assume that everything will be perfect once groups exist. You have groups set up for each resource with needed access types:

  • A read group
  • An Edit/Write group
  • An Admin group

Now you need to populate these groups and ensure the people who need access are in the necessary groups. Adding them is simple enough, but testing their access should be done deliberately. When you test Tony’s access, set up time to work with Tony and let him know he will need to log off and back on at the beginning of your session. Before meeting him, remove his explicit access. Now you can watch the logon process and start fresh in the testing session.

If the group method is all that is left, when Tony logs on, things should work as directed. He will see little in the way of problems or denied messages. Now you can proceed to clean up the rest of the explicitly assigned users. Following this deliberate method will do a couple of things:

  1. It lets you test your new group access strategy
  2. It allows your co-workers to work directly with you in case something might not be quite right

As you move forward in changing from explicit access to group access be sure to document the groups, what they have access to, and their membership just in case the information is needed.
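
To see the current state before removing anything, an inventory of the explicit user entries helps. The PowerShell below is an added example, not part of the original post: it walks a folder tree and reports every non-inherited NTFS entry that names an individual account instead of a group. The root path and report file name are hypothetical, and it assumes a domain-joined Windows machine.

```powershell
# Added example: report explicit (non-inherited) NTFS entries that name a user, not a group.
# $Root and $ReportPath are hypothetical defaults; the script only reads ACLs.
param(
    [string]$Root = 'D:\Shares\Sales',
    [string]$ReportPath = '.\explicit-user-aces.csv'
)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Assumes a domain-joined machine; use ContextType Machine for local accounts.
$ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
    -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
$sidType   = [System.DirectoryServices.AccountManagement.IdentityType]::Sid
$kindCache = @{}   # SID string -> 'User' | 'Group' | 'Unresolved'

function Get-PrincipalKind([System.Security.Principal.IdentityReference]$Identity) {
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (-not $kindCache.ContainsKey($sid)) {
            $p = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ctx, $sidType, $sid)
            $kind = 'Unresolved'   # deleted accounts, SYSTEM, CREATOR OWNER and similar
            if ($p -is [System.DirectoryServices.AccountManagement.UserPrincipal]) { $kind = 'User' }
            elseif ($p -is [System.DirectoryServices.AccountManagement.GroupPrincipal]) { $kind = 'Group' }
            $kindCache[$sid] = $kind
        }
        return $kindCache[$sid]
    } catch { return 'Unresolved' }   # lookup failed; keep it in the report for manual review
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        if ($ace.IsInherited) { continue }                    # only entries set on this folder
        $kind = Get-PrincipalKind $ace.IdentityReference
        if ($kind -eq 'Group') { continue }                   # group grants are the desired state
        [pscustomobject]@{
            Folder   = $folder.FullName
            Identity = $ace.IdentityReference.Value
            Kind     = $kind
            Type     = $ace.AccessControlType
            Rights   = $ace.FileSystemRights
        }
    }
}
$report | Sort-Object Identity, Folder | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Identity | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The CSV doubles as the "before" record for the documentation step, and the summary table shows which accounts have the most explicit entries to replace with group membership.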

Note: The examples given here are considering a Windows and largely NTFS environment. Keeping access limited to only the amount necessary to perform a duty is also a good idea.

Keep in mind that there may be multiple levels of security for each access type or application type in use. Windows file systems have both Share Permissions and NTFS Permissions, and applications that run on top of the general file system, such as Reporting Services or databases, have access permissions of their own. All of these things may want some of their own control when assigning access, and groups may be helpful at any level in the solution.

Using groups to streamline security will cut down on the number of entries tied to a specific resource and reduce the amount of overall work needed to figure out where something is and where it should be when things get out of control.