File Dynamics provides the ability to provision and manage folders that can be owned by multiple Active Directory security groups. Each group’s access to these folders is dependent on the security group object’s security principal. For example, one group’s access could be Read-Only, another’s could Read/Write, and another’s could be Full Control. Based on their support for multiple security principals, these folders are known as “Multi-Principal Managed Paths,” and they are issued through “Multi-Principal Collaborative Storage” policies.
Multi-Principal Managed Paths are owned and accessed by security groups with the same group prefix name separated by a suffix separator, and then distinguished by a unique security separator. In Figure 8-6 for example, the managed path Group1 is owned by both Group1-RO and Group1-RW, with the members of each group having Read Only and Read Write permissions respectively.
Figure 8-6 Example of a Multi-Principal Managed Path
Security groups that own and access a Multi-Principal Path must be in the Group_Prefix_Name-Security_Suffixformat. In Table 8-1, the naming components of the security group names in Figure 8-6 are identified.
Table 8-1 Components of Security Group Names Owning and Accessing Multi-Principal Paths
Group Prefix Name |
Suffix Separator Character/Sequence |
Security Suffix |
---|---|---|
Group1 |
- |
RO |
Group1 |
- |
RW |
The group prefix names cannot be different. For example, you cannot have Accounting-RW and Sales-RO groups managed by a Multi-Principal Collaborative policy against the same managed path. Multiple groups are considered to be participating in the security of the managed path if they have the same group prefix name up to the well-defined suffix separator string. The suffix separator can be a character or a string of characters and is configured in a Multi-Principal Suffix Mapping Action Block.
The change in paradigm to support Multi-Principal Managed Paths requires the introduction of a new Multi-Principal Collaborative policy type. The policy follows the standard association rules to support effective policy calculation. This means that the policy can be associated to a container or directly to security groups.
The new policy type provides the ability to link to a Multi-Principal Suffix Mapping Action Block where the separator character or string sequence that differentiates the group’s name from its security suffix.
To handle the constraints on the managed path imposed from multiple security principals managing a folder, new provisioning and de-provisioning events have been introduced. The primary reason for this is that provisioned managed paths for the Multi-Principal Collaborative policy can be thought of as referenced-counted based on the number of participating security groups. For instance, if Group1-RW, Group1-RO, and Group1-A all have active ACEs on the managed path, then the reference-count for the managed path is 3 and deletion of only one of these groups does not imply deletion of the folder as a whole. Rather, when any given security principal is deleted or moved out of policy scope, the corresponding event needs to scan the corresponding Active Directory container to look for the presence of any other groups by the group name prefix. If none exist, then the folder can potentially be scheduled for cleanup, otherwise no action is taken, except for when the ACE is removed.
Similarly, for provisioning, the first group for which an event is received would be responsible for creating the folder based on the group name prefix and assigning its respective rights. Any other events for complimentary groups must perform the equivalent of an apply permissions (ACE) in order to populate their respective transform entries. This allows for a flexible implementation that does not require a base security principal to be created first.
Structure Active Directory in a logical manner for the new groups that you will be creating.
For example, a division of a company has many departments with complex permissions. For instance, the Accounting Department might have a group of individuals that need Read/Write permissions, while another group needs Read Only.
Structure your network file system so that there is a storage area that will host the collaborative storage for the new groups.
As an example, the file system might look like this:
This procedure lets you standardize the groups and their associated permissions for the collaborative storage folders that will be provisioned by File Dynamics.
In the Admin Client, click the Identity Driven tab.
Click Action Blocks.
From the Manage menu, select New > Multi-Principal Suffix Mapping.
Enter a descriptive name for the new Action Block and click OK.
The following page appears:
Click Add.
In the Security Suffix column, highlight SampleSecuritySuffix and edit it to a more descriptive name of a group that will access the collaborative storage folder.
For example: Shipping.
Click the Full Control setting to access a drop-down menu of access permissions.
Specify the permissions for the particular group and click OK.
Repeat Step 5 through Step 8 to create all groups and permissions to the collaborative storage folder.
Click Apply.
Click OK.
In the Admin Client, click the Identity Driven tab.
Click Policies.
In the Manage menu, select New > Group Multi-Principal Collaborative.
The following dialog box appears:
Specify a descriptive name in the Name field and click OK.
Proceed with Setting Policy Options.
Verify that the Process Events for Associated Managed Storage check box is selected.
Verify that the Policy applies to subcontainers check box is selected.
(Optional) Enter an expanded description of the policy in the Description field.
Proceed with Setting Associations.
Click Associations.
Click Add.
In the browser, locate the organizational unit where the group objects will reside and drag it to the right pane.
Click OK to close the browser.
Proceed with Setting Provisioning Options.
Click Provisioning Options.
Click Link Action Block, select the Action Block you created earlier, and click OK.
In the Path Owner region of the page, click Browse and browse to specify an owner of all of the collaborative storage folders that will be created with this policy.
(Optional) In the Template Folder region, click Browse to specify a template for the collaborative storage folders that will be created by this policy.
Proceed with Setting the Target Path.
Click Target Path Options.
In the Target Paths region of the page, click Add.
In the browser, locate the share or folder where the collaborative storage folders will reside and drag it to the right pane.
Click OK to close the browser.
Click Apply.
Proceed with Setting Cleanup Options.
In the Vault on Delete region, select the Enable check box.
Click Browse.
In the browser, locate the share or folder where deleted folders will be archived once all of the groups that own a collaborative storage folder have been deleted and click OK.
Click Apply.
Click OK to close the Policy Editor.
Proceed with Testing the Policy.
These procedures let you verify that the policy is functioning as you designed it.
In one of the organizational units associated with the new Multi-Principal Collaborative Storage policy, create a new group that includes a - and one of the security suffixes you established earlier.
In the same organizational unit, and using the same group prefix name and suffix separator, create additional groups for each of the security suffixes you created earlier.
Using File Explorer, verify that each of the collaborative storage folders were created.
While still in File Explorer, verify that the permissions for each of the groups are correct.
Once you have verified that the Multi-Principal Collaborative Storage policy is creating collaborative storage with the correct access permissions for the various groups, create the remaining groups in all of the organizational units associated with the new Multi-Principal Collaborative Storage policy.