Adjusting permissions on ACL shares
This page is intended for university system administrators.
General information about ACL Shares can be found at the following page.
Adjust permissions on folders
System administrators can adjust the NTFS permissions on the folders in an ACL share.
We recommend doing this as little as possible. Only do this when there is a need, for example if sensitive data in certain subfolders has to be protected.
Access to ACL shares is already limited, making it usually unnecessary to change permissions on folders in the share.
Customizing permissions on folders requires good planning and a thorough understanding of the complex possibilities that NTFS permissions offer.
For new shares, the 'Domain Users' group has full control permissions on the root of the share. Domain Users is a general group that everyone is a member of. However, access to the share itself is limited to certain users or groups. Users who do not have access to the share can of course not see the contents of the share.
Best practices
There are many options for setting the permissions on an ACL Share. The way in which the permissions are structured on a share depends on the specific needs.
Some best practices:
-
Keep it as simple as possible!
Access to a share is already limited to, for example, only members of a department.
Only shield the sensitive data.
Only adjust the permissions on the first level folders, so the subfolders on the root of the share.
-
Avoid granting permissions to individual user accounts.
It is better to assign the permissions to Active Directory permission groups.
-
Organize the Active Directory groups according to the 'AGDLP' strategy.
-
Give users either 'modify' permissions or 'read' permissions.
It is better not to give users full control permissions.
Example procedure
The following procedure is a fictional example for department 'XX99' with an ACL share 'XX99Share' and shows how permissions can be set based on Active Directory groups.
-
Create role groups in Active Directory for the different teams of the department:
- XX99.GGU.Secretariat
- XX99.GGU.ResearchGroup1
- XX99.GGU.ZAP
To create groups in Active Directory you need an AD admin account ('Admin + login name').
You can then create groups and manage the members via 'AD Users and Computers' on Athena.
-
Create a permission group with all users who need access to the share.
- XX99.LGP.Share.XX99Share
Ask the helpdesk to give this group access to the share.
-
Create a permission group with all users who will have full control permissions on the share.
- XX99.LGP.Share.XX99Share.FullControl
-
Create a permission group for each subfolder in the root of the share.
- XX99.LGP.Share.XX99Share.TestMap to access the subfolder 'TestMap'.
-
Add role groups or users to these permission groups.
For example, make role group 'XX99.GGU.ResearchGroup1' a member of permission group 'XX99.LGP.Share.XX99Share.TestMap'.
Note: changes in group membership will only become effective from the next logon. -
Mount the share with an admin account:
If the share is located on 'ACLfiler':net use l: \\aclfiler\XX99Share /u:ugent\Admin<login>
If the share is located on 'Isilon': ACL shares:net use l: \\shares.isilon.ugent.be\XX99Share /u:ugent\Admin<login>
-
Set permissions on the root of the share.
The following commands ensure that users cannot create new folders in the root of the share.icacls "\\aclfiler\XX99Share" /grant "LGP.Share.XX99Share.FullControl":(OI)(CI)F icacls "\\aclfiler\XX99Share" /remove "UGent\Domain Users" icacls "\\aclfiler\XX99Share" /grant:r "UGent\Domain Users":(RX)
-
Create the subfolders on the root of the share and give the corresponding AD group modify permissions:
mkdir "\\aclfiler\XX99Share\TestMap" icacls "\\aclfiler\XX99Share\TestMap" /grant:r "UGent\XX99.LGP.Share.XX99Share.TestMap":(OI)(CI)M