Setting up a repository


Creating a shared network directory

IT services create a shared network directory for an organizational unit file repository on a network drive. The path to such a shared network directory is usually provided in the form of:

\\server\share

The example discussed here uses:

\\NETWIN\CESD

Network users with the appropriate permissions can map such a shared network directory to a drive letter, which then appears to them as a separate drive. The organizational repository discussed here uses NTFS (Microsoft's New Technology File System) as its file system. More information on NTFS is available from the Start -> Help and Support menu on your local computer, or from the Microsoft TechNet web site. Search for NTFS in both resources.

IT services makes incremental backups of the NETWIN server every day from Monday to Thursday, and a full backup on Friday. The retention time of backups is one year.


Mapping a shared network directory to a drive letter

Users can map a shared network directory to a drive letter. This is done using Windows Explorer -> Tools -> Map Network Drive ...

In the example below, the server name is NETWIN and the shared network directory is CESD. For convenience, the checkbox "Reconnect at logon" should be ticked so that the shared network directory is available automatically under the chosen drive letter. All users within an OU may want to use the same drive letter for their OU file repository.

The directory CESD then becomes the root directory of the CESD file repository.


Image:Cesd_map_network_drive.jpg


File repository overview

The objective of the structure of this repository layout is to minimize permission management, but at the same time allow for the integration and separation discussed in detail here. There are only three levels of permissions management and actions (adding, modifying and deleting folders and files).

  • At the OU repository root (level 1), permissions are managed and actions are performed by repository administrators (ITS, CRIL).
  • At the root level of a group branch (level 2), permissions are managed and actions are performed by the respective group leader, or alternatively by a repository administrator.
  • Within a group member branch (level 3), actions (adding, modifying and deleting folders and files) are performed by the respective group member.
  • The OU head has read access to the entire repository.
  • A group leader has full control within his/her group branch.
  • All members of a group have read access to their entire group branch.
  • Group members can modify the content of their respective branch within their group.
  • Permissions are managed directly for individual users, with the exception of groups (administrators, domain users) that are managed by ITS. This is not according to textbook recommendations, but it allows greater transparency and independence for OUs and research groups.
  • Ultimately, the entire OU repository management should be performed by designated OU staff.


Permissions for the OU root

Initial NTFS setup

The following setup for the entire repository is provided by ITS:

  • The root directory does not inherit any permissions.
  • Administrator group - Full control: applied to folder, subfolders, and files
  • Additional administrator (Thomas Metz) - Full control: applied to folder, subfolders, and files

Additional NTFS permissions

The following additional permissions to the root folder were set by the additional administrator (Thomas Metz):

  • Additional administrator (Emmali Manalo) - Full control: applied to folder, subfolders, and files
  • Domain Users group - Read permission: applied to folder and files
  • OU head (To Phuc Tuong) - Read and execute permission: applied to folder, subfolders, and files


Image:Cesd_root.jpg

Administrator permissions - details

Administrators (Group, T Metz, E Manalo) have full control applied to the CESD root folder, subfolders, and files. The permissions are not limited to the CESD folder and they are therefore inherited throughout the entire directory and file structure of the CESD repository.


Image:Cesd_root_administrator.jpg


Domain Users group permissions - details

All users with a local network account are in the Domain Users group. These users have read permission applied to the CESD root folder and files. The permissions are limited to the CESD folder and they are therefore not inherited throughout the entire directory and file structure of the CESD repository.

Domain users can enter the CESD root directory, list all subfolders and files, and open files located in the CESD root directory. Domain users cannot enter subfolders and they cannot add, modify, or delete files or directories in the CESD root directory. An analogy would be being allowed to enter the lobby of a building and read the directory of occupants, but needing further permissions before entering other parts of the building.


Image:Cesd_root_domain_user.jpg


OU head permissions - details

The OU head (To Phuc Tuong) has read permission applied to the CESD root folder, subfolders, and files. The permission is not limited to the CESD folder and it is therefore inherited throughout the entire directory and file structure of the CESD repository.

The OU head can see the entire directory and file structure of the CESD directory, can read any file but cannot add, modify, or delete files or directories in the CESD repository.

Note: The OU head has additional permissions in his section of the CESD repository.


Image:Cesd_root_OU_head.jpg


Permissions for a group leader branch

Each group leader has his/her own branch in the OU file repository. A group leader branch starts as a subdirectory to the CESD root directory. At this subdirectory level, additional permissions are set for the group leader and the members of his/her group.

In the example group leader branch (BBouman), the permissions of the Administrators, the additional administrators (T. Metz, E. Manalo), and the OU head are inherited automatically from the CESD root directory.

Additional permissions are set for the group leader (example: Bas Antonio Bouman) and members of his research group (example: Ambrocio Castaneda, Christine Kreye, Rubenito Lampayan, ...). At this level, a group leader is given full control and therefore becomes an administrator of his/her respective group branch in the repository. Group members are given read/execute permissions for the entire group branch.


Image:Cesd_scientist_node.jpg


Group leader permissions - details

Group leaders (example: Bas Antonio Bouman) have full control of their branch root folder, subfolders, and files starting from their branch of the repository. The permissions are not limited to their branch root folder as they are automatically inherited throughout their entire branch directory and file structure. Group leaders effectively become administrators of their branch in the file repository.


Image:Cesd_scientist_node_scientist.jpg


Group member permissions - details

Group members (example: Ambrocio Castaneda, Christine Kreye, Rubenito Lampayan, ...) have read/execute permissions applied to the group branch root folder, subfolders, and files in their group branch of the repository. The permissions are not limited to their group branch root folder and they are therefore inherited throughout their entire group branch directory and file structure. Read/execute permissions allow group members to open files and execute programs, but not to add, modify or delete folders and files in their branch. Group members also cannot set or change user permissions.


Image:Cesd_scientist_node_other.jpg


Permissions for a group member branch

Within a group branch, group members may have their own sub-branches. At this subdirectory level, additional permissions are set for the group member owning the branch.

In the example group member branch (ACastaneda), permissions of the Administrators, the additional administrators (T. Metz, E. Manalo), the OU head (T.P. Tuong), the group leader (B. Bouman), and the group members (A. Castaneda, C. Kreye, R. Lampayan, ...) are inherited automatically from the OU repository root directory (V:\) and the group root directory (V:\BBouman\).


Image:Cesd_groupmember_node.jpg


Group member permissions - details

The group member owning the branch (example: Ambrocio Castaneda) has modify permissions applied to the group member branch root folder, subfolders, and files in their group member branch. The permissions are automatically inherited throughout their entire branch. Modify permissions allow the owner group member to add, modify or delete folders and files in their entire branch.


Image:Cesd_groupmember_node_member.jpg
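
The three permission levels described above can also be applied and checked from PowerShell with icacls and Get-Acl. This is an added example, not part of the original page. It assumes the repository is mapped to V:, that the group member branch is V:\BBouman\ACastaneda, that the "Administrator group" is BUILTIN\Administrators, and it uses hypothetical EXAMPLE\... account names as placeholders.

```powershell
# Added example, not from the original page. Account names are hypothetical
# placeholders (the page gives people's names, not logon names).
# Run in an elevated session, on a test share first.
$Root   = 'V:\'                      # \\NETWIN\CESD mapped to V:
$Group  = 'V:\BBouman'               # group leader branch (level 2)
$Member = 'V:\BBouman\ACastaneda'    # group member branch (level 3, assumed path)

$Admins      = 'BUILTIN\Administrators'   # assumed identity of the "Administrator group"
$ExtraAdmins = 'EXAMPLE\tmetz', 'EXAMPLE\emanalo'
$DomainUsers = 'EXAMPLE\Domain Users'
$OuHead      = 'EXAMPLE\tptuong'
$Leader      = 'EXAMPLE\bbouman'
$Members     = 'EXAMPLE\acastaneda', 'EXAMPLE\ckreye', 'EXAMPLE\rlampayan'

# Level 1: the root inherits nothing; every ACE on it is explicit.
#   (OI)(CI) = this folder, subfolders and files
#   (OI)(NP) = this folder and the files directly in it, no further propagation
icacls $Root /inheritance:r /grant:r "${Admins}:(OI)(CI)F"
foreach ($a in $ExtraAdmins) { icacls $Root /grant:r "${a}:(OI)(CI)F" }
icacls $Root /grant:r "${DomainUsers}:(OI)(NP)R"
icacls $Root /grant:r "${OuHead}:(OI)(CI)RX"   # Read and execute, as in the setup list

# Level 2: inheritance stays enabled; add the group leader (Full control)
# and the group members (Read and execute) for the whole group branch.
icacls $Group /grant:r "${Leader}:(OI)(CI)F"
foreach ($m in $Members) { icacls $Group /grant:r "${m}:(OI)(CI)RX" }

# Level 3: the owning member gets Modify on their own sub-branch.
icacls $Member /grant:r 'EXAMPLE\acastaneda:(OI)(CI)M'

# Verify: list each ACE and whether it is explicit or inherited.
foreach ($p in $Root, $Group, $Member) {
    (Get-Acl -LiteralPath $p).Access |
        Select-Object @{n='Path'; e={$p}}, IdentityReference, FileSystemRights,
                      IsInherited, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}
```

In the verification output for V:\BBouman, the administrator and OU head entries should show IsInherited as True, the group leader and group member entries as False, and Domain Users should not appear at all because its root entry does not propagate to subfolders.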


Last modified January 9, 2008 2:43 am