Purpose
To address shared drive best practices for access control, ownership, and audits.
Scope
Establish best practices to manage shared folders, such as the G:\ drive (Global College Share), S:\ (used at GBTC), and P:\ (used at AMIL).
Responsibilities
- Folder Owners - Responsible for securing their shared folders by managing access to the folders for their area(s) so that only minimal permissions are allowed.
- Users - Responsible for managing the documents stored in shared folders; users may create, copy, or delete files within a shared folder.
- G:\ Disk Administrators - Work with folder owners to manage and secure all shared folders. Information Services (IS) will provide recommendations for folder structures and permissions. Cloud and Endpoint Solutions staff perform annual audits and update permissions based on folder owner feedback.
Managing, Auditing, and Reporting Information
Information Services uses Varonis to manage and audit all shared drives. The following provides best practices to mitigate problems with user access and audits.
- Groups: When providing access, logical groups are defined and individuals are added to the group. Privileges are assigned to groups.
- Permissions: Groups and individuals can have either read-only or read/write access.
- Inheritance: Inherited permissions are those that are propagated to a folder from a parent folder. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
- Reporting available through Varonis: The Varonis tool gives IS the ability to do Active Directory auditing and reporting. The auditing and reporting feature gives insight into folder ownership and permission modifications to folders, and offers many reporting features to assist in managing the shared drive and Active Directory.
Best Practices
- Path name limits: Be mindful of Microsoft’s 255-character limit for path names. Because of this limit, folder owners should choose folder names that are abbreviated or as short as possible.
- The path to a specified file consists of one or more components, separated by a special character (a backslash), with each component usually being a directory name or file name. Example: G:\aa\bb\cc\dd\ee. In this example, there are 10 characters out of the 255 allowed. If the path name is longer than 255 characters, you can no longer move the folder.
- Folder structure limitations: Due to the limitations of managing and auditing tools, it is recommended not to go more than 6 layers deep in the folder structure. It is recommended that more folders be created instead of embedding folders within folders. Create a folder structure with a “wide” approach instead of a “deep” approach. For instance, it is best practice to create more folders under the root of the G folder, as shown in Example A. Currently some file structures under the root folder have 3 – 10 folders at the 3rd level and then many folders under those folders (as far as 14 layers deep). As you go down in depth, you run the risk of going past the recommended 6 layers deep. Even though our file structure goes to 14 levels deep in some areas, this is not best practice and it has caused issues when running reports through tools like Varonis. Example A is the recommended file structure.
- Folder Naming Conventions:
  - No user names should be used for folder names, e.g., John Smith's files.
  - Use logical abbreviations when warranted to adhere to Microsoft’s 255-character limitation for path names.

Example A: Recommended – stops at 6 layers in depth
- Move vs copy: Due to permission issues with either moving or dragging folders to a new location, it is best to copy the folder to the new location and then delete the folder from the old location on the shared drive.
- Permissions: When requesting permissions for a user, give users minimal access to shared folders by requesting read-only permissions if possible. Read/write permissions are for groups/users who need to save, write, or modify documents in that folder.
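The path-name and folder-depth limits above can be checked before a folder is created or copied to a new location. The following is an added example, not part of the original policy or of any Information Services tooling: it audits a list of folder paths against both limits and re-checks a subtree as it would look after being copied. It assumes the 255-character limit is measured on the full path string (drive letter and backslashes included); the sample paths, function names, and destination folder are constructed for illustration.

```python
from pathlib import PureWindowsPath

MAX_PATH_CHARS = 255  # path-name limit stated in the policy
MAX_DEPTH = 6         # recommended maximum folder depth in the policy

def folder_depth(path):
    """Folder levels below the drive letter; G:\\IIT is level 1 (a root folder)."""
    p = PureWindowsPath(path)
    return len(p.parts) - (1 if p.anchor else 0)

def check_path(path):
    """Return the policy limits this folder path breaks (empty list if none)."""
    issues = []
    if len(path) > MAX_PATH_CHARS:  # assumption: whole string counts toward the limit
        issues.append(f"path is {len(path)} chars (limit {MAX_PATH_CHARS})")
    depth = folder_depth(path)
    if depth > MAX_DEPTH:
        issues.append(f"{depth} levels deep (recommended max {MAX_DEPTH})")
    return issues

def audit(paths):
    """Map each offending folder path to the list of limits it breaks."""
    findings = {}
    for path in paths:
        issues = check_path(path)
        if issues:
            findings[path] = issues
    return findings

def audit_after_copy(paths, src, dst):
    """Audit the paths a subtree would have once copied from src to dst."""
    src_p, dst_p = PureWindowsPath(src), PureWindowsPath(dst)
    copied = [str(dst_p / PureWindowsPath(p).relative_to(src_p))
              for p in paths if PureWindowsPath(p).is_relative_to(src_p)]
    return audit(copied)

# Constructed sample listing (hypothetical folders, not real paths on the share).
SAMPLE_PATHS = [
    r"G:\IIT",
    r"G:\IIT\Projects\2024\Network\Switches\Configs",          # 6 levels: allowed
    r"G:\IIT\Projects\2024\Network\Switches\Configs\Backups",  # 7 levels: too deep
    "G:\\Finance\\" + "A" * 250,                               # 261 chars: too long
]

if __name__ == "__main__":
    for path, issues in audit(SAMPLE_PATHS).items():
        print(path[:60], "->", "; ".join(issues))
    # A compliant subtree can break the depth limit once copied under a deeper parent.
    dest = r"G:\Archive\Information Technology\Old Projects"
    for path, issues in audit_after_copy(SAMPLE_PATHS, r"G:\IIT\Projects", dest).items():
        print(path, "->", "; ".join(issues))
```

Running the copy check first shows that the 6-level Configs folder, which passes today, would sit at 7 levels under the constructed destination.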
Procedures for Folder Owners:
- Folder owners provide written requests for folder creation and/or to request access for users.
  - Supply the name of the folder to be created, following best practices for folder structure and naming conventions.
  - List the users to be given access to the folder and identify whether each user needs read-only or read/write access.
- Folder owners will provide written requests for folder deletions and/or access removal.
- Folder owners will provide feedback from the shared audit responses via email with deletions, modifications, additions or no changes needed.
Supervisors other than Folder Owners
- When requesting access to folders on the G:\ drive for your staff:
  - Obtain folder owner approval and then forward the email approval with the permissions requested to the Technical Service Desk.
  - If the folder owner is unknown, the G:\ Disk Administrators will work with you to determine the folder owners.
  - Ask for the most minimal permissions that will allow the users sufficient access to complete assigned tasks.
Definitions
- G:\ Disk Administrators: Cloud and Endpoint Services staff responsible for the ongoing monitoring and permissions of the Global College Share, G:\ drive.
- Root: a folder at the 1st level of the shared drive, e.g., G:\IIT. The folder labeled IIT would be considered the root folder on the shared drive G.
- Shared folder: a folder that has been made available to more than one user on a shared drive.
- Shared Drive: a disk drive that shares files with users on the network.