How to store comments (e.g. reasons) for filesystem permissions? [closed]












1















I am responsible for managing filesystem permissions on a bunch of SMB/CIFS shares in a larger company. NTFS allows me to add entries to the access control lists (ACLs), but I cannot attach background information.



All permissions have a reason. For example, my superior ordered me to give somebody from another department access to a folder. Currently, I am logging this kind of "access justification" in a Word document. Once in a while, I go through this document and compare it to the current ACLs, folder by folder.



Is there a better way to do this?



There should be a tool with a nice GUI where I can store the target ACL entries along with a link, ticket number or comment. The tool should be able to assist with comparing the target state with the real ACLs on the share(s). Bonus: It can run pre-defined test cases.























closed as off-topic by music2myear, Moab, DavidPostill Jan 28 at 20:55


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions seeking product, service, or learning material recommendations are off-topic because they become outdated quickly and attract opinion-based answers. Instead, describe your situation and the specific problem you're trying to solve. Share your research. Here are a few suggestions on how to properly ask this type of question." – DavidPostill

If this question can be reworded to fit the rules in the help center, please edit the question.

















  • The best way to do this is the way that works for your environment. There is no "Best" way to document besides the way that works best for you. Word is perfectly acceptable.

    – music2myear
    Jan 28 at 17:24











  • What you're describing is the beginnings of a good Desired State Configuration Management system. A good DSCM will track ticket/work-order/change-request linking for why an approved change was slotted into the system, and it will lock the in-deployment settings to be a reflection of the starting condition plus all approved changes (someone messes up an ACL, no matter, during next DSCM run it will either revert the change or send the operator/administrator a warning). Such systems are super awesome on control, but require strong structure of your workflow to include them (rigidity is a feature).

    – Ruscal
    Jan 28 at 17:27











  • As Ruscal points out, a full DSCM is the end goal. One intermediate step I've taken is to only use Active Directory groups in the ACLs. That way, you can document the comments and reasons in the available fields in the AD objects.

    – Doug Deden
    Jan 28 at 19:00
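
The target-versus-actual comparison discussed in the question and comments, as an added PowerShell example that is not part of the original thread: each approved ACL entry is a baseline row carrying its ticket and reason, and the script reports explicit ACEs that are on disk but undocumented, and documented ACEs that are missing. The function names `Get-AceKey` and `Compare-AclBaseline`, the group `EXAMPLE\GRP-Finance-RW` and the ticket id are hypothetical; the demo builds its own temp folder, and inheritance flags are not compared.

```powershell
# Added example: compare a documented ACL baseline (with justifications) to the real ACL.
function Get-AceKey {
    param($Path, $Identity, $Rights, $Type)
    # Allow ACEs always carry Synchronize on disk; strip it so 'Modify' matches 'Modify, Synchronize'.
    $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $mask = [int][System.Security.AccessControl.FileSystemRights]$Rights -band (-bnot $sync)
    "$Path|$Identity|$Type|$mask".ToLowerInvariant()
}

function Compare-AclBaseline {
    param([Parameter(Mandatory)][object[]]$Baseline)
    $expected = @{}
    foreach ($row in $Baseline) {
        $expected[(Get-AceKey $row.Path $row.Identity $row.Rights $row.Type)] = $row
    }
    foreach ($path in ($Baseline.Path | Sort-Object -Unique)) {
        $seen = @{}
        # Inherited ACEs are justified on the parent folder, so only explicit ones are checked.
        foreach ($ace in (Get-Acl -LiteralPath $path).Access | Where-Object { -not $_.IsInherited }) {
            $key = Get-AceKey $path $ace.IdentityReference.Value $ace.FileSystemRights $ace.AccessControlType
            $seen[$key] = $true
            if (-not $expected.ContainsKey($key)) {
                [pscustomobject]@{ Finding = 'Undocumented'; Path = $path; Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Ticket = $null; Reason = $null }
            }
        }
        foreach ($row in $Baseline | Where-Object Path -eq $path) {
            if (-not $seen.ContainsKey((Get-AceKey $row.Path $row.Identity $row.Rights $row.Type))) {
                [pscustomobject]@{ Finding = 'Missing'; Path = $path; Identity = $row.Identity
                                   Rights = $row.Rights; Ticket = $row.Ticket; Reason = $row.Reason }
            }
        }
    }
}

# Constructed demo: a temp folder with one explicit ACE nobody documented.
$dir = Join-Path $env:TEMP 'acl-baseline-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -LiteralPath $dir
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'ReadAndExecute', 'Allow')))
Set-Acl -LiteralPath $dir -AclObject $acl

# Constructed baseline; in practice this CSV is the documented target state.
$baseline = @"
Path,Identity,Rights,Type,Ticket,Reason
$dir,EXAMPLE\GRP-Finance-RW,Modify,Allow,CHG-0001,Cross-department access ordered by superior
"@ | ConvertFrom-Csv

Compare-AclBaseline -Baseline $baseline | Format-Table -AutoSize
```

On the demo folder this lists the current user's ACE as `Undocumented` and the `EXAMPLE\GRP-Finance-RW` row as `Missing`, together with its ticket and reason.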
















permissions file-management file-permissions acl
















asked Jan 28 at 17:22









ManuelAtWork



