There may be ways you can restrict non-administrators from changing permissions, depending on your SAN software. In MS Windows there is a "change permissions" security flag on folders. Your SAN may or may not support that. In NFS only the owner can change permissions, so make the owner an admin and use groups to control customer access. I don't recall if NFSv3 supports extended ACLs with multiple groups.

On Fri, Sep 6, 2013 at 9:36 AM, Tim Kirby <[email protected]> wrote:
> Consider a large amount of NAS storage ...
>
> (let's say tens of TB, for argument's sake; I consider that
> large even though I know there are many folks out there
> dealing in PB... that's not currently my problem :)
>
> ... and said storage is accessible via both NFS (mostly
> NFSv3) and CIFS (direct through the NAS, not Samba).
>
> Control of access to this data is a perennial problem.
> There are areas that need to be protected for various
> reasons, obviously. Despite all best efforts to the
> contrary, the population of users in this space will
> insist on changing permissions and ownership of data
> with little consideration for the implications of same.
>
> The question, then, is ... are there any good tools, be
> they OSS or not, that perform permission mapping of data
> for either or both NFS and CIFS? I'm not even clear in
> my mind what I would expect it to look like, but I have
> this irrational hope/wish/fantasy that there is something
> out there that would help manage the access controls.
>
> I suppose one model might be a simple 'tripwire' approach,
> wherein one forces everything to be 'right' and then scan
> for variances, but I suspect that's bordering on impractical.
>
> So, open for general discussion, really. I'm staring at a
> blank sheet of paper right now and looking for inspiration.
>
> No regulatory controls to help, unfortunately. While they
> can be a royal pain, sometimes they are really useful to
> put structure around the amorphous...
>
> Tim
> --
> Tim Kirby [email protected]
>
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
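
A sketch of the 'tripwire' model raised in the quoted question, together with a check for the reply's point that under NFS the owner of a file can change its permissions. This is an added example, not code from anyone in the thread. The function names, the `customerA` share and the sample tree are hypothetical, and it assumes the storage is scanned through an NFS mount, so it sees only POSIX owner, group and mode bits, not CIFS ACLs.

```python
import os
import stat
import tempfile

def snapshot(root):
    """Map every path under root to (uid, gid, permission bits)."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    snap = {}
    for p in paths:
        st = os.lstat(p)  # lstat: record a symlink itself, not its target
        snap[os.path.relpath(p, root)] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return snap

def drift(baseline, current):
    """List (path, expected, actual); None marks a new or a removed entry."""
    changed = []
    for path in sorted(set(baseline) | set(current)):
        expected, actual = baseline.get(path), current.get(path)
        if expected != actual:
            changed.append((path, expected, actual))
    return changed

def user_owned(snap, admin_uids):
    """Paths whose owner is not an admin uid; that owner can still chmod them."""
    return sorted(p for p, (uid, _gid, _mode) in snap.items() if uid not in admin_uids)

def demo():
    """Constructed sample tree: baseline it, loosen one file, report the variance."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "customerA")  # hypothetical share name
        os.mkdir(share)
        report = os.path.join(share, "report.txt")
        open(report, "w").close()
        os.chmod(share, 0o750)
        os.chmod(report, 0o640)
        baseline = snapshot(root)
        os.chmod(report, 0o666)  # a user opens the file to everyone
        return drift(baseline, snapshot(root))

if __name__ == "__main__":
    for path, expected, actual in demo():
        print(path, expected, actual)
```

On a real share the baseline would be stored after permissions have been forced to the intended state, and `user_owned` run against it first, since every path it lists is one whose mode can be changed without an administrator.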
