8.9 Creating a Multi-Principal Collaborative Storage Policy

8.9.1 Overview

Storage Manager for Active Directory provides the ability to provision and manage folders that can be owned by multiple Active Directory security groups. Each group’s access to these folders is dependent on the security group object’s security principal. For example, one group’s access could be RO, another’s could RW, and another’s could be FUL. Based on their support for multiple security principals, these folders are known as “Multi-Principal Managed Paths,” and they are issued through “Multi-Principal Collaborative Storage” policies.

Multi-Principal Managed Paths are owned and accessed by security groups with the same group prefix name separated by a suffix separator, and then distinguished by a unique security separator. In Figure 8-6 for example, the managed path Group1 is owned by both Group1-RO and Group1-RW, with the members of each group having Read Only and Read Write permissions respectively.

Figure 8-6 Example of a Multi-Principal Managed Path

8.9.2 Group Naming Parameters

Security groups that own and access a Multi-Principal Path must be in the Group_Prefix_Name-Security_Suffixformat. In Table 8-1, the naming components of the security group names in Figure 8-6 are identified.

Table 8-1 Components of Security Group Names Owning and Accessing Multi-Principal Paths

Group Prefix Name

Suffix Separator Character/Sequence

Security Suffix

Group1

-

RO

Group1

-

RW

The group prefix names cannot be different. For example, you cannot have Accounting-RW and Sales-RO groups managed by a Multi-Principal Collaborative policy against the same managed path. Multiple groups are considered to be participating in the security of the managed path if they have the same group prefix name up to the well-defined suffix separator string. The suffix separator can be a character or a string of characters and is configured in a Multi-Principal Suffix Mapping Action Block.

8.9.3 Multi-Principal Collaborative Policies

The change in paradigm to support Multi-Principal Managed Paths requires the introduction of a new Multi-Principal Collaborative policy type. The policy follows the standard association rules to support effective policy calculation. This means that the policy can be associated to a container or directly to security groups.

The new policy type provides the ability to link to a Multi-Principal Suffix Mapping Action Block where the separator character or string sequence that differentiates the group’s name from its security suffix.

8.9.4 Multi-Principal Collaborative Events

To handle the constraints on the managed path imposed from multiple security principals managing a folder, new provisioning and de-provisioning events have been introduced. The primary reason for this is that provisioned managed paths for the Multi-Principal Collaborative policy can be thought of as referenced-counted based on the number of participating security groups. For instance, if Group1-RW, Group1-RO, and Group1-A all have active ACEs on the managed path, then the reference-count for the managed path is 3 and deletion of only one of these groups does not imply deletion of the folder as a whole. Rather, when any given security principal is deleted or moved out of policy scope, the corresponding event needs to scan the corresponding Active Directory container to look for the presence of any other groups by the group name prefix. If none exist, then the folder can potentially be scheduled for cleanup, otherwise no action is taken, except for when the ACE is removed.

Similarly, for provisioning, the first group for which an event is received would be responsible for creating the folder based on the group name prefix and assigning its respective rights. Any other events for complimentary groups must perform the equivalent of an apply permissions (ACE) in order to populate their respective transform entries. This allows for a flexible implementation that does not require a base security principal to be created first.

8.9.5 Create a Multi-Principal Collaborative Storage Policy

Prerequisites

  • Structure Active Directory in a logical manner for the new groups that you will be creating.

    For example, a manufacturer of automotive parts that distributes parts to Germany, Japan, and the United States might structure their Active Directory domain as follows:

  • Structure your network file system so that there is a storage area that will host the collaborative storage for the new groups.

    Using the auto parts manufacturer example, the file system might look like this:

Create a Multi-Principal Suffix Mapping Action Block

This procedure lets you standardize the groups and their associated permissions for the collaborative storage folders that will be provisioned by Storage Manager.

  1. In SMAdmin, click the Home tab.

  2. Click Action Blocks.

  3. From the Manage menu, select New > Multi-Principal Suffix Mapping.

  4. Enter a descriptive name for the new Action Block and click OK.

    Using the auto parts manufacturer example, the Action Block might be named something like Auto Storage.

    The following page appears:

  5. Click Add.

  6. In the Security Suffix column, highlight SampleSecuritySuffix and edit it to a more descriptive name of a group that will access the collaborative storage folder.

    For example: Shipping.

  7. Click the Full Control setting to access a drop-down menu of access permissions.

  8. Specify the permissions for the particular group and click OK.

  9. Repeat Step 5 through Step 8 to create all groups and permissions to the collaborative storage folder.

  10. Click Apply.

  11. Click OK.

Create a Multi-Principal Collaborative Storage Policy

  1. In SMAdmin, click the Home tab.

  2. Click Policies.

  3. In the Manage menu, select New > Group Multi-Principal Collaborative.

    The following dialog box appears:

  4. Specify a descriptive name in the Name field and click OK.

    For example, Auto Manufacturers.

  5. Proceed with Setting Policy Options.

Setting Policy Options

  1. Verify that the Process Events for Associated Managed Storage check box is selected.

  2. Verify that the Policy applies to subcontainers check box is selected.

  3. (Optional) Enter an expanded description of the policy in the Description field.

  4. Proceed with Setting Associations.

Setting Associations

  1. Click Associations.

  2. Click Add.

  3. In the browser, locate the organizational unit where the group objects will reside and drag it to the right pane.

  4. Click OK to close the browser.

  5. Proceed with Setting Provisioning Options.

Setting Provisioning Options

  1. Click Provisioning Options.

  2. Click Link Action Block, select the Action Block you created earlier, and click OK.

  3. In the Path Owner region of the page, click Browse and browse to specify an owner of the all of the collaborative storage folders that will be created with this policy.

  4. (Optional) In the Template Folder region, click Browse to specify a template for the collaborative storage folders that will be created by this policy.

  5. Proceed with Setting the Target Path.

Setting the Target Path

  1. Click Target Paths.

  2. In the Target Paths region of the page, click Add.

  3. In the browser, locate the share or folder where the collaborative storage folders will reside and drag it to the right pane.

  4. Click OK to close the browser.

  5. Click Apply.

  6. Proceed with Setting Cleanup Options.

Setting Cleanup Options

  1. In the Vault on Delete region, select the Enable check box.

  2. Click Browse.

  3. In the browser, locate the share or folder where deleted folders will be archived once all of the groups that own a collaborative storage folder have been deleted and click OK.

  4. Click Apply.

  5. Click OK to close the Policy Editor.

  6. Proceed with Testing the Policy.

Testing the Policy

These procedures let you verify that the policy is functioning as you designed it.

  1. In one of the organizational units associated with the new Multi-Principal Collaborative Storage policy, create a new group that includes a - and one of the security suffixes you established earlier.

    Using automobile manufacturers as an example, you might create a new BMW-ACCOUNTING group.

  2. In the same organizational unit, and using the same group prefix name and suffix separator, create additional groups for each of the security suffixes you created earlier.

  3. Using File Explorer, verify that each of the collaborative storage folders were created.

  4. While still in File Explorer, verify that the permissions for each of the groups are correct.

  5. Once you have verified that the Multi-Principal Collaborative Storage policy is creating collaborative storage with the correct access permissions for the various groups, create the remaining groups in all of the organizational units associated with the new Multi-Principal Collaborative Storage policy.