Versions Compared

Old Version 5

changes.mady.by.user Robert W Smyser

Saved on

compared with

New Version Current

changes.mady.by.user Oliver Thomas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Corrected links that should have been relative instead of absolute.

...

Server: a pc- and mac-compatible file-sharing environment, with group and individual permissions.  It needs to not be AFS, as security accidents are relatively easy there and the impact is usually to inadvertently share sensitive data files to the worldbe sufficiently secure to prevent spills of sensitive information on the web or otherwise.  The existing sparkler server, a windows server that exports to Macs and PC's natively, has evidently met the security test since it has all of IS&T's confidential information on it now.  AFS is also a possibility if administered carefully. 

Filespace:  assuming we use a server like sparkler, we would have a directory on that server that mounts as a drive letter on Windows and a desktop folder on the Mac.  Let's call it "CSS-managers"   We'd have essentially unlimited room inside the folder to store what we will, and the ability to carve off sections of it to have more restrictive permissions as needed.

...

Structure: We need a nested hierarchy of progressively more restricted folders, in order to preserve the security of salary data.  Team Leaders need to be able to see the salary data for their people, but not for those of any other team leader.   Managers need to be able to see all their TLs data, but may need to have data over of their own that the TLs cannot seeTLs must not see.  The FBC and the Director need to be able to see all. 

The overall design is intended to provide the most public access to group documents at the outermost level of the respective group.  Documents that show more specific detail about a single manager's area would be in a subfolder dedicated to that area.  Within that manager-specific folder would be more private areas for data that should be visible only to the director, manager, and a specific team leader.  Finally there is a most private area accessible only to the director and manager.  (The FBC is able to see into all areas and is understood to hold a position of trust.)

...

folder

likely contents

 

css-managers/

  1. Published version of the quarterly Budget and Financial Projections document for all of CSS, aggregated by manager.
  2. Operating Plan for the fiscal year
  3. Quarterly report submissions to the IST-VP's office
  4. Resource Model aggregated for all of CSS
  5. Run Book of Procedures for important systems, services, etc.

 


→ manager - area/

  1. Cost-object detail for quarterly Budget and Financial ProjectionsSummary financial materials specific to a manager's area, at a more-or-less detailed level, subject to sufficient security about salaries.    If more security were preferred, the material goes in the mgr folder.  Anne will work this out directly with the manager.
  2. Manager-specific Operating Plans, Client lists, whatever other mgrs or tls might also need to know about.
  3. etc.

 


→ → team leader area/

  1. Detailed salary information for the staff of the team leader and no others.
  2. Working financial document for identifying and explaining variances
  3. Resource Model worksheet for team leader's staff only

 


→ → manager-only area/

  1. Detailed salary information that should not be seen by any team leaders.
  2. Working financial document for identifying and explaining variances, including detail not to be seen by team leaders.
  3. Resource Model worksheet for team leader's staff only

 

 

...

Following the layout scheme above, the precise CSS file structure for the current teams and mangers might look something like this:

Proposed Implementation

[9/19/2006]: There were suggestions about the admin structure made by Oliver and others at the 9/19/2006 offsite that have led to updates in the Admin permissions column of the table below.  They are summarized here:

  • an administrator at the ./managers level can grant admin bits on otherwise-locked down folders at the levels below.  Bad.  So, the owners of the ./managers level will not have the administrative bit turned on.  The account of the director of CSS will have admin bits, so they can act to fix anything that might go wrong.
  • groups of individual kerberos ids as in the original example should be replaced with an acl that contains those names.  To wit, "othomas, goguen, jfw" would be assigned a list like "css-managers-help-admin"; then when membership changes, it's just the acl that is changed in one place, and its effects ripple throughout the system without further intervention.
  • similarly, we replace the principal of the director and the fbc with a list named for the role, populated by the principal of the incumbent.  To wit, css-director now holds 'jfw' but soon won't. 

Folder

Subfolder

(more folders)"

 

Likely Contents

Permissions

 

Read-Write Permissions would be granted
to these userids and groups

Admin permissions
to these userids / groups

managers/

css-managers/

 

 

 

 

css-managers, css-tl ,

css-hq director
  (jfw)

 

ditrhelp/  

 

 

css-managers, css-tl

css-managers-help-admin
(othomas, goguen, css-hq director)

 

 

callcenter/

fbaars,  goguen, othomas, css-director, abdenna

css-managers-help-admin team/ *

 

 

servicecenter/

chuckk legand, pepsikidgoguen, ndpopeothomas, jfwcss-director, abdenna

  css-managers-help-admin

 

 

mgr/

 

 

ndpope, jfw goguen, othomas, css-director, abdenna

 

 

help/ css-managers-help-admin

  

software

 

css-managers, css-tl

css-managers-software-admin
(jmhunt, css-hq director )

 

 

 

callcenterswrt/

 

 

fbaars,  goguen, othomas, jfw bowser, jmhunt, css-director, abdenna  

css-managers-software-admin

 

 

n42servicevsls/

 

 

legand, goguen, othomas, jfw jmhunt, css-director, abdenna

  css-managers-software-admin

 

 

mgr/

 

 

goguen, othomas, jfw jmhunt, css-director, abdenna

  css-managers-software-admin

 

dcadtcp/

 

 

 

css-managers, css-tl ,

css-hq  managers-tcp-admin
(jfw)

 

 

mgrdcad/ 

 

jlreed, jfw, css-director, abdenna

 

 

tcp/ css-managers-tcp-admin

 

 

 

usability/

jlreed, jfw, css-managersdirector, abdenna

css-managers-tl, css-hq  tcp-admin

 

 

pubs/

 

 

cwood, jfw, css-director, abdenna

  css-managers-tcp-admin

 

 

training/

 

 

kkibbee, jfw, css-director, abdenna

  css-managers-tcp-admin

 

 

atic/

 

 

maryz, jfw, css-director, abdenna

  css-managers-tcp-admin

 

 

mgr/

 

 

jfw, css-director, abdenna

  css-managers-tcp-admin

 

security/

 

 

 

css-managers, css-tl

css-managers-security-admin
(tjm, css-hq director)

 

 

 

mgr/  

 

tjm, jfwcss-director, abdenna

  css-managers-security-admin

 

hq/  

 

 

css-managers, css-tl ,

css-managers-hq -admin
(css-director)

 

 

mgr/

css-director, abdenna

css-managers-hq-admin

 

homepage/

 

css-managers, css-tl

css-managers-homepage-admin
(lisanti, css-director) jfw, abdenna

 

 

mgr/

lisanti, css-director, abdenna

homepage/ css-managers-homepage-admin

  

ditr/

 

css-managers, css-tl

css-managers-ditr-admin
(ndpope, css-hq director)

 

 

desktop/

chuckk, pepsikid, ndpope, css-director, abdenna

css-managers-ditr-admin  

 

  mgr/

admin-it/

chuckk, pepsikid, ndpope, css-director, abdenna

css-managers-ditr-admin

 

 

mgr/

lisanti ndpope, jfwcss-director, abdenna

css-managers-ditr-admin

 

mgrsonly/

 

css-managers-list

css-managers-all-admin
(css-managers-list)

* NOTE: the folder names are suggestions only; managers should have naming control within their folders within reason.  We suggest not using individual names instead of teams or roles.