I’ve read this old thread (below) and it has the normal responses about emails or forms, but I was hoping someone out there has an automated method I have not found that would allow the supervisor to choose the folder from a list (think browse button to share), then choose the users they wanted to add (another browse button to choose users) etc… Anyone?
Does Varonis or Netwrix have this type of functionality?
@Netwrix
6 Spice ups
GDaddy
(GDaddy)
2
You could add a group to the Folder/Share in question. Put that group into an OU, take your department heads or whoever, and give them rights to just that OU to add and remove members of the groups. That would then do what you are asking. They would go into ADUC to do the work, but there are some third-party applications that could produce an OK GUI for them to use.
This tool may work for you; I have not tried it, but I have used his other tools, and they work well.
EDIT: For me, I would rather control who is in groups and not hand it off to users. If someone asks me to add them to a folder, I make sure I get their manager’s permission in writing (email). If a manager asks me to add them to a folder, I would make sure I got their superior’s approval or the folder’s manager (owner/supervisor) permission before adding. Nobody is added unless someone else gives the OK.
2 Spice ups
In the past I’ve handled this by having three groups on each share: read-only, read-write, and management. Members of the management group had the rights to add and remove people in the read-write and read-only groups.
This wasn’t an automated setup but could be done in PowerShell.
1 Spice up
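The three-group layout described in the post above, sketched in PowerShell as an added example (not the poster's own script). The folder path, OU and group prefix are hypothetical placeholders, and it assumes the ActiveDirectory module plus rights to edit both the folder ACL and the group objects.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$Folder  = '\\fileserver\data\DeptA'           # hypothetical shared folder
$GroupOU = 'OU=ShareGroups,DC=example,DC=com'  # hypothetical OU for the groups
$Prefix  = 'FS-DeptA'                          # hypothetical naming prefix

# schemaIDGUID of the AD "member" attribute; scoping the ACE to it lets the
# delegate change membership only, not rename or delete the group.
$MemberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# 1. Create the read-only, read-write and management groups.
$groups = @{}
foreach ($suffix in 'RO', 'RW', 'Mgmt') {
    $groups[$suffix] = New-ADGroup -Name "$Prefix-$suffix" -GroupScope DomainLocal `
        -GroupCategory Security -Path $GroupOU -PassThru
}

# 2. Grant NTFS rights to the RO and RW groups only. SIDs are used so the
#    rule does not depend on the new names resolving yet.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $Folder
foreach ($entry in @(@{ Group = 'RO'; Rights = 'ReadAndExecute' },
                     @{ Group = 'RW'; Rights = 'Modify' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $groups[$entry.Group].SID, $entry.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# 3. Let the management group write the "member" attribute of the RO and RW
#    groups, and nothing else. It gets no rights over its own membership.
foreach ($suffix in 'RO', 'RW') {
    $adPath = "AD:\$($groups[$suffix].DistinguishedName)"
    $adAcl  = Get-Acl -Path $adPath
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groups['Mgmt'].SID, 'WriteProperty', 'Allow', $MemberAttr)
    $adAcl.AddAccessRule($ace)
    Set-Acl -Path $adPath -AclObject $adAcl
}

# Review what was delegated on one of the groups.
(Get-Acl -Path "AD:\$($groups['RW'].DistinguishedName)").Access |
    Where-Object { $_.ObjectType -eq $MemberAttr } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Because the management group cannot edit itself, IT still decides who the delegates are, and membership changes made by delegates remain visible in directory change auditing where that is enabled.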
Maybe my wording was sloppy, as I absolutely want to keep control of adding/removing perms. I wanted to make it easy for requestors to input the needed folder and user. IT folks do not think twice about a copy/paste of the File Explorer bar to show a folder location but telling users to do it or to type out home\dept\foldera isn’t always easy…
GDaddy
(GDaddy)
5
That is a little tougher. I would make some form, HTML, Outlook, or something like that. Give the users fields to type in what they want; you can make some fields required. Give them a box for folder name, department, type of access (bullet or dropdown), more or less the info you need in a way they can relate to. You could get really fancy and have a button that will take a screenshot and save it to a directory of your choosing. Not sure what you have for existing infrastructure to support a form, like SharePoint, an ECM system, an intranet page or similar.
1 Spice up
Actually, this task is quite unusual, I even had to investigate it with my colleagues. =)
But we do have options to pull this off using Netwrix SbPAM solution:
- It’s achievable by using the “Add User to Domain Group” action step in an SbPAM activity – definitely a common workflow to give a user elevated permissions via AD group membership during an SbPAM session. Of course, this will require you to create domain groups with access to certain resources.
- Another option is PowerShell - you could use the custom PowerShell step in the pre-session and post-session with the SMB cmdlet to dynamically add / remove permissions.
@keithemery
Based on replies (yours and above) my OP was not clear. I was looking for ideas or examples of how IT admins let data owners ask for permission changes. To further explain, we have the shared data drive with folders that have assigned owners and backup owners; these owners are the only people allowed to ask for permission changes (READ/CHANGE). I was looking for a streamlined method that would allow the owners to more easily choose the folder they wanted to add a user to and also choose the user in the form or method to inform IT of the request. IT is the only person adding users to these READ/CHANGE groups for shared data folders.
@keithemery, in that case, check File System Auditing with StealthAUDIT. StealthAUDIT allows you to implement governance workflows like Entitlement Reviews and Self-Service Access Requests to safely provide data custodians the ability to control access to the data they own and end-users the ability to request access to the data they need.
1 Spice up