vGroups: Folders, Groups, Maps and the Storage Container

Data storage for each faculty is kept on a "shared and home directory" server. The faculties are kept separate by creating a folder at the root that uses the same name as the faculty DNS name. This way the smaller faculties can share a server and still have separate file space. The sum of the disk quota for each faculty must not not exceed the volume capacity.

The faculty share is divided into three areas; global, home and shared.

The shared folder has a Temp subfolder that allows a small amount of temporary storage for anyone for within the faculty.

At that same level there is a folder for each of the OUs within the faculty that contains users. Again, each of the users with the OU has the rights to write to the Temp folder. All the other folders adjacent to the temp folder correspond to groups.

Group membership is the mechanism by which file system rights are issued to users. As a general rule, individual users will not be given explicit rights to any part of the shared area.

Groups are located within the OU that contains the majority of their members.

Each group has the rights to write to the corresponding folder. An inherited rights filter prevents those users who are not group members from seeing anything other than the groups to which they have rights.

The groups are created by ITS via script files that fill in all the required details and cross references for the groups, folders, folder rights, inherited filters, directory maps, guest groups and eDirectory trustee rights.

To aid in the location and mapping of the available folders within a faculty, directory map objects are created. These maps are located in the faculty storage container. Their names correspond to the folders they refer to.

In addition, the storage container is the location for groups that have guest (read-only) rights to all folders within the faculty.

The groups in the user container and in the storage container have their %SEE_ALSO set to the directory map they are related to. This means that the choice of valid values for the user account %SEE_ALSO can be selected from a list of the groups the user can see.

As folder rights and eDirectory trustee rights are only issued to the groups objects and there are inherited rights filters in the folder tree, a user can only see the groups and folders that they are members of. They can only read the content of folders they are in the guests group. Group membership can be maintained via use of the mdsTool via LDAP.

When a user logs in, the value of the %SEE_ALSO property is used to map the V: drive. Because of the rights structure and the hierarchical design the user can see all the faculty areas to which they have rights via just one drive mapping.