Scalable Storage Policies, Share permissions and Storage design
Network storage can quickly become a monster that you can’t control, even in small companies that produce a lot of data. End users keep some data on their computers and some on the network. You create a share for everyone to store important data on, and instead they start throwing MP3s and family photos up there! What to do, what to do? Well, one thing to do is to build a scalable and manageable process and force everyone to follow it using security permissions. You can do this before you have purchased any hardware; in fact, you should think hard about getting something like this into place before you make any more plans for hardware. In many cases just having a good design can reduce your storage needs.
I had to deal with similar storage issues at a company I worked for in the past (and present); in fact it was a beast we tried to contain for several years through many different methods. We tried SRM (Storage Management applications, several of them) and more servers and 2 different storage vendors’ solutions, NetApp and EMC, but in the end good design and policies solved it for us. We came up (my team and I) with the following plan and it solved a lot of problems for us, and this was a company with well over 40 terabytes of data online and locations around the world.
- Personal shares for work related data that each individual user gets, with a limit of 2 gigs per user.
- Group data shares that were managed by the group but no one else had access to besides that group and sys admins.
- Transfer drive that was used for temporary storage. Data that one user left for another. One location for the whole company. A script ran on this drive daily and deleted anything older than 30 days. Also it was placed on cheap storage that was not backed up; this is “volatile storage”.
Group Shares
Definition
“A data share located on the Network and accessible by employees. The share may contain personal/individual data (related to business) or group project data.”
Share Permissions
Permissions Template
Deviation from the templates is going to happen. It always does, but it’s best to try and keep as close to your plan as possible. To deploy permissions out of the standard “practice” scope you should ask for a solid business reason to be provided and keep that information in a spreadsheet or database.
Try not to manage permissions more than 2 folders deep; past 2 folders the customer should manage permissions with no performance guarantees.
Group Creation (See “Templates” further down for diagram)
- New “Global groups” should be created for share access only if there is no existing group that will suffice.
- Create new “Global groups” for share access for any share that doesn’t already have one. You will thank yourself later, and if that share becomes "defunct" you can easily delete the global group that went with it because they have the same name.
Personal Shares
No more than 2 gigs (unless it’s an exec, they always want more).
You can use scripts to keep these clean by having them “scan through” and delete anything with the *.mp3, *.avi, etc. Be careful though; this could backfire if a marketing person places the only copy of a commercial or something there with an extension you marked for deletion.
Transfer Drive or Share
This should be on cheap (low cost) storage. Remember you won’t need that much because you’re going to have scripts running and deleting any data older than, say, 30 days, or even less if you choose. We had a 1200 person company using about 200 gigs.
Also you will not back up the “Transfer Share” as it is sold as “Volatile storage” for transfer purposes only.
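The two cleanup jobs described above (the extension scan on personal shares and the 30-day purge on the transfer share), as an added example that is not the script the author's team ran. The function names, the quarantine folder and the dry-run default are assumptions; flagged files are moved aside rather than deleted, which addresses the backfire risk noted for personal shares.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds

def purge_older_than(root, max_age_days=30, dry_run=True, now=None):
    """Transfer share: remove files last modified more than max_age_days ago."""
    cutoff = (time.time() if now is None else now) - max_age_days * DAY
    removed = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories and links; only regular files expire
        if path.stat().st_mtime < cutoff:
            removed.append(path)
            if not dry_run:
                path.unlink()
    return removed

def quarantine_by_extension(root, quarantine, extensions=(".mp3", ".avi"), dry_run=True):
    """Personal shares: move flagged files aside rather than deleting them, so
    the only copy of a legitimate file can be restored. The quarantine folder
    must sit outside root (assumption of this example)."""
    root, quarantine = Path(root), Path(quarantine)
    wanted = {ext.lower() for ext in extensions}
    moved = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() in wanted:
            target = quarantine / path.relative_to(root)
            moved.append((path, target))
            if not dry_run:
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(target))
    return moved

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        stale = Path(tmp, "handoff.zip")
        stale.write_text("left for a colleague")
        os.utime(stale, (time.time() - 45 * DAY,) * 2)  # pretend it is 45 days old
        Path(tmp, "fresh.doc").write_text("dropped today")
        print("would delete:", purge_older_than(tmp))  # dry run, nothing removed
```

Both functions return what they acted on (or would act on in a dry run), so the daily job can log the list before anything is removed.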
Group Naming
All group names should be created by concatenating the share name with the permission level: “sharename + (permission)”.
Example: if the share name is “FinanceDocuments” and the permission level for access is “read”, then the name will be “FinanceDocumentsRead”.
Group Properties
Within the Group “properties” the following data should be listed:
- Contact – Primary and Secondary
- Where does it exist? (location, server\drive)
Below you will find flowchart templates. These are what I used for instruction to the “Helpdesk” so when they received a request for a new share they could find the one that fit best and use that. This way share and permissions were kept consistent.





