Skip to main content Skip to navigation
Washington State University CAHNRS Information Technology

Ending support for nested permissions

When does support end?

Beginning FY17 (7/1/2016) CAHNRS IT will end support for nested permissions on the file shares that we manage for our colleagues around the college.  For many users there will be little to no impact on how you use your file shares, while for others there will be a significant change in how your data is structured and how you access your data.

What are nested permissions?

Nested permissions are when sub-directories within a shared folder have different permissions from the root of the file share.  For example consider a file share named Admin, and within that file share there were two folders, Finance and Personnel.  If the users who had access to Finance were different than the users who had access to Personnel, then these folders would have nested permissions, or permissions that differed from their parent folder Admin.

What is wrong with nested permissions?

Nested permissions add substantial complexity to the management of file shares.  Each layer of permissions in a directory structure increases the amount of time it takes to apply new permissions and verify that files are properly secured.  To determine if someone had access to a folder that is nested ten layers deep, you would have to analyze ten different sets of permissions, and ensure that the user had appropriate permissions in all permission sets.

This complexity often prompts the use of nested file shares to help side step these problems.  This is the practice of creating file shares within file shares, so you can provide direct access to nested folders.  However this creates its own set of challenges, including the ability for users to create nested directories that exceed their systems maximum path length, rendering them unable to access all of their data.

Another downside to all of this complexity is that it hinders both our ability to ensure the security of your data, and our ability to rapidly resolve issues.  The more complex a system is, and in this case the more complex a permission structure is, the less confident you can be that only the people who should have access to the data, do.

Why is this change happening now?

The first reason this change is happening now is that it coincides with the roll out of our new storage platform.  This gives us an opportunity to implement best practices that will ensure we can efficiently meet your storage needs for years into the future.  The migration to this new platform was also fraught with many challenges, in large part due to problems created by nested permissions.  The challenges of this migration served to underscore the need for new file storage policies so that when the next migration occurs years down the road, the college won’t be impacted the way it was during this migration.

Additionally, it is no secret that the college is trying to become more efficient administratively.  Between the budgetary reallocation and our drive to lower costs for our customers, we simply cannot afford to spend time unproductively.  Given the time involved in managing and fixing complex nested permissions or file shares, we just can’t continue to support them without either raising rates, or removing other services.

What will happen to file shares with nested permissions on 7/1/16

All file shares will continue to work as they currently do, and we will not be taking any action that will change permissions on any file share.  However, after 7/1/16 when we receive a request to update permissions on a nested file share, we will not be able to process the request without some changes.  The two most common uses of nested file shares, and how we will handle permission requests on them, are as follows.

Changes to user subdirectories

For those who have departmental file shares with subdirectories for each faculty or staff we would encourage that the user in question migrate their data over to their official CAHNRS home directory (https://spiceworks.cahnrs.wsu.edu/portal/kb/local/3).  If a user needs more space than what is provided for free, additional space can be purchased (http://it.cahnrs.wsu.edu/storage-services/), or quotas can be shifted from the file share to the home directory.

Changes to project or group subdirectories

If you need to make changes to a group directory our recommendation will be to create a new stand alone file share for use by the group or project.  We can transfer a portion of the quota from the existing file share to provide space for the new file share, or new space can be purchased.

Please remember that this will only be necessary in the case where subdirectories would need different permissions than the root of the file share.  For the majority of users this will not present any change in how you manage your file shares or data.

If you have any questions or concerns please contact the IT Support group by sending an email to cit.support@wsu.edu.