One of the newer topics in Identity Management is Enterprise Entitlement Management. This term describes approaches for managing the low-level entitlements (e.g. access controls) that live at the system level from a central perspective.

That seems to be pretty complex. How would you ever manage file server ACLs from a central tool in an efficient manner? Or the entitlements of other tools? Yes, it isn't that easy to solve. But bring in services and you're much closer to a solution - not only for entitlement management, by the way.

Think about abstracting file server resources as services (which is, by the way, not that different from shares in the Windows world). Users will understand services - a service provides the ability to store and retrieve their contracts or their personal files or their blueprints or their drafts of new marketing materials or... A service is simple to manage from a security standpoint: the relevant rights are no access, read, write, do everything - or something along those lines.

Services are easy to handle in accounting. There might be restrictions like quotas applied at the service level. And managing entitlements at that level is not that complex - it can be mapped to concepts in Enterprise Authorization Management pretty easily.

You might argue that the file system still has to be locked down. No problem - as long as you can access it only through services. There might be different overlapping services for the same resources. Administrative shares in Windows are one example of that. If that isn't sufficient, you can still use ACLs - and the services might act as specific operating-system services which bypass that security level or (like today in Windows) combine their security settings with the operating-system level settings. The latter is pretty complicated and somewhat overengineered. From my perspective, a consistent service approach might be sufficient.
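To make the service abstraction from the three paragraphs above concrete, here is a small service-level entitlement model written as an added example for this post; it is not code from the original author or from any product. It assumes a handful of constructed service names, paths and subjects (contracts, admin-share, alice, bob, ops), the four coarse rights named above ordered from "no access" to "do everything", a quota attribute carried on the service, and one resolution rule for overlapping services fronting the same resource (the strongest right wins), which is an assumption the post itself does not spell out. The enforcement point is a single `authorize` call that every file access would pass through, and the audit functions answer "who can do what" in service terms rather than in per-file ACEs.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Right(IntEnum):
    """Coarse service-level rights, ordered so that max() picks the strongest."""
    NONE = 0    # no access
    READ = 1    # read
    WRITE = 2   # write
    FULL = 3    # do everything


# Which service right each file operation requires (assumed mapping).
REQUIRED_RIGHT = {"read": Right.READ, "write": Right.WRITE, "delete": Right.FULL}


@dataclass(frozen=True)
class Service:
    name: str
    paths: Tuple[str, ...]          # file-system locations fronted by this service
    quota_mb: Optional[int] = None  # quota applied at the service level, if any


@dataclass(frozen=True)
class Entitlement:
    subject: str   # user or group id
    service: str
    right: Right


class EntitlementStore:
    def __init__(self, services: List[Service], entitlements: List[Entitlement]):
        self.services = {s.name: s for s in services}
        self.entitlements = entitlements
        for e in entitlements:
            if e.service not in self.services:
                raise ValueError(f"entitlement refers to unknown service {e.service!r}")

    def right_on_service(self, subject: str, service: str) -> Right:
        """Strongest right the subject holds on one service (default: no access)."""
        rights = [e.right for e in self.entitlements
                  if e.subject == subject and e.service == service]
        return max(rights, default=Right.NONE)

    def services_for_path(self, path: str) -> List[str]:
        """All services that front a path (a path may be fronted by several)."""
        return [name for name, s in self.services.items()
                if any(path == p or path.startswith(p.rstrip("/") + "/") for p in s.paths)]

    def effective_right(self, subject: str, path: str) -> Right:
        """Resolution rule for overlapping services: the strongest right wins (assumption)."""
        return max((self.right_on_service(subject, svc) for svc in self.services_for_path(path)),
                   default=Right.NONE)

    def authorize(self, subject: str, service: str, operation: str) -> bool:
        """Enforcement point of the service layer: every file access goes through here."""
        return self.right_on_service(subject, service) >= REQUIRED_RIGHT[operation]

    def audit_overlaps(self) -> Dict[str, List[str]]:
        """Paths reachable through more than one service; these deserve an auditor's look."""
        seen: Dict[str, List[str]] = {}
        for name, s in self.services.items():
            for p in s.paths:
                seen.setdefault(p, []).append(name)
        return {p: names for p, names in seen.items() if len(names) > 1}

    def access_report(self, path: str) -> Dict[str, Right]:
        """Who can do what on a path, expressed in service rights rather than ACL entries."""
        subjects = sorted({e.subject for e in self.entitlements})
        report = {s: self.effective_right(s, path) for s in subjects}
        return {s: r for s, r in report.items() if r > Right.NONE}


# Constructed sample data (not from the post): two services fronting the same share.
SERVICES = [
    Service("contracts", ("/srv/share/contracts",), quota_mb=500),
    Service("admin-share", ("/srv/share/contracts", "/srv/share/blueprints")),
]
ENTITLEMENTS = [
    Entitlement("alice", "contracts", Right.READ),
    Entitlement("bob", "contracts", Right.WRITE),
    Entitlement("ops", "admin-share", Right.FULL),
]
STORE = EntitlementStore(SERVICES, ENTITLEMENTS)


if __name__ == "__main__":
    print(STORE.authorize("alice", "contracts", "write"))                        # False
    print(STORE.effective_right("ops", "/srv/share/contracts/2024/acme.pdf").name)  # FULL
    print(STORE.audit_overlaps())
    print(STORE.access_report("/srv/share/contracts"))
```

The point of `audit_overlaps` and `access_report` is the auditability the post is after: because the model never descends to individual ACL entries, an auditor can answer "which subjects reach this share, and through which service" with a single query, and any path fronted by an administrative-style service as well as a user-facing one shows up as an overlap to review.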

Adding some web services for file system access might be helpful - but it isn't mandatory. A service is not necessarily a web service. In fact, everything you need for such an approach is available. Some things might be improved. But with a service focus for file server services, security is easier to manage and to audit.