Groups and their role in regulatory compliance - Part 2
Follow-up to part 1 discussing Groups and their role in regulatory compliance.
Let's now see those groups we talked about in Part 1 in action. You might want to review the Group memberships found in the later part of Part 1 and see which user(s) belong to which group.
Ready? Let's begin.
At the start of the day, Joey logs in to his company's MFT server using AnyClient and uploads to his home directory a file named "payroll201805.doc".
He then navigates to the "allgroups" directory and uploads a file named "Spreadsheet risk issues.doc".
Later on, Maria logs in to the same managed file transfer server using her own copy of AnyClient. She doesn't see "payroll201805.doc" because that file was stored in Joey's home directory.
She proceeds to the "allgroups" directory, where she sees the file "Spreadsheet risk issues.doc". Intrigued by the name of the file, she attempts to download it. Unfortunately, the server denies the request. Remember that, like Joey, Maria belongs to the Uploader Staff group and members of that group are not allowed to download anything from this path.
From his office many miles away, Steven logs in to the same server. Like Maria, he doesn't see Joey's "payroll201805.doc" but sees "Spreadsheet risk issues.doc" in the "allgroups" directory.
But unlike Maria, when Steven tries to download the file, the managed file transfer server grants the request.
Steven opens, reviews, and edits his newly downloaded copy of the "Spreadsheet risk issues.doc" file. He thinks of replacing the copy on the server with his own edited copy. But when he tries to delete the copy stored in the "allgroups" directory, his request is denied.
Unperturbed, he renames his edited copy to "Spreadsheet risk issues v2.doc" and tries to upload the file instead. That request is denied as well.
He then asks his buddy, Doug, to come over to his workstation and perform the upload for him. Doug logs in using his own user credentials. But since he too is a member of the Downloader Staff, his attempt to upload to the same path fails as well.
Later in the evening, someone from the company logs in to the managed file transfer server, navigates to the "allgroups" directory, and downloads the "Spreadsheet risk issues.doc" file.
That person then makes changes to the contents of the file, deletes the original copy on the server,
and replaces it with the edited copy.
How is it that this person is able to download, delete, and upload files to the "allgroups" directory? Because this person is Danika and she belongs to the Super Staff group.
Did you notice the many security implications in those very simple scenarios? Groups can help you enforce stronger security but it's really up to you to plan out your groupings to make this feature really effective in enhancing security.
Building those groups in JSCAPE MFT Server
Now, I would like to show you how I created those groups, assigned users to them, and set each group's permissions.
To create the Uploader Staff group, I launched my JSCAPE MFT Server Manager, navigated into a domain, and then opened the Groups section. Once there, I clicked the Add button.
I was then brought to the Add Group dialog box, where I entered the name of the group, the virtual path of the group, and its real path. When I was done entering, I clicked OK.
I followed the same process to create the other two groups.
Notice how I made the Path and Real Path entries the same for all three groups. That's because, in this particular scenario, we wanted our groups to share the same directory but have different permissions to it. It doesn't have to be that way with your other groups. Different groups can have different paths and real paths.
Here are all three groups as seen from the main screen.
Having already created all three groups, I set out to assign permissions to them. I started by selecting the Uploader Staff from the list of groups and then clicking Edit.
I then selected the path and clicked Edit.
Once I got to the Edit Virtual Path dialog box, I clicked the Permissions button to start assigning permissions to this particular group path. In case you're wondering, a group can have multiple paths and each path can have its own set of permissions.
For this particular group, I checked all permissions except Download file.
I then clicked each OK button on every dialog box / screen I encountered until I got back to the main screen.
I followed the same process for the Downloader Staff group. However, when I got to the part of actually setting permissions, I checked Download file and unchecked some permissions (see screenshot below).
Again, I went through the same process for the Super Staff group until I got to the Virtual Path Permissions dialog box. This time, I checked all permissions.
After setting permissions for all three groups, my next task was to assign user accounts to each one of them. I started with the Uploader Staff group by selecting it and then clicking the Users button.
On the Setup 'Uploader Staff' Users dialog box (where 'Uploader Staff' will be replaced with the name of the group you selected), I assigned members to the group. To do that, I ticked the check box beside the name 'joey' and then did the same for 'maria'.
I followed the same steps for the two remaining groups. As planned, Steven and Doug went to Downloader Staff, while Danika went to Super Staff.
That's all there was to it. And that's how you build groups in JSCAPE MFT Server.
Summary
In this two-part series, we talked about JSCAPE MFT Server groups, how they can be used for regulatory compliance, and how to actually create them.