Delegation to project managers: self-service management for project folders
Tuesday, April 5, 2011 at 2:50PM
The challenge:
In mid-sized to large organizations, we often find a need to use dedicated folders for a project that project managers can manage by themselves. Among other things, project managers want to be able to add or remove members or assign or revoke reading and writing privileges. The procedure usually involves the project manager calling IT to request a folder or informing them of changes regarding authorizations and privileges. This results in a call or ticket to which a member of the IT organization must be assigned. The latter will have to perform the task and notify the project manager of the outcome.
But a different approach is possible:
With self-service capabilities, project managers can register projects themselves. Using templates, IT administrators determine what should happen at the NTFS level and in Active Directory. A link with the HRM system makes it possible, among other things, to check which Active Directory users are the actual project managers. These accounts are then authorized to register projects using secure electronic forms (e-forms). Each registered project is checked for naming and duplicate records. A project folder can then be created on a file server using an intelligent mechanism, which makes it possible to define a group of file servers and either use the file server with the most available disk space or select a random file server from the group. This process is even simpler with DFS: less intelligence is needed to pinpoint an NTFS location, because DFS handles that for the most part.
After the project folder has been created, local and global groups can be created automatically in Active Directory on the basis of a user-defined naming convention, e.g. G-LG-NTFS-"project"-R or G-LG-NTFS-"project"-C. The local groups are then linked to the global groups and assigned read and change privileges for the project folder. After completing the electronic form, the project manager receives notification that the directory has been created, so that he or she can continue directly with the next form and add members to the project folder along with reading and/or writing privileges. In the background, this is a modification of the Active Directory groups created earlier, but the project manager no longer needs to be concerned with that.
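The checks described above (name and duplicate checking, choosing the file server with the most free space, deriving groups from a naming convention) can be expressed as follows; this is an added Python example, not code from the original post or from UMRA. The allowed-character rule, the `G-`/`LG-` split of the naming pattern, the `Projects` share name, the nesting of global groups into local groups and all sample values are assumptions.

```python
import re

# Assumed policy (not from the original post): the name typed into the e-form
# ends up in a UNC path and in group names, so only an allowlist is accepted.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{1,30}[A-Za-z0-9]")
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}


def validate_project_name(name, existing):
    """Return the name if it is safe for a folder and group names, else raise."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be 3-32 chars: letters, digits, '-' or '_'")
    if name.upper() in RESERVED:
        raise ValueError("name is a reserved Windows device name")
    # NTFS and Active Directory compare names case-insensitively.
    if name.casefold() in {e.casefold() for e in existing}:
        raise ValueError("a project with this name already exists")
    return name


def pick_file_server(free_bytes):
    """Choose the server with the most free space; ties break by name."""
    if not free_bytes:
        raise ValueError("no file servers in the group")
    return max(sorted(free_bytes), key=lambda s: free_bytes[s])


def plan_project(name, existing, free_bytes, share="Projects"):
    """Build the provisioning plan: folder path, groups, nesting and ACL."""
    name = validate_project_name(name, existing)
    server = pick_file_server(free_bytes)
    path = "\\\\" + "\\".join((server, share, name))
    plan = {"path": path, "groups": [], "nesting": [], "acl": []}
    for suffix, right in (("R", "ReadAndExecute"), ("C", "Modify")):
        glob, local = f"G-NTFS-{name}-{suffix}", f"LG-NTFS-{name}-{suffix}"
        plan["groups"] += [glob, local]
        plan["nesting"].append((glob, local))  # assumed: global is a member of local
        plan["acl"].append((local, right))     # only local groups go on the folder ACL
    return plan


if __name__ == "__main__":
    # Constructed sample data: existing projects and free bytes per file server.
    existing = ["Apollo"]
    free = {"FS01": 100 * 2**30, "FS02": 500 * 2**30}
    print(plan_project("Hermes-2011", existing, free))
```

Because members are only ever added to the global groups, the folder ACL itself never changes after provisioning, which keeps the delegated form limited to group membership.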
Want to know more? Check out organizational delegation and self-service for UMRA.
