Organize file systems and servers
by Ute Schwietering
The file system is one of the most important parts of any operating system. Users nearly always come into contact with file systems when storing and processing data. The logical organisation of a file system, i.e. the layout and administration of folder structures, is therefore one of the most important duties of administrators: they have to help users manage their files and at the same time observe company-wide concerns such as access rights, privacy and backups.
While folder structures for operating systems and software applications are mostly predetermined, the structures for business data (e.g. letters, Excel lists or other files) have to be defined by the organisation itself. Unfortunately, very little literature is available on the subject of “structuring file systems”. This blog article shows you several solutions that can easily be implemented on your server systems.
Among other things, you will learn:
- How to determine organisational requirements concerning the file system,
- How to address such requirements technically with the help of a folder structure,
- How to transfer data out of your current servers into the new structures.
Objectives for designing a folder structure
Without objectives, it is very difficult to plan anything. We therefore first define the objectives for the new file system, which will guide the design process:
- Each user knows where he can find the files he needs in the file system,
- Each user knows where he must file newly created files in the file system,
- The folder structure should also be able to “survive” a company restructuring,
- Administration work during daily tasks should be kept to a minimum.
Besides these general objectives, the operational requirements that the file system must fulfil must also be defined. These include:
- Operational requirements of users
This includes all requirements of the operational and structural organisation, i.e. the individual departments or certain business processes in your company. For example, each department will probably get its own folder, to which only the assigned staff members have access rights.
- External operational requirements
This includes e.g. privacy and compliance specifications which a company must fulfil.
- Technical requirements
It may be that some of the software applications used need particular folder structures. Such requirements must also be taken into account when designing the file systems.
Setting up the folder structure
In practice, a 4-level folder system has proven itself:
- Business data folder
The business data folder is the basis for all user data. It separates the user data from the operating system's data.
- Base folder
The business data folder contains a number of base folders. These are folders which contain protected folders for a specified category, e.g. departments or projects.
- Organization folder
A base folder contains a number of organization folders. These folders can be modelled on organization units, but can also be defined for other data that needs specific permissions, e.g. installation folders for specific licensed software applications.
Design note: When defining organization folders, base them on the structural organisation, i.e. the departments or projects in your company.
- Process folder
Each organization folder can contain process folders, i.e. specially protected areas with their own permissions.
Design note: When defining process folders, base them on the operational organisation, i.e. particular business processes within an organization unit. Typical process folders are e.g. protected folders for departmental or project leaders.
The following image shows an example of the different folder types. The business data folder D:\Data contains the base folders Archive, Customers and Projects. The base folders contain one or more organization folders.
Note: To simplify the display we have omitted the process folders.
These folder types can be used to design your new file system and later set it up in the following steps:
- Create the folder structure,
- Create user groups in Active Directory,
- Add the user groups to the folder access control lists,
- Copy data out of the old folders into the new folders.
Parks Authorization Manager (PAM) automates a large part of this step-by-step work. PAM creates all base and organization folders, creates the user groups and enters them in the appropriate folder access control lists. PAM also offers a copy function for data migration.
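The four working steps can also be scripted with built-in Windows tools. The following PowerShell sketch is an added example, not part of the original article and not PAM's own code; the organization folder names, the `FS_` group naming scheme, the OU path and the `\\oldserver\Sales` source share are assumptions, and it requires the ActiveDirectory module.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Folder names below the base folders, the OU and the old share are assumptions.
$Root    = 'D:\Data'                                 # business data folder (from the article)
$GroupOU = 'OU=FileServerGroups,DC=example,DC=com'   # hypothetical OU for permission groups
$Layout  = @{                                        # base folder -> organization folders
    Archive   = @('Contracts')
    Customers = @('Sales', 'Support')
    Projects  = @('ProjectA')
}
$Rights  = @{ R = 'ReadAndExecute'; M = 'Modify' }   # one group per folder and right
$Inherit = 'ContainerInherit,ObjectInherit'
$Rule    = [System.Security.AccessControl.FileSystemAccessRule]
$Admins  = (Get-ADGroup -Identity 'Domain Admins').SID   # English group name assumed

foreach ($base in $Layout.Keys) {
    foreach ($org in $Layout[$base]) {
        # Step 1: create the organization folder (-Force also creates missing parents).
        $path = Join-Path (Join-Path $Root $base) $org
        New-Item -ItemType Directory -Path $path -Force | Out-Null

        # Stop inheriting from D:\ and D:\Data; inherited entries are dropped, not copied.
        $acl = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($true, $false)
        $acl.AddAccessRule($Rule::new($Admins, 'FullControl', $Inherit, 'None', 'Allow'))
        $acl.AddAccessRule($Rule::new('NT AUTHORITY\SYSTEM', 'FullControl', $Inherit, 'None', 'Allow'))

        foreach ($suffix in $Rights.Keys) {
            # Step 2: create the permission group if it does not exist yet.
            $name  = "FS_${base}_${org}_$suffix"
            $group = Get-ADGroup -Filter "Name -eq '$name'"
            if (-not $group) {
                $group = New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description "$($Rights[$suffix]) on $path" -PassThru
            }
            # Step 3: add the group to the folder ACL by SID, so no name lookup is needed.
            $acl.AddAccessRule($Rule::new($group.SID, $Rights[$suffix], $Inherit, 'None', 'Allow'))
        }
        Set-Acl -Path $path -AclObject $acl
    }
}

# Step 4: copy data, attributes and timestamps but not the old ACLs (/COPY:DAT),
# so migrated files inherit the permissions of the new folder.
robocopy '\\oldserver\Sales' (Join-Path $Root 'Customers\Sales') /E /COPY:DAT /R:1 /W:1
```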
Tips and Tricks
Your new file system can be improved with the following best practice tips:
- Use shallow hierarchies for folders with permissions
For clarity purposes, no more than four levels (including process folders) should be used.
- Do not grant any permissions to Windows standard user groups in the business data area
If, for example, you grant permissions to the group Domain Users, each new user immediately receives rights, even without an application procedure. You quickly lose track of which users may read which folders.
One exception is the group Domain Admins if you do not plan to set up a special administrator group for the file system.
- Do not grant permissions to single users
Only user groups should be authorized and at least two staff members should belong to each group. This “four-eyes principle” protects against problems during holiday time or when staff resign from the company.
The only exception to this rule is usually the user’s home folder.
- Consider the user groups as permissions, not as “user bundles”
Define groups for each organization folder, even if some users are duplicated across groups (unlikely in practice). By doing so you can keep track of which permission groups apply to which folders without time-consuming analysis work.
- Define few shares, use access based enumeration
Avoid sharing individual organization folders on the network. Instead, share the base folders with access-based enumeration. In this way, user access can be changed simply by altering group membership, and users do not need to remember new shares.
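These tips can be checked against an existing server. The following read-only PowerShell audit is an added example, not part of the original article; it assumes the `D:\Data` root from the article and the ActiveDirectory and SmbShare modules, and it identifies accounts by SID so that it does not depend on localised group names.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example, not from the article. Read-only: it reports, it changes nothing.
$Root  = 'D:\Data'                               # business data folder from the article
$Broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
$SidT  = [System.Security.Principal.SecurityIdentifier]

function Get-Level([string]$Path) {              # 1 = business data folder, 2 = base folder, ...
    ($Path.TrimEnd('\') -split '\\').Count - ($Root.TrimEnd('\') -split '\\').Count + 1
}

function Get-AclFinding([string]$Path) {
    $level = Get-Level $Path
    # Explicit entries only (plus inherited ones at the root), read as SIDs.
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, ($level -eq 1), $SidT)) {
        $sid = $ace.IdentityReference.Value
        $obj = if ($sid -like 'S-1-5-21-*') { Get-ADObject -Filter "objectSid -eq '$sid'" }
        $issues = @(
            if ($sid -in $Broad -or $sid -match '^S-1-5-21-.+-513$') { 'standard group (RID 513 = Domain Users)' }
            if ($obj.ObjectClass -eq 'user') { 'permission granted to a single user' }
            if ($obj.ObjectClass -eq 'group' -and @(Get-ADGroupMember -Identity $sid).Count -lt 2) {
                'group has fewer than two members'
            }
            if ($level -gt 4) { 'explicit permission below the fourth level' }
        )
        foreach ($issue in $issues) {
            [pscustomobject]@{ Path = $Path; Identity = $sid; Rights = $ace.FileSystemRights; Issue = $issue }
        }
    }
}

function Get-ShareFinding {
    foreach ($share in Get-SmbShare -Special $false | Where-Object { $_.Path -like "$Root\*" }) {
        if ($share.FolderEnumerationMode -ne 'AccessBased') {
            [pscustomobject]@{ Path = $share.Path; Identity = $share.Name; Rights = $null; Issue = 'access-based enumeration is off' }
        }
        if ((Get-Level $share.Path) -gt 2) {
            [pscustomobject]@{ Path = $share.Path; Identity = $share.Name; Rights = $null; Issue = 'share below base-folder level' }
        }
    }
}

$folders  = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse)
$findings = @($folders | ForEach-Object { Get-AclFinding $_.FullName }) + @(Get-ShareFinding)
$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Home folders are the stated exception to the single-user rule, so findings of that kind under a home-folder base folder are expected.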
A clear and simply structured file system is an optimal help to users during their daily work.
From our daily work we know that, over the years, file systems do not stay as originally planned: company restructurings and changed requirements leave their mark. A reorganisation to fulfil compliance requirements makes sense, particularly where permission granting has not been documented.
Do not spend too much time thinking about old structures; instead, start a process to gather the actual user requirements, reorganise the file system and transfer the existing data into the new structures. With Parks Authorization Manager (PAM) you have a tool which will help you during the reorganisation and which will offer all the help you need during your daily work to permanently adhere to the new structures.