Step 1: Designing a Security Schema – Grass Valley NAS Security Instruction Guide v.5.1A User Manual

Digital News Production
Designing a Security Schema
The first step in setting up security in your NAS system is to determine a schema 
for permissions. The schema determines which groups you create, and which 
permissions you give each group. 
Thomson Grass Valley has created a typical schema for use in illustrating 
security principles in this document. You may use this schema if it is 
appropriate for your newsroom, or create your own. For the examples in this 
manual, we’ll assume that the newsroom has five groups: Editors, Producers, 
Archivists, Ingestors, and Viewers. 
The NAS security principles do not depend on these particular groups, though 
using groups greatly simplifies the establishment of the security schema. We 
picked these names as examples; you do not need to use them in your operation. 
You can have as many or as few groups as you like, named however you wish. If 
your domain has a tree hierarchy, you may assign permissions to global groups 
as well. 
It’s important to establish a simple, consistent group structure. As with any 
large, shared file system, permissions are best applied to groups, not users. 
Individual user rights are then determined by administering group membership.
The core of Thomson Grass Valley’s Serial ATA NAS product is a highly 
customized and tuned Linux-based Samba server. Knowing this will help you as 
you work with the security features, which derive more from Samba than from 
Windows. There are some particular differences to note. The Windows features 
of inheritance and denial are not identically supported or defined in Samba. 
Inheritance is effected by the limited, automatic propagation of allowed 
permissions to descendants in the file tree at the time they are set; denial 
is effected by the strict use of the Allow control as the inverse of Deny. 
There is no explicit Delete permission; deletion is bound to the Write 
permission, so a group that is allowed Write is also able to delete.
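A small planning model of the points above (permissions granted to groups, Allow-only entries, Delete bound to Write), added here as an illustration and not taken from the Grass Valley manual or the NAS software. The folder paths, user names and per-group grants are constructed, and treating a user's rights as the union of the Allow grants to their groups is a simplifying assumption.

```python
# Added planning sketch: folder paths, grants and user names are constructed.
GROUPS = {"Editors", "Producers", "Archivists", "Ingestors", "Viewers"}

# folder -> {principal: rights allowed}. Only Allow entries exist; there is no Deny.
SCHEMA = {
    "/news/incoming": {"Ingestors": {"read", "write"}, "Editors": {"read"}},
    "/news/stories": {"Editors": {"read", "write"}, "Producers": {"read", "write"},
                      "Viewers": {"read"}},
    "/news/archive": {"Archivists": {"read", "write"}, "Viewers": {"read"},
                      "Archivist": {"write"}},  # misspelled group, caught by lint()
}

# user -> groups; individual rights follow from group membership alone.
MEMBERS = {
    "jsmith": {"Viewers"},
    "akhan": {"Editors", "Viewers"},
    "lchen": {"Ingestors"},
    "mroy": {"Archivists", "Viewers"},
}


def effective(user, folder):
    """Rights a user holds on a folder: union of Allow grants to their groups."""
    acl = SCHEMA.get(folder, {})
    rights = set()
    for group in MEMBERS.get(user, set()):
        rights |= acl.get(group, set())
    if "write" in rights:
        rights.add("delete")  # no explicit Delete permission: it rides on Write
    return rights


def can_delete(folder):
    """Users able to delete in a folder, i.e. everyone who ends up with Write."""
    return sorted(u for u in MEMBERS if "delete" in effective(u, folder))


def lint():
    """Schema entries that grant to something other than a planned group."""
    return sorted((folder, principal)
                  for folder, acl in SCHEMA.items()
                  for principal in acl if principal not in GROUPS)


if __name__ == "__main__":
    for folder in SCHEMA:
        print(folder, "delete:", can_delete(folder))
    print("grants outside the planned groups:", lint())
```

Because there is no Deny in this model, the only way to narrow a user's rights is to remove them from a group or remove the group's Allow entry.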
The discussion in this chapter pertains to planning groups, users, and 
permissions. The actual creation of domain entities and setting of permissions 
are done in Step 7.
