CISO Bulletin: Multi-Cloud Authorization With the Enterprise File Fabric™

In a recent post about authentication with the Enterprise File Fabric™ I briefly mentioned authorization and committed to a follow-up post on that topic.  This post explains how the File Fabric’s authorization features are used to manage user access to directories and their contents on the storage that is attached to the File Fabric.  As we’ll see, the File Fabric can use the groups that are set up in the authentication system to create a unified security structure that spans all storage.  Additionally, for some resources, the File Fabric can import and use established user authorizations and also allow the storage’s native access controls to govern users’ read and write actions.

File Fabric Basics

Let’s start with a quick review of some File Fabric basics:

    • The File Fabric is a Secure Data Management solution for file and object storage solutions.
    • The File Fabric works equally well with on-premises storage and on-cloud storage and combines both resource sets into a ‘single pane of glass’ for management and end user access.
    • The File Fabric works with object storage, file storage and block storage.
    • The File Fabric works with almost any kind of storage an organization may be using.
    • Almost every File Fabric feature works the same across all of the different kinds of storage that the File Fabric supports, but there may be storage-specific features it takes advantage of. (We’ll look at one very powerful exception later.)
    • The File Fabric can manage all of an organization’s different kinds of storage side-by-side in a unified namespace.
    • The File Fabric’s authentication and authorization controls are applied consistently whether users access the File Fabric from their browsers, desktops, mobile devices, or from the API.

Shared Team Folders

The File Fabric’s Shared Team Folders feature allows an Administrator to create folders and share them with other users. The Administrator can also delegate the right to create and share folders to selected users either directly or via Roles.

Privileges to see and act on each Shared Team Folder and its contents can be set per user or per role or for any combination of users and roles.  By default these permissions are inherited by subfolders of the Shared Team Folder, but access to these subfolders can also be managed independently.

Users and Roles

The File Fabric’s authorization module enables permissions to be granted both to individual users and to roles.  When privileges are granted to roles, each user to whom a role has been assigned inherits the permissions associated with that role.  A user can have several roles, in which case she will have the union of the permissions granted to each of the roles.

Roles and Authentication System Groups

In the prior post on authentication I described how the File Fabric can integrate with an enterprise’s existing strategic authentication system.  That integration runs deeper than just authentication.  The File Fabric can additionally import the groups that have been defined in the existing authentication system and create a corresponding set of File Fabric roles.  Depending on how the authentication system integration has been configured, the File Fabric can automatically assign each user to each File Fabric role that corresponds to an authentication system group of which the user is a member.

Special Capabilities for SMB Storage

Starting with version 1906.07 of the File Fabric, when admins attach SMB storage they have the option of using an even tighter form of storage integration.  With this SMB-only feature, the File Fabric will automatically import each user’s permissions from the storage system and use those permissions to control the user’s access to the File Fabric’s metadata view of the directories and files on the SMB storage.  The File Fabric will also delegate control over access to the files and folders on the underlying storage back to the storage system using each user’s own account.  In this way, enforcement of access controls at the storage level is guaranteed.

One of Many Security Features

A rich set of authorization capabilities is just one example of the many ways in which the File Fabric helps enterprises meet their information security requirements. 

If you would like to learn more about how the File Fabric handles authorization or any other of the File Fabric’s many security features, visit storagemadeeasy.com or contact sales@storagemadeeasy.com.

Dan has been working with Storage Made Easy's founders since the company was launched.