Including the data store - instructions
- Path for the OE directory: \\sccfs.scc.kit.edu\OE\<OE> (replace <OE> with the appropriate OE abbreviation, e.g. \\sccfs.scc.kit.edu\OE\SCC)
- Path information from the fileservice administrator of the OE.
- Substructures (e.g. \project, \employee) and access rights can be created and managed by the OE itself.
- Quota: The requested capacity is set up as quota for the OE directory.
Within the OE directory, OE administrators can set up their own OE-internal directory structures, which can also be managed separately with regard to access rights.
- Path for the personal directory: \\sccfs-home.scc.kit.edu\home
- The personal directory is created the first time the user connects to this path with the KIT user account (ab1234 + password).
- CIFS only!
- Fixed quota: 10GB
- Backup/restore interval: users can restore versions up to 7 days back themselves (snapshot); weekly versions up to 3 months back can be restored by SCC
Further technical information: \\sccfs.scc.kit.edu\OE\SCC\SyS\Fileserver\SCC-Doku
Access to these directories
- The personal directory and the department directory can be automatically integrated during the login process on OE computers that are already integrated into the KIT domain. (Responsibility: OE administrator)
- The OU defines under which drive letters the integration of the OE directory and the personal directory takes place.
Management of access rights in the new OE directory
In the following, it is assumed that the OE directory and the employee's personal directory are "visible" in the file explorer.
Use case 1
An OE employee wants to grant access rights to a directory or file to another individual KIT employee.
- Via the file/directory properties (right mouse button), the OE employee can set up the access rights under security. (This is possible because all accounts of KIT employees are available in KIT-AD).
Use case 2
A group of employees is to be granted access rights to a directory or a file (e.g. to the department directory, the group of all department members).
- If the (authorization) group has already been created by the IT representative in the group management, it is available in KIT-AD and can be selected accordingly.
- If the (authorization) group has not yet been created, it must first be created in the group administration (GV). After this new group has been provisioned in the KIT-AD, it can be selected.
- Via the file/directory properties (right mouse button), the access authorisations for the group can then be set up under security.
Restore previous versions
On the file servers of the SCC in the KIT context (personal drives and OE shares), so-called snapshots are created daily of all files and directories. With their help, a user can restore even previous versions of a file or a directory (including deleted files within the directory).
This can be achieved under Windows 7 as follows:
Right-click on the file or folder -> Properties -> Previous Versions.
Once you have selected a file, you will see a list of previous versions with date and time information and can now restore such a file (and thus overwrite the newer file with the same name) or copy it to another location.
If you have selected a folder (or even the drive itself) instead, you can additionally open an old version of the folder and copy or restore files from it. This way you can also get to deleted files. This recovery is possible up to 7 days back. If you need an even older version (there are also weekly snapshots up to 3 months back), please contact the SCC service desk.
Use under Linux
Access to personal directories or OE shares is also possible under Linux:
- With smbclient: smbclient -U KIT\\ab1234 //sccfs-home.scc.kit.edu/home.
This works as a "normal" user.
Important: the double backslash in front of the username!
- Mount (only as root):
  mount -t cifs -o user=KIT/ab1234 //sccfs-home.scc.kit.edu/home /mnt/home
  or in the fstab:
  //sccfs-home.scc.kit.edu/home /mnt/home cifs noauto,user=KIT/ab1234,uid=localunixid,gid=localgroupid,file_mode=0640,dir_mode=0750
  User IDs and mount points must be replaced accordingly; the IDs must also be authorized.
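A check for the fstab entry above, as an added example that is not SCC's own tooling: it reads fstab-format lines and flags a password stored in the options, file_mode/dir_mode values that open the mount to all local users, and non-CIFS mounts of the shares. The OE share written with forward slashes, the NFS export path, the mount points and uid/gid 1000 are constructed assumptions.

```shell
#!/bin/sh
# Added example: lint fstab-format lines (stdin) that mount the SCC shares.
# One finding per line on stdout; exit status 1 if anything was flagged.
audit_cifs_fstab() {
    findings=0
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in
            //sccfs*.scc.kit.edu/*|sccfs*.scc.kit.edu:*) ;;
            *) continue ;;               # comments, blanks, other filesystems
        esac
        if [ "$fstype" != "cifs" ]; then
            echo "$mnt: type $fstype, but only CIFS is offered by default"
            findings=$((findings + 1))
            continue
        fi
        old_ifs=$IFS; IFS=,
        for opt in $opts; do
            case "$opt" in
                password=*|pass=*)
                    # fstab is normally world-readable; never echo the value
                    echo "$mnt: password stored in fstab"
                    findings=$((findings + 1)) ;;
                file_mode=*[1-7]|dir_mode=*[1-7])
                    # a non-zero last octal digit grants rights to "other"
                    echo "$mnt: $opt grants access to all local users"
                    findings=$((findings + 1)) ;;
            esac
        done
        IFS=$old_ifs
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample input: the first line follows the page's fstab entry
# (uid/gid 1000 are placeholders); the other two are deliberately weak.
sample_fstab() {
    cat <<'EOF'
//sccfs-home.scc.kit.edu/home /mnt/home cifs noauto,user=KIT/ab1234,uid=1000,gid=1000,file_mode=0640,dir_mode=0750
//sccfs.scc.kit.edu/OE/SCC /mnt/oe cifs user=KIT/ab1234,password=CONSTRUCTED,file_mode=0666,dir_mode=0777
sccfs.scc.kit.edu:/OE/SCC /mnt/oe-nfs nfs vers=3
EOF
}

sample_fstab | audit_cifs_fstab || echo "review the entries listed above"
```

To check a real system, feed it the local table: `audit_cifs_fstab < /etc/fstab`.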
Instruction OE-Directory - ITB
By default, only CIFS access is possible, not NFSv3. NFSv3 access for the OE directory will only be set up if there is a written confirmation from the OE management that security problems with NFSv3 are consciously accepted and a specific provisioning is agreed. Users of Linux systems can also "mount" CIFS directories (SMB/Samba client).
- Access to the OE directory is available to users with their personal KIT account.
- Windows users can mount the directory as a drive, e.g. with network drive (see chapter structuring suggestions below).
Management (Access Rights) - Group Management
User groups that are to be assigned access rights to the OE directory are created in the (central) group management (GV; SCC responsibility: DEI department).
- If a group is created in the GV, it is provisioned in the two central directory services KIT-AD and KIT-LDAP.
- Link to GV
There are two relevant groups that have access to the GV by default:
- SCC-ITB-OE (members maintained by the SCC, based on reporting by the OE) and
- SCCFS-ADMINS-OE (currently maintained by the SCC).
The accounts of the ITB-designated administrators for the OE directory are added to the SCCFS-ADMINS-OE group (currently maintained by the SCC, see item before); members of the group have full access/authorization to the entire OE directory to set up structures and permissions.
- Via the GV, the ITB and/or the FS admin can create their user groups (e.g. "OE", "Project Group A").
- "Any" KIT members (KIT account) can be added to user groups. The persons are synchronized from the KIT administration systems into the IDM (Identity-Management) and are available in the GV.
- Access rights for authorization groups or individual employees to subdirectories and files in an OE directory can be controlled largely independently by the employees of the OE; only the creation of a new user group must be carried out by the FS admin of the OE.
- All groups available in the GV can be used. Access rights to the OE directory are assigned in the Windows environment as usual via "Right Mouse Button/Properties/Security...".
- Only groups created via the (central) GV are relevant for the central IT services of the SCC! Groups that are (in the future) "only" created in KIT-AD, e.g. in an OU, are not "central groups" and therefore cannot be used for central SCC services.
- The groups created via the GV can also be mail-activated:
- Current: create the group in the GV and then inform the SCC Service Desk to set this group to "mail-activated" (e.g. standard ticket). The maintenance of the group (in the GV) is then carried out independently by the OE.
Personal Directory Guide - ITB
Each employee receives 10 GB of storage capacity (so-called P-directory or home directory) for personal and official data. This directory is located under the path:
for the storage of personal data. Users have access with their KIT account.
- The personal directory is dynamically created on the first connection with the KIT user account (ab1234 + password) to the above (generic) path. (E.g. with "connect as").
- Directory size 10GB (currently) - Not expandable
- Connection only with CIFS (no NFS!)
- Directory can NOT be shared with other users (not "shared"), because it is a directory for purely personal data.
- These personal directories are created independently of a person's OE assignment and remain assigned to that person (their KIT account) even if the person moves to another OE.
- Directories/data that are to be shared with other users must be set up/created under the OE directory, for example.
Instruction how to integrate the directories - ITB
Structuring notes for the integration of the P and OE directory
Generic structuring proposal (can be controlled by GPO for each OE/OU)
See also: Instruction OE-Directory - ITB
- Include personal directory (P directory) as P(ers.) drive. (Access to the P-directory cannot be shared, but is exclusive to the individual employee).
- Include the complete OE directory as an O (or Z) drive, for example.
- Create a directory EMPLOYEE in the OE directory.
- In it, all employees could create their own OE-related working directories with their own structures (i.e. \OE-V\MITARBEITER\"Musterfrau"\...).
- Include the individual employee directory (in EMPLOYEE) as a U(ser) drive (e.g. via GPO for "Home attribute").
- Alternatively, for example, mount the entire EMPLOYEE (MITARBEITER) directory as a U-drive. Then an employee sees the directories of the other employees, but has access only to his own.
A possible procedure for creating the employee directories
- Give all employees of the OE write access to EMPLOYEE, then they can create their own directories (homes).
- To do this, create a group in the group administration, e.g. ALL OE EMPLOYEES, and give this group full access to the directory EMPLOYEE.
- If an employee has created "his" directory, he can control the access rights himself via right mouse button/properties/security (Windows workstation).
Concept of the KIT file storage
A presentation (PDF file, in German) shows the concept of the central data storage as well as the access structures. It gives a generic structure example for the integration of the P and OE directories and describes possible procedures for the creation of the employee directories (for ITBs).