How do YOU handle file system permissions management?

jgebhart2
2,332 Views

I'm curious how others in the industry handle file system permissions management.

The model I'm working with now basically has two separate methods depending on whether it's for the Windows world or the Unix/Linux world, but my question is in reference to managing CIFS/SMB permissions for Windows users.

For CIFS/SMB, it involves an Identity and Access Management Team which handles permissions assignment. Our storage team creates volumes/shares and sets the Share permissions such that the IAM Team has permission to modify the Share permissions and file system permissions. The IAM Team handles access requests (validating the request, obtaining approval, and executing the change). They currently do this by "connecting to another computer" via MMC, entering the DNS name for a data LIF and managing it like they would if it were a file share hosted on an actual Windows Server.

That seems to be a common way to do this, however, as InfoSec gets more and more attention (and rightly so) there is a desire to separate management access from data access. So what we've been trying to do is disable management access (HTTP, CLI, API) on the data LIFs and create a separate SVM management LIF, and disable data protocols on the management LIF. However, this poses a problem in this case because a management task such as permissions assignment via MMC requires a data protocol (CIFS).

This becomes even more complicated as we venture into providing shared storage in different security zones such as an internal network and a DMZ, where we absolutely cannot allow management of the asset from the DMZ.

So... how are some of you accomplishing this?

Do the sysadmins who manage the storage array configure permissions via CLI, API, etc.?

Do you allow an IAM Team access to the storage array to configure permissions without having to use a data protocol (using MMC/CIFS as described above)?

1 ACCEPTED SOLUTION

tahmad
2,189 Views

Hi,

Usually the file permissions are modified from the client side. The document below shows how permissions can be managed from the Windows side:

Configuring NTFS file permissions in a share 

However, there is a way to modify permissions on files and folders from the storage. 

Note: This process is not the recommended method for NTFS ACL management. It is recommended to use the Windows 'Security' tab whenever possible. This process should be used when NTFS ACL management is not available via Windows.

How to modify permissions on files and folders in clustered Data ONTAP when there is no permission to take ownership 
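The following is an added illustration of the two paths this thread contrasts; it is not part of tahmad's reply and not code from NetApp's documentation. Path 1 is the client-side method the question describes: the ACE is written over SMB to a data LIF, which is exactly why turning off HTTP/CLI/API on that LIF does not help (only turning off CIFS would, and that breaks the method). Path 2 is the storage-side method the reply points to: the same change is expressed as an ONTAP security descriptor and applied with the `vserver security file-directory` command family over SSH to the SVM management LIF, so the IAM operator needs no data protocol at all. Assumptions: the SVM `vs1`, LIF names `vs1-data` and `vs1-mgmt`, share `data` on junction path `/data`, the AD groups `CORP\IAM-Admins` and `CORP\Finance-RW`, and an SVM login `iam-svc`. Two caveats a practitioner should keep in mind: the storage-side policy applies the whole descriptor you define to the path (it replaces what is there rather than appending one ACE), so list every ACE the folder should keep; and the storage team should scope the SVM login with a role limited to that command directory (for example `security login role create -vserver vs1 -role iam-acl -cmddirname "vserver security file-directory" -access all`). Verify the exact option names against the man pages of the ONTAP release in use.

```powershell
# Added example, not from the original thread. Names below are assumptions:
#   vs1        - SVM hosting the share
#   vs1-data   - DNS name of a data LIF (CIFS on, management protocols off)
#   vs1-mgmt   - DNS name of the SVM management LIF (SSH only, no data protocols)
#   data       - CIFS share backed by junction path /data
#   CORP\IAM-Admins, CORP\Finance-RW - example AD groups
$Identity = 'CORP\Finance-RW'
$Folder   = '\\vs1-data\data\finance'

# ---- Path 1: client side, what MMC does under the hood ----
# Works only because the caller reaches the share over SMB, i.e. through the data LIF.
function Grant-ModifyOverSmb {
    param([string]$Path, [string]$Account)

    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)          # appends one ACE, existing ACEs are kept
    Set-Acl -Path $Path -AclObject $acl

    # Read the ACL back and return the ACE that was just written, as a check.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
}

# ---- Path 2: storage side, management LIF only ----
# The descriptor below REPLACES the ACL on /data/finance, so every ACE the folder
# should keep must be listed here, not only the one being added.
$OntapCommands = @(
  'vserver security file-directory ntfs create -vserver vs1 -ntfs-sd sd_finance -owner "CORP\IAM-Admins"',
  'vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd_finance -access-type allow -account "CORP\IAM-Admins" -rights full-control -apply-to this-folder,sub-folders,files',
  'vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd_finance -access-type allow -account "CORP\Finance-RW" -rights modify -apply-to this-folder,sub-folders,files',
  'vserver security file-directory policy create -vserver vs1 -policy-name pol_finance',
  'vserver security file-directory policy task add -vserver vs1 -policy-name pol_finance -path /data/finance -security-type ntfs -ntfs-mode propagate -ntfs-sd sd_finance',
  'vserver security file-directory apply -vserver vs1 -policy-name pol_finance',
  'vserver security file-directory show -vserver vs1 -path /data/finance'
)

function Grant-ModifyOverMgmtLif {
    param([string]$MgmtLif = 'vs1-mgmt', [string]$User = 'iam-svc')
    foreach ($cmd in $OntapCommands) {
        # One SSH session per command: each change shows up as its own line in
        # ONTAP's command history, which is what an auditor will ask for.
        & ssh "$User@$MgmtLif" $cmd
        if ($LASTEXITCODE -ne 0) { throw "ONTAP command failed: $cmd" }
    }
}

# Usage, pick the path that matches the network the operator sits on:
# Grant-ModifyOverSmb -Path $Folder -Account $Identity   # needs CIFS to a data LIF
# Grant-ModifyOverMgmtLif                                # needs only SSH to the mgmt LIF
```

For the DMZ case in the question, Path 2 is the one that fits: the DMZ hosts only ever see the data LIF, while ACL changes come in on the management LIF from the internal network, and the SVM login used for them can be restricted to the `vserver security file-directory` command directory so that it cannot be turned into general storage administration.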
