Groups and their role in regulatory compliance - Part 2

Follow-up to part 1 discussing Groups and their role in regulatory compliance.
  1. Blog

Let's now see those groups we talked about in Part 1 in action. You might want to review the Group memberships found in the later part of Part 1 and see which user(s) belong to which group.

Ready? Let's begin.

At the start of the day, Joey logs in to his company's MFT server using AnyClient and uploads to his home directory a file named "payroll201805.doc".

joey newly uploaded file mft server

He then navigates to the "allgroups" directory and uploads a file named "Spreadsheet risk issues.doc".

joey upload spreadsheet mft server

Later on, Maria logs in to the same managed file transfer server using her own copy of AnyClient. She doesn't see "payroll201805.doc" because that file was stored in Joey's home directory.

maria no payroll mft server

She proceeds to the "allgroups" directory, where she sees the file "Spreadsheet risk issues.doc". Intrigued by the name of the file, she attempts to download it. Unfortunately, the server denies the request. Remember that, like Joey, Maria belongs to the Uploader Staff group and members of that group are not allowed to download anything from this path.

maria unable to download spreadsheet mft server

From his office many miles away, Steven logs in to the same server. Like Maria, he doesn't see Joey's "payroll201805.doc" but sees "Spreadsheet risk issues.doc" in the "allgroups" directory.

But unlike Maria, when Steven tries to download the file, the managed file transfer server grants the request.

steven download spreadsheet mft server-1

Steven opens, reviews, and edits his newly downloaded copy of the "Spreadsheet risk issues.doc" file. He thinks of replacing the copy on the server with his own edited copy. But when he tries to delete the copy stored in the "allgroups" directory, his request is denied.

unable to delete mft server

Unperturbed, he renames his edited copy to "Spreadsheet risk issues v2.doc" and tries to upload the file instead. That request is denied as well.

He then asks his buddy, Doug, to come over to his workstation and perform the upload for him. Doug logs in using his own user credentials. But since he too is a member of the Downloader Staff, his attempt to upload to the same path fails as well.

unable to transfer doug mft server

Later in the evening, someone from the company logs in to the managed file transfer server, navigates to the "allgroups" directory, and downloads the "Spreadsheet risk issues.doc" file.

maria download mft server

That person then makes changes to the contents of the file, deletes the original copy on the server,

file successfully deleted mft server

and replaces it with the edited copy.

uploaded file danika mft server

How is it that this person is able to download, delete, and upload files to the "allgroups" directory? Because this person is Danika and she belongs to the Super Staff group.

Did you notice the many security implications in those very simple scenarios? Groups can help you enforce stronger security but it's really up to you to plan out your groupings to make this feature really effective in enhancing security.

Building those groups in JSCAPE MFT Server

Now, I would like to show you how I created those groups, assigned users to them, and set each group's permissions.

To create the Uploader Staff group, I launched my JSCAPE MFT Server Manager, navigated into a domain, and then opened the Groups section. Once there, I clicked the Add button.

add group mft server

I was then brought to the Add Group dialog box, where I entered the name of the group, the virtual path of the group, and its real path. When I was done entering, I clicked OK.

add group dialog mft server

I followed the same process to create the other two groups.

add group dialog mft server downloader staff

add group dialog mft server super staff

Notice how I made the Path and Real Path entries the same for all three groups. That's because, in this particular scenario, we wanted our groups to share the same directory but have different permissions to it. It doesn't have to be that way with your other groups. Different groups can have different paths and real paths.

Here are all three groups as seen from the main screen.

all groups mft server

Having already created all three groups, I set out to assign permissions to them. I started by selecting the Uploader Staff from the list of groups and then clicking Edit.

edit uploader staff group mft server

I then selected the path and clicked Edit.

edit uploader staff path mft server

Once I got to the Edit Virtual Path dialog box, I clicked the Permissions button to start assigning permissions to this particular group path. In case you're wondering, a group can have multiple paths and each path can have its own set of permissions.

group path permissions mft server

For this particular group, I checked all permissions except Download file.

desellect download file groups mft server

I then clicked each OK button on every dialog box / screen I encountered until I got back to the main screen.

I followed the same process for the Downloader Staff group. However, when I got to the part of actually setting permissions, I checked Download file and unchecked some permissions (see screenshot below).

virtual path permissions downloader staff mft server

Again, I went through the same process for the Super Staff group until I got to the Virtual Path Permissions dialog box. This time, I checked all permissions.

all permissions super staff group mft server

After setting permissions for all three groups, my next task was to assign user accounts to each one of them. I started with the Uploader Staff group by selecting it and then clicking the Users button.

uploader staff group users mft server

On the Setup 'Uploader Staff' Users dialog box (where 'Uploader Staff' will be replaced with the name of the group you selected), I assigned members to the group. To do that, I ticked the check box beside the name 'joey' and then did the same for 'maria'.

uploader staff group user members mft server

I followed the same steps for the two remaining groups. As planned, Steven and Doug went to Downloader Staff, while Danika went to Super Staff.

That's all there was to it. And that's how you build groups in JSCAPE MFT Server.

Summary

In this two-part series, we talked about JSCAPE MFT Server groups, how they can be used for regulatory compliance, and how to actually create them.

Downloads

Download JSCAPE MFT Server

Download AnyClient