The IT Assets Database was replaced by the IT Admins CMDB and is EOL (End of Life); no further development will be done on this project.
The owner matrix or rights matrix is based on a category and sub-category definition that you can choose freely. You then give the entry a title, path or URL and a description. You also assign employees to the matrix entry and can leave a note with details about each employee's role there, e.g. secondary approver, additional approver etc.
If you set an entry inactive, the inactive date is auto-filled by default; you can always remove it.
To make sense of this, imagine the following file-system example:
You have a Departments folder with a sub-folder per department, e.g. IT, Accounting, Marketing. All of those departments have managers or directors who can actually approve who will gain access to their department folder.
Now an employee requests access to a certain department folder, and you need to know who can approve this request. You go to the rights or owner matrix and look it up.
What you would see in the data is, for example, this (depending on how you structure it):
| Category | Sub-Category | Path |
|---|---|---|
| File System | Departments | S:\Departments\Marketing |
| File System | Departments | S:\Departments\IT |
| File System | Departments | S:\Departments\Accounting |
Now you choose the entry you need to know about and see who the owners are and whom to contact to approve the request.
Of course you are not limited to the file system; you can fill in whatever you see fit in those fields. In the end you have three fields to divide and categorize by, and you can then add employees directly, with further notes and instructions on what they can decide.
You can also relate LDAP groups to the owner matrix. This helps to document the purpose of certain groups and show the big picture.
Notes and TAGs are available, as everywhere else.
Data field and reference overview
- Active / Disabled
- Deployment Status
- Category
- Sub-Category
- Title / Path / URL
- Description
- Created Date
- Inactive Date (might auto-set due to Active / Disabled)
- References to
  - Checklists
  - Notes
Checklists
Another feature is checklists that you can attach to those entries. This is especially helpful for creating folders, e.g. in your DFS file system. You can automate the LDAP / Active Directory group creation, the folder creation and the rights assignment, down to automatically adding them to your DFS namespaces, with a few checklist scripts. Examples are below; you of course need to create a checklist that provides the correct parameters to those example scripts, and adjust them to your specific needs. This eventually does a great deal of automation and avoids possible mistakes in the whole configuration. Folders constantly come and go; maybe not whole department shares, but project-related folders definitely do in any bigger business. It is essential to standardize group names and rights assignments, and to make sure they follow the same naming schema and NTFS rights. I wrote a DFS structure blog article about a nice example as well.
Keep in mind that you need the necessary PowerShell modules and DOS tools installed on the system where you execute those scripts.
PowerShell script (creates the two AD groups, the folder, the hidden share and the DFS link; SERVERNAME, servername and domain.local are placeholders):

```powershell
Param(
    [string]$foldername,
    [string]$shortdesc,
    [string]$notes
)
Import-Module ActiveDirectory
Write-Host "Script starting..."
Write-Host ""
Write-Host "Parameters submitted to script:"
Write-Host "==============================="
Write-Host "Foldername: $foldername" -ForegroundColor DarkYellow
Write-Host "Description: $shortdesc" -ForegroundColor DarkYellow
Write-Host "Notes: $notes" -ForegroundColor DarkYellow
Write-Host "==============================="
Write-Host ""
Pause
# One read-only and one read-write group per folder; the positional "1" is the GroupScope (Global).
# The notes end up in the group's "info" attribute so the purpose is documented in AD as well.
New-ADGroup "DFS_$foldername RO" 1 -Path "OU=Groups,DC=domain,DC=local" -OtherAttributes @{'info'="$notes"} -Description "$shortdesc Read Only"
New-ADGroup "DFS_$foldername RW" 1 -Path "OU=Groups,DC=domain,DC=local" -OtherAttributes @{'info'="$notes"} -Description "$shortdesc Read Write"
# Create the folder through the admin share, then share it as a hidden share (trailing "$") without spaces in the name.
md "\\servername\d$\shared folders\$foldername"
$sharename = $foldername.Replace(' ', '')
# Share-level access is deliberately wide; effective access is controlled by the NTFS ACL set in the batch script below.
# Access-based enumeration hides folders the user has no rights to; offline caching is disabled.
New-SmbShare -CimSession SERVERNAME -Name "$sharename$" -Path "d:\shared folders\$foldername" -ChangeAccess everyone -FolderEnumerationMode AccessBased -CachingMode None
# Link the new share into the DFS namespace.
New-DfsnFolder -Path "\\domain.local\n\$foldername" -TargetPath "\\servername.domain.local\$sharename$" -EnableTargetFailback $True -ReferralPriorityClass GlobalHigh -ReferralPriorityRank 0
```
Batch script (sets the NTFS rights and the DFS link security descriptor; the folder name is passed as the first parameter, SERVER and DOMAIN are placeholders):

```bat
echo "\\SERVER\D$\shared folders\%~1"
pause
REM Remove inherited ACEs (/inheritance:r) and grant only the standard set:
REM SYSTEM and Domain Admins full control, the RW group modify-like rights without delete on the root, the RO group read and execute.
icacls "\\SERVER\d$\shared folders\%~1" /inheritance:r /grant:r "SYSTEM":(OI)(CI)F /grant:r "DOMAIN\Domain Admins":(OI)(CI)F /grant:r "DOMAIN\%~1 RW":(OI)(CI)(S,X,RD,RA,REA,WD,AD,WA,WEA,DC,RC) /grant:r "DOMAIN\%~1 RO":(OI)(CI)RX
REM Restrict who can even see the DFS link (protect = stop inheriting from the namespace root).
dfsutil property sd grant "\\domain.local\q\%~1" "DOMAIN\Domain Admins":RX protect
dfsutil property sd grant "\\domain.local\q\%~1" "DOMAIN\%~1 RW":RX protect
dfsutil property sd grant "\\domain.local\q\%~1" "DOMAIN\%~1 RO":RX protect
pause
```
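Since the point of the checklist scripts is that every folder follows the same group naming schema, share settings and NTFS rights, a matching validation script is useful for catching drift later (a manually added ACE, re-enabled inheritance, a missing group). The following is an added example, not part of the IT Assets Database project, and assumes the same placeholders as the scripts above (SERVERNAME, domain.local, the `\\domain.local\n` namespace and the `DFS_<folder> RO/RW` group names):

```powershell
# Added validation script (not from the IT Assets Database project).
# Assumes the ActiveDirectory, SmbShare and DFSN modules and the page's placeholder names.
Param(
    [Parameter(Mandatory)][string]$foldername,
    [string]$FileServer = "SERVERNAME",        # placeholder, as in the page's script
    [string]$Namespace  = "\\domain.local\n"   # placeholder, as in the page's script
)
Import-Module ActiveDirectory
$findings  = @()
$sharename = $foldername.Replace(' ', '')
$groups    = @{ RO = "DFS_$foldername RO"; RW = "DFS_$foldername RW" }

# 1. Both groups must exist under the standard naming schema.
foreach ($kind in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($groups[$kind])'")) {
        $findings += "missing AD group: $($groups[$kind])"
    }
}

# 2. The hidden share must exist with access-based enumeration and no offline caching.
$share = Get-SmbShare -CimSession $FileServer -Name "$sharename$" -ErrorAction SilentlyContinue
if (-not $share) {
    $findings += "missing share: \\$FileServer\$sharename$"
} elseif ($share.FolderEnumerationMode -ne 'AccessBased' -or $share.CachingMode -ne 'None') {
    $findings += "share \\$FileServer\$sharename$ deviates from the ABE / no-caching standard"
}

# 3. NTFS ACL: inheritance must be disabled and only the standard identities may hold ACEs.
$expected = @("NT AUTHORITY\SYSTEM", "DOMAIN\Domain Admins") + ($groups.Values | ForEach-Object { "DOMAIN\$_" })
$acl = Get-Acl "\\$FileServer\d$\shared folders\$foldername"
if (-not $acl.AreAccessRulesProtected) { $findings += "NTFS inheritance is enabled on $foldername" }
foreach ($ace in $acl.Access) {
    if ($expected -notcontains $ace.IdentityReference.Value) {
        $findings += "unexpected NTFS ACE for $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }
}

# 4. The DFS folder must still point at this server's share.
$targets = Get-DfsnFolderTarget -Path "$Namespace\$foldername" -ErrorAction SilentlyContinue
if (-not ($targets.TargetPath -contains "\\$FileServer.domain.local\$sharename$")) {
    $findings += "DFS folder $Namespace\$foldername has no target on $FileServer"
}

if ($findings.Count -eq 0) { Write-Host "OK: $foldername matches the standard" -ForegroundColor Green }
else { $findings | ForEach-Object { Write-Host "DRIFT: $_" -ForegroundColor Red } }
```

Run it per folder from a checklist or on a schedule over all matrix entries of the File System category; any DRIFT line is a configuration that no longer matches what the creation scripts produced.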