Role based security with Distribution Groups has a security concern

  • Question
  • Updated 3 months ago
We are a professional service organization. We have a lot of clients at one time with 1 or more projects each. All those client projects need secured space within our ShareFile site, along with our internal corporate usage. The only effective way to manage that and demonstrate procedural based reliability of that security is to:
    a)  manage permissions on different folders based on the roles that need access and the level of security of each role
    b)  as persons move onto or off a particular team/role, add them to that role.

Within ShareFile, the only way that we have found to do this is through the use of Distribution Groups. And it works well. Almost.

That ‘ALMOST’ produces a security vulnerability that seems to make ShareFile unusable for us. After creating and maintaining distribution groups with the applicable persons assigned and assigning that Distribution Group to the “People on this Folder” with the necessary permissions, things work great... EXCEPT for the fact that when a user changes their email alert preferences for upload/downloads, ShareFile adds a NEW permission line for that INDIVIDUAL (along with the existing Distribution Group they belong to). If you remove the user from the Distribution Group (for instance they leave the team so should no longer have access to that client project files), the INDIVIDUAL permission that was created upon the alert change IS STILL THERE. With a large number of projects and employees with constant change, you can’t be sure that everywhere they might have made an alert change doesn’t have the inadvertent folder permission for that individual. The phenomenon was validated via a Citrix ShareFile support case. (Sidenote: you also wouldn’t know whether that permission was due to the above scenario or whether someone EXPLICITLY added the permission for that user outside of whether they are in a Role based group (i.e. Distribution Group)).

But, it seems a common use case, so I am wanting to make sure we are not missing something within the feature set. Is there a way to accomplish the above requirements of roles (via groups), membership into those roles/groups, and assignments of folder permissions based on role/group? The distribution group mechanism does not seem to work without the above security vulnerability.

Mark Smalley


Posted 3 months ago
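
An added example, not part of the original post and not ShareFile's own code or API: one way to audit for the leftover per-user entries described above, given an export of folder permissions and Distribution Group membership. The record layout, field names, and sample data are constructed assumptions for illustration.

```python
# Constructed sample data: the field names and layout are assumptions for
# illustration, not ShareFile's export or API format.
GROUPS = {
    "ClientA-ProjectTeam": {"alice@example.com", "bob@example.com"},
    "ClientB-ProjectTeam": {"bob@example.com"},
}

FOLDER_ACL = [
    {"folder": "/Clients/ClientA", "principal": "ClientA-ProjectTeam", "type": "group"},
    {"folder": "/Clients/ClientA", "principal": "alice@example.com", "type": "user"},
    {"folder": "/Clients/ClientA", "principal": "carol@example.com", "type": "user"},
    {"folder": "/Clients/ClientB", "principal": "ClientB-ProjectTeam", "type": "group"},
    {"folder": "/Clients/ClientB", "principal": "bob@example.com", "type": "user"},
    {"folder": "/Clients/ClientB", "principal": "alice@example.com", "type": "user"},
]


def audit_individual_entries(acl, groups):
    """Return a finding for every per-user entry on a folder.

    'redundant': a group on that folder still contains the user, so the
                 entry would outlive a later removal from the group.
    'orphaned':  no group on that folder contains the user, so the
                 individual entry is the only thing granting access.
    """
    groups_by_folder = {}
    for entry in acl:
        if entry["type"] == "group":
            groups_by_folder.setdefault(entry["folder"], set()).add(entry["principal"])

    findings = []
    for entry in acl:
        if entry["type"] != "user":
            continue
        user = entry["principal"].lower()
        covering = sorted(
            g for g in groups_by_folder.get(entry["folder"], ())
            if user in {m.lower() for m in groups.get(g, ())}
        )
        status = "redundant" if covering else "orphaned"
        findings.append((entry["folder"], user, status, covering))
    return sorted(findings)


if __name__ == "__main__":
    for folder, user, status, covering in audit_individual_entries(FOLDER_ACL, GROUPS):
        print(f"{status:9} {folder:18} {user:20} groups={covering}")
```

The audit cannot tell an entry created by an alert-preference change from one that was added explicitly, so each finding still needs review before removal.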
