Data Owner Responsibilities
Administrative oversight of department’s IFS licence
Provide a Purchase Order for IFS costs (after July 2025)
Appoint Data Managers for all the drives within the Department IFS licence
Receive email warnings as maximum capacity reached
Extend storage capacity by providing a PO
If acting as Data Manager also, the following responsibilities equally apply
Annual review of Data Manager/s to ensure they are correct.
Data Manager Responsibilities
Assist incident recovery activities by reviewing data
Identifying data that may belong elsewhere so it can be moved
Adding users to the appropriate security groups as UMD and Assured computers are rolled out so that they can access the data.
Ongoing responsibility for data access - adding and removing users (either via self serve or directing CSCS to do on your behalf)
Ongoing identifying additional security groups that may be required and requesting them from CSCS
Ensuring that data in the drive is stored appropriately (according to data classification policy below)
Responding to alerts if drive is possibly running out of space
Share urgent data that may be required in the short term before drive access restored to all users
Ensuring that data access is provided only to authorised users and those with UMD or Assured computers
Annual review of users who have access to data to ensure that it is correct.
DO and DM have access to a report of all of their managed Group drives and Security groups. They can access it by going to their Halo home portal, select My reports and open the Group drive(s) on the list.
IFS Cost
IFS is paid for on a per TB basis. 1TB is £150 per year and will be billed to each department. UIS have graciously granted CSCS until July 2025 at no cost to give the School time to move into IFS and iron out any difficulties. When the renewal comes up each data manager will receive an email with information about paying for the licence and data.
IFS Data Quota
Data storage is purchased on a per TB basis. If your IFS drive gets close to its quota, the data manager will receive an email to that effect. You can instruct your users to do some housekeeping, or increase the space by going to this page https://selfservice.uis.cam.ac.uk/storage/IFS/
New Group Drives
Adding a new group drive can be done via the IFS Self Service portal
First, check if you have some unallocated space you could use. Go to https://selfservice.uis.cam.ac.uk/storage/IFS/ and click on My Account. You should be able to see if you have any free space. Ideally you would allocate space in chunks of 1TB.
If you don’t have free space, click the Back button and create a quote and pay for the extra space.
Once there is sufficient free space, go to My Account to create a new project. (expand section below)
Data Classification Guidelines
Data should always be stored in accordance to the University’s https://help.uis.cam.ac.uk/service/security/data-sec-classes. IFS is suitable for Medium impact level 2 data.
Sharing data before IFS permissions are set up
Once you have access to your data you would be able to share it out through many methods. You must be cautious when sharing data and only use the method suggested below. Otherwise you risk:
Proliferation of data outside of the central storage with different versions and possibly without a backup,
Loss of control of data and possible malicious exfiltration if placed locally on desktop for example.
Difficulty of tracking changes once users decide to consolidate files back into IFS storage especially if there are significant files that were copied out and modified outside IFS group drive.
Recognising that for business continuity reasons it may be necessary to share the data we recommend the following.
Copy any data that your team needs in the very short term to the files area in your Microsoft Team. Teams is simply a way of viewing the data in a restricted SharePoint site so effectively this means you will put the data in SharePoint.
Think about your team and the data you want to move. Should all of the people in the team access the data? if not, is there a secured channel that is already set up that has the necessary people in it?
if yes, move the files to that channel
if not, create a new folder in SharePoint
Make a note of what is moved so that later it can be copied back to IFS
Consider LinkedIn learning or the UIS SharePoint training before you do this. See links below.
CSCS Group Drive data recovery activities
All data has been moved from CSCS group drives to IFS. It now needs to be secured so that it can be made available to users with Assured computers.
Follow the steps below to prepare your data for your group/department to access.
Once migrated, each IFS drive has a single permission group applied to it. This means that any users in that permission group will have read and write access to all data in the group drive. Initially the Data Owner and Data Manager will be the only people with that access.
The Data Manager needs to review the data and identify any that needs to be locked down further. Please review the Permissions Models below and advise CSCS which one you choose for your data.
Permissions Models - Securing Your Data
For simplicity of management, the ideal is that all users with access to an IFS drive can access all data. If that is acceptable, go to Option1 below.
However sometimes more granular security is necessary. In this case, there are 4 options.
Option 1: All users with access to the group drive can see all the data
Option 2: Secure the folders at the top level of the drive with additional security groups. Whilst it is technically possible to apply security groups at a lower level of a group drive, this is not recommended. Often what happens is that at a later date, the permissions that are hidden in a lower level folder are forgotten about and overwritten in error. CSCS and UIS recommend that data permissions are standardised and set permissions at the top level only. See https://cscs-itsupport.atlassian.net/wiki/spaces/FAQ/pages/edit-v2/738099232#Example-diagrams%3A for a graphical description of the this option.
Option 3: Move selected data to a new group drive (called an IFS Project) This drive can either be secured with a single group as in Option 1 or have top level folder permissions as in Option 2.
Option 4: Move data to SharePoint - For small amounts of data you might want to consider moving it into Microsoft Teams/SharePoint. If the data is to be visible to an existing Team (in MS Teams) or a Teams channel this is simply a question of moving the file to right Files area for that Channel in SharePoint. You can enroll in the UIS SharePoint course for more information on how to do this (https://www.training.cam.ac.uk/ucs/event/5330021).
Example diagrams:
The diagram below gives an example of a fictitious group drive. It has 4 top level folders, and 2 sub folders. All users who are in the Security group for Everyone will have access to data in all of those folders.
The data from the example diagram above has been adjusted per the suggestions above. The Data Manager needs to indicate the security groups needed (purple text). Move the E. More HR data folder under A. HR and move F. HoD Confidential to the top level (green text)
Granting access to IFS data
It is the responsibility of the Data Manger to ensure only people who have a UMD or Assured computer are given access to IFS data.
For the most part, data managers will use a UIS web page called Toolkit https://toolkit.uis.cam.ac.uk/to add users to the appropriate security groups to be able to access group drive data. Instructions how to access are detailed below.
Colleagues who need access to the group drive must have a UMD or Assured computer. If they do, either the Data Manger can grant access, or the Data Manager/Owner can request via the CSCS Service Desk using this request form Clinical School Computing Service User Portal - Group Drive Access. If they do not have a UMD or Assured computer, first check if they have received an audit form from CSCS and have completed it. Secondly, have they received an invitation from CSCS to attend the Recovery Clinic. If any of those things have not happened, please contact the CSCS Service Desk and ask them to check where the person is within the process. If it is an urgent matter, please escalate with your Business and Operations Manager.
Procedure:
Each user will determine which group drives they need access to and reach out to the relevant Data Managers.
The list of group drives and data managers is here: https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx (please note that this a spreadsheet hosted on a UIS website. When you click this link it will open up a blank webpage and download the file, putting it in the downloads folder on your computer. If there are any errors, please advise CSCS. The file will be updated if changes are required).
When a user asks for access to a group drive:
Ensure that you have reviewed the group drive’s permissions and it has been implemented by CSCS
Determine whether they should have access (you may need to speak with the Data Owner to confirm, or you may know from previous group drive configuration)
Confirm the user has a UMD or assured device, using this look up tool - https://app.powerbi.com/groups/5c2484bc-b48a-4f87-a789-84945a43bed2/dashboards/16bd20f4-5dee-4f5d-8f39-7ce8adc68a87?ctid=49a50445-bdfa-4b79-ade3-547b4f3986e9&pbi_source=linkShare
Click in either the User Name, User Email or Department field (see below) to do a search.
Type in the name, or department name in the appropriate field you are looking for. If the user is not listed, they do not yet have a UMD device.
If you are sure a user has a UMD device but you can’t find them on the list, try just their surname. People often display their initials instead of forename in the directory. Unfortunately you cannot search by CRSID.
Data for this lookup tool https://app.powerbi.com/groups/me/reports/a9baafd0-4fae-4a53-8d51-026c3384d16f/eb78adb446a7499bc1be?ctid=49a50445-bdfa-4b79-ade3-547b4f3986e9&experience=power-bi is pulled from many data sources, so some information is updated every 2 hours but data on Windows devices is only updated once a day (overnight) which cannot be changed.
Go to the file https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx
Find the drive
Copy the primary security group name from column I
Open Toolkit - https://toolkit.uis.cam.ac.uk/ - and follow instructions in the “Adding users to groups in Toolkit” section below.
Send the user a message and include this link https://cscs-itsupport.atlassian.net/wiki/x/A4ATLg to tell them how to view the drive
If you have chosen folder-level security for the drive;
Go to the file https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx
Look at the Permissions groups tab in the spreadsheet and find the permissions groups
Find the name of the lookup group giving access to the entire group drive
Proceed to Toolkit to add the users to the relevant groups (see the “Adding users to groups in Toolkit” section below)
Folder level file permission setup
If option 2 is chosen you will be advised by CSCS once the new secured folders are set up. When you receive the notification:
The requester (usually a data manager) will be expected to move the files from the old location to the new folders that CSCS have created and secured.
Open Windows Explorer and turn on hidden items. Do this by clicking View in the toolbar, select Show, select Hidden Items
Open up two Windows Explorer windows - one with the old location and one showing the new
Drag and drop files from the old to the new location
If you see any errors, note them down and contact CSCS for assistance
Confirm that the data was all copied
Delete the old folder
Wait 24 hours for the new permissions structure to be applied to all of the files you copied in
You could now give access to other users with UMD computers per https://cscs-itsupport.atlassian.net/wiki/spaces/FAQ/pages/edit-v2/738099232#Granting-access-to-IFS-data
More information
UIS IFS Service Information https://help.uis.cam.ac.uk/service/cloud-services/institutional-file-store-service-ifs
LinkedIn Learning training about data permissions:
Intro to Users and groups https://www.linkedin.com/learning/comptia-a-plus-core-2-220-1102-cert-prep/introduction-to-users-and-groups-21425579?autoplay=true&resume=false&u=2963594
NTFS permissions https://www.linkedin.com/learning/comptia-a-plus-core-2-220-1102-cert-prep/ntfs-permissions-21428250?autoplay=true&resume=false&u=2963594