IFS Data Owner and Manager Guidance

Data Owner Responsibilities

  • Administrative oversight of department’s IFS licence

  • Provide a Purchase Order for IFS costs (after July 2025)

  • Appoint Data Managers for all the drives within the Department IFS licence

  • Receive email warnings as maximum capacity reached

  • Extend storage capacity by providing a PO

  • If acting as Data Manager also, the following responsibilities equally apply

  • Annual review of Data Manager/s to ensure they are correct.

Data Manager Responsibilities

  • Assist incident recovery activities by reviewing data

  • Identifying data that may belong elsewhere so it can be moved

  • Adding users to the appropriate security groups as UMD and Assured computers are rolled out so that they can access the data.

  • Ongoing responsibility for data access - adding and removing users (either via self serve or directing CSCS to do on your behalf)

  • Ongoing identifying additional security groups that may be required and requesting them from CSCS

  • Ensuring that data in the drive is stored appropriately (according to data classification policy below)

  • Responding to alerts if drive is possibly running out of space

  • Share urgent data that may be required in the short term before drive access restored to all users

  • Ensuring that data access is provided only to authorised users and those with Assured computers

  • Annual review of users who have access to data to ensure that it is correct.

IFS Cost

IFS is paid for on a per TB basis. 1TB is £150 per year and will be billed to each department. UIS have graciously granted CSCS until July 2025 at no cost to give the School time to move into IFS and iron out any difficulties. When the renewal comes up each data manager will receive an email with information about paying for the licence and data.

IFS Data Quota

Data storage is purchased on a per TB basis. If your IFS drive gets close to its quota, the data manager will receive an email to that effect. You can instruct your users to do some housekeeping, or increase the space by going to this page https://selfservice.uis.cam.ac.uk/storage/IFS/

New Group Drives

Adding a new group drive can be done via the IFS Self Service portal

First, check if you have some unallocated space you could use. Go to https://selfservice.uis.cam.ac.uk/storage/IFS/ and click on My Account. You should be able to see if you have any free space. Ideally you would allocate space in chunks of 1TB.

If you don’t have free space, click the Back button and create a quote and pay for the extra space.

Once there is sufficient free space, go to My Account to create a new project. (expand section below)

  1. Click here

image-20240905-065912.png

 

  1. Click here

image-20240905-065919.png

 

  1. Enter a Project name and change the size if more than 1TB required

 

  1. Click "Add a Project Manager"

 

  1. Add Data Project Managers by typing in their CRSids.

 

 

Data Classification Guidelines

Data should always be stored in accordance to the University’s https://help.uis.cam.ac.uk/service/security/data-sec-classes. IFS is suitable for Medium impact level 2 data.

Sharing data before IFS permissions are set up

Once you have access to your data you would be able to share it out through many methods. You must be cautious when sharing data and only use the method suggested below. Otherwise you risk:

  • Proliferation of data outside of the central storage with different versions and possibly without a backup,

  • Loss of control of data and possible malicious exfiltration if placed locally on desktop for example.

  • Difficulty of tracking changes once users decide to consolidate files back into IFS storage especially if there are significant files that were copied out and modified outside IFS group drive.

Recognising that for business continuity reasons it may be necessary to share the data we recommend the following.

  1. Copy any data that your team needs in the very short term to the files area in your Microsoft Team. Teams is simply a way of viewing the data in a restricted SharePoint site so effectively this means you will put the data in SharePoint.

    1. Think about your team and the data you want to move. Should all of the people in the team access the data? if not, is there a secured channel that is already set up that has the necessary people in it?

      1. if yes, move the files to that channel

      2. if not, create a new folder in SharePoint

  2. Make a note of what is moved so that later it can be copied back to IFS

  3. Consider LinkedIn learning or the UIS SharePoint training before you do this. See links below.

CSCS Group Drive data recovery activities

All data has been moved from CSCS group drives to IFS. It now needs to be secured so that it can be made available to users with Assured computers.

Follow the steps below to prepare your data for your group/department to access.

Once migrated, each IFS drive has a single permission group applied to it. This means that any users in that permission group will have read and write access to all data in the group drive. Initially the Data Owner and Data Manager will be the only people with that access.

The Data Manager needs to review the data and identify any that needs to be locked down further. Please review the Permissions Models below and advise CSCS which one you choose for your data.

Permissions Models - Securing Your Data

For simplicity of management, the ideal is that all users with access to an IFS drive can access all data. If that is acceptable, go to Option1 below.

However sometimes more granular security is necessary. In this case, there are 4 options.

 

Option 1: All users with access to the group drive can see all the data

This is probably best suited for research group drives.

  1. Review data to confirm no additional permissions required.

  2. Once users have received their UMD computers they can be given access to their data. The procedure for giving access to users is found lower on this page.

Option 2: Secure the folders at the top level of the drive with additional security groups. Whilst it is technically possible to apply security groups at a lower level of a group drive, this is not recommended. Often what happens is that at a later date, the permissions that are hidden in a lower level folder are forgotten about and overwritten in error. CSCS and UIS recommend that data permissions are standardised and set permissions at the top level only. See for a graphical description of the this option.

  1. pro - once established can be self managed by the data manager and CSCS in future. Flexible and allows for efficiently securing small amounts of data (less than 1TB).

  2. con - requires more time to set up, document and maintain. Additional security groups must be set up by CSCS. Documentation must be kept by Data Manager and CSCS to capture which folders are secured and by what security groups.

Securing data with top level folders

  1. Create a list of all folders that will need to be at the top level.

  2. Complete the Halo form under IT, Accounts & Access, Security on group drive folder.

    1. select Add

    2. select the group drive name (if it there are duplicates choose one of them and CSCS will find the correct name from our master list)

    3. In the Group Drive Folder field, add the name of the folder you want to be created and restricted. Ideally this will be a new folder - do not create it - we have an automated process that will do so. If you have several folders to be created, attach a spreadsheet to the ticket or put the list into the Additional Information field.

  3. CSCS will create the folders and the groups to be associated with them and advise the Data Manager when this is complete.

  4. The Data Manager will move the data into the new folder. Please note that it will take approximately 24 hours for data moved into a folder to be properly secured. This happens automatically after the data is moved or copied into a folder, but depending on the number of files it can take time to work through all of them.

  5. Users can be given access to the data once they have assured computers. The procedure for giving access to users is under development.

Option 3: Move selected data to a new group drive (called an IFS Project) This drive can either be secured with a single group as in C2 or have top level folder permissions as in C1.

pro - very easy to manage. There is a single group to add people into and they can see all of the data.

con - to make sense economically it should contain over 500GB of data as the minimum size is 1TB. If you only put 100 GB of data in it, the department will pay for the full 1TB (£150/y)

Moving data to a new IFS Project

  1. Create a list of the data that should be moved to a new IFS project.

  2. Request a new project be created - you can log this in Halo as a Generic Request.

    1. Indicate the department and licence name the project goes into

    2. Proposed name and purpose of the project

  3. CSCS will create a new IFS Project and advise you when it is done

  4. You should be able to see it under your folders and you can drag and drop the data into it

  5. Users can be given access to the data once they have assured computers. The procedure for giving access to users is under development.

Option 4: Move data to SharePoint - For small amounts of data you might want to consider moving it into Microsoft Teams/SharePoint. If the data is to be visible to an existing Team (in MS Teams) or a Teams channel this is simply a question of moving the file to right Files area for that Channel in SharePoint. You can enroll in the UIS SharePoint course for more information on how to do this (https://www.training.cam.ac.uk/ucs/event/5330021).

Example diagrams:

The diagram below gives an example of a fictitious group drive. It has 4 top level folders, and 2 sub folders. All users who are in the Security group for Everyone will have access to data in all of those folders.

The data from the example diagram above has been adjusted per the suggestions above. The Data Manager needs to indicate the security groups needed (purple text). Move the E. More HR data folder under A. HR and move F. HoD Confidential to the top level (green text)

Granting access to IFS data

Only people who have a UMD or Assured computer should be given access to IFS data

For the most part, data managers will use a UIS web page called Toolkit to add users to the appropriate security groups to be able to access group drive data. This is under construction at this moment. Once available detailed instructions will be provided.

Colleagues who need access to the group drive will also need a UMD or Assured computer. If they do a data owner or manager can ask CSCS to grant them access. If they do not, speak with your Business and Operations Manager about getting them in the queue for a computer.

Procedure:

  1. Each user will determine which group drives they need access to and reach out to the relevant Data Managers.

    1. The list of group drives and data managers is here: https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx (please note that this a spreadsheet hosted on a UIS website. When you click this link it will open up a blank webpage and download the file, putting it in the downloads folder on your computer. If there are any errors, please advise CSCS. The file will be updated if changes are required).

  2. When a user asks for access to a group drive:

    1. Ensure that you have reviewed the group drive’s permissions and it has been implemented by CSCS

    2. Determine whether they should have access (you may need to speak with the Data Owner to confirm, or you may know from previous group drive configuration)

    3. Confirm the user has a UMD or assured device, using this look up tool - https://app.powerbi.com/groups/5c2484bc-b48a-4f87-a789-84945a43bed2/dashboards/16bd20f4-5dee-4f5d-8f39-7ce8adc68a87?ctid=49a50445-bdfa-4b79-ade3-547b4f3986e9&pbi_source=linkShare

      1. Click in either the User Name, User Email or Department field (see below) to do a search.

      2. Type in the name, or department name in the appropriate field you are looking for. If the user is not listed, they do not yet have a UMD device.

      3. If you are sure a user has a UMD device but you can’t find them on the list, try just their surname. People often display their initials instead of forename in the directory. Unfortunately you cannot search by CRSID.

Data for this lookup tool https://app.powerbi.com/groups/me/reports/a9baafd0-4fae-4a53-8d51-026c3384d16f/eb78adb446a7499bc1be?ctid=49a50445-bdfa-4b79-ade3-547b4f3986e9&experience=power-bi is pulled from many data sources, so some information is updated every 2 hours but data on Windows devices is only updated once a day (overnight) which cannot be changed.

  1. Give the user access to the Drive itself

  2. go to the file https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx

  3. Find the drive

  4. Copy the primary security group name from column K

  5. go to the Toolkit app - https://toolkit.uis.cam.ac.uk and follow instructions in the Expand section below

  6. Send the user a message with this link https://cscs-itsupport.atlassian.net/wiki/x/A4ATLg to tell them how to view the drive

  7. If you have chosen folder-level security for the drive;

    1. go to the file https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx

    2. Look at the Permissions groups tab and find the permissions groups

    3. Find the name of the lookup group giving access to the entire group drive <where?>

    4. Note down the group names

    5. Proceed to Toolkit to add the users to the relevant groups (see expanding section immediately following)

Go to https://toolkit.uis.cam.ac.uk/ and sign in with your University account.

Select Groups from the left side navigation bar

Select Hybrid AD Groups

 

 

Ensure that your institution has been selected (see screenshot below). If it has not, click the Select institution drop-down and choose it. If you aren’t sure which institution to choose, see this page for a list.

In the Search (Filter) area type or paste in the name of a group

Select the group by clicking on it once

Click the Edit button

Click Choose users manually

Type or paste in the crsid/s you are adding. You can separate them with spaces or commas if there is more than one

Click Add to Group button

You should see the users added to the group by CRSID and full name. Check that you added the right individual. Once you are satisfied with the result, you can click the X to exit from the edit group dialogue.

The UIS guide to managing groups with Toolkit can be found here with more details: https://help.uis.cam.ac.uk/service/accounts-passwords/it-staff/university-central-directory/toolkit/how-use-toolkit/manage-1

Folder level file permission setup

If option C1 is chosen you will be advised by CSCS once the new secured folders are set up. Next steps:

  1. The requester (usually a data manager) will be expected to move the files from the old location to the new folders that CSCS have created and secured.

  2. Open Windows Explorer and turn hidden items. do this by clicking View in the toolbar, select Show, select Hidden Items

  3. Open up 2 Windows Explorer windows - one with the old location and one showing the new

  4. Drag and drop files from the old to the new location

  5. If you see any errors, note them down and contact CSCS for assistance

  6. Confirm that the data was all copied

  7. Delete the old folder

  8. Wait 24 hours for the new permissions structure to be applied to all of the files you copied in

  9. You could now give access to other users with UMD computers per

Data Manager Training

CSCS and the UIS Communications Team will be running a training session that will be recorded. This has not been booked yet.

More information

UIS IFS Service Information https://help.uis.cam.ac.uk/service/cloud-services/institutional-file-store-service-ifs

LinkedIn Learning training about data permissions:

Â