IFS Data Owner and Data Project Manager Guidance

Owned by Jennifer Allan
Last updated: yesterday at 3:00 pm by Dave Clarke
11 min read

Data Owner Responsibilities

Data Project Manager Responsibilities

  • Assist incident recovery activities by reviewing data

  • Identifying data that may belong elsewhere so it can be moved

  • Adding users to the appropriate security groups as UMD and Assured computers are rolled out so that they can access the data.

  • Ongoing responsibility for data access - adding and removing users (either via self serve or directing CSCS to do on your behalf)

  • Ongoing identifying additional security groups that may be required and requesting them from CSCS

  • Ensuring that data in the drive is stored appropriately (according to data classification policy below)

  • Responding to alerts if drive is possibly running out of space

  • Share urgent data that may be required in the short term before drive access restored to all users

  • Ensuring that data access is provided only to authorised users and those with UMD or Assured computers

  • Annual review of users who have access to data to ensure that it is correct.

Data Owners and Data Project Managers have access to a report of all of their managed Group drives and Security groups. They can access it by going to their Halo home portal, select My reports and open the Group drive(s) on the list.

IFS Cost

IFS is paid for on a per TB basis. 1TB is £150 per year and will be billed to each department. UIS have graciously granted CSCS until July 2025 at no cost to give the School time to move into IFS and iron out any difficulties. When the renewal comes up each Data Owner will receive an email with information about paying for the licence and data.

IFS Data Quota

Data storage is purchased on a per TB basis. If your IFS drive gets close to its quota, the drives Data Project Manager will receive an email to that effect. You can instruct your users to do some housekeeping, or increase the space by going to this page https://selfservice.uis.cam.ac.uk/storage/IFS/

New Group Drives

Adding a new group drive can be done via the IFS Self Service portal by the Data Owner, or can be requested via CSCS.

First, check if you have some unallocated space you could use. Go to https://selfservice.uis.cam.ac.uk/storage/IFS/ and click on My Account. You should be able to see if you have any free space. Ideally you would allocate space in chunks of 1TB.

If you don’t have free space, click the Back button and create a quote and pay for the extra space.

Once there is sufficient free space, go to My Account to create a new project. (expand section below)

  1. Click here

image-20240905-065912.png

 

  1. Click here

image-20240905-065919.png

 

  1. Enter a Project name and change the size if more than 1TB required

 

  1. Click "Add a Project Manager"

 

  1. Add Data Project Managers by typing in their CRSids.

 

 

Data Classification Guidelines

Data should always be stored in accordance to the University’s https://help.uis.cam.ac.uk/service/security/data-sec-classes. IFS is suitable for Medium impact level 2 data.

CSCS Group Drive data recovery activities

All data has been moved from CSCS group drives to IFS. It now needs to be secured so that it can be made available to users with Assured computers.

Follow the steps below to prepare your data for your group/department to access.

Once migrated, each IFS drive has a single permission group applied to it. This means that any users in that permission group will have read and write access to all data in the group drive. Initially the Data Owner and Data Project Manager will be the only people with that access.

The Data Project Manager needs to review the data and identify any that needs to be locked down further. Please review the Permissions Models below and advise CSCS which one you choose for your data.

Permissions Models - Securing Your Data

For simplicity of management, the ideal is that all users with access to an IFS drive can access all data. If that is acceptable, go to Option1 below.

However sometimes more granular security is necessary. In this case, there are 4 options.

 

Option 1: All users with access to the group drive can see all the data

This is probably best suited for research group drives.

  1. Review data to confirm no additional permissions required.

  2. Once users have received their UMD computers they can be given access to their data. The procedure for giving access to users is found lower on this page.

Option 2: Secure the folders at the top level of the drive with additional security groups. Whilst it is technically possible to apply security groups at a lower level of a group drive, this is not recommended. Often what happens is that at a later date, the permissions that are hidden in a lower level folder are forgotten about and overwritten in error. CSCS and UIS recommend that data permissions are standardised and set permissions at the top level only. See IFS Data Owner and Data Project Manager Guidance | Example diagrams: for a graphical description of the this option.

  1. pro - once established can be self managed by the Data Project Manager and CSCS in future. Flexible and allows for efficiently securing small amounts of data (less than 1TB)

  2. con - requires more time to set up, document and maintain. Additional security groups must be set up by CSCS. Documentation must be kept by Data Project Manager and CSCS to capture which folders are secured and by what security groups.

Securing data with top level folders

  1. Create a list of all folders that will need to be at the top level.

    1. Dont create the folders on the drive in advance.

  2. Complete the Halo form under IT, Accounts & Access, Security on group drive folder.

    1. select Add

    2. select the group drive name (if it there are duplicates choose one of them and CSCS will find the correct name from our master list)

    3. In the Group Drive Folder field, add the name of the folder you want to be created and restricted. Ideally this will be a new folder - do not create it - we have an automated process that will do so. If you have several folders to be created, attach a spreadsheet to the ticket or put the list into the Additional Information field.

  3. CSCS will create the folders and the groups to be associated with them and advise the Data Project Manager when this is complete.

  4. The Data Project Manager will move the data into the new folder. Please note that it will take approximately 24 hours for data moved into a folder to be properly secured. This happens automatically after the data is moved or copied into a folder, but depending on the number of files it can take time to work through all of them.

  5. Users can be given access to the data once they have assured computers. The procedure for giving access to users is under development.

Option 3: Move selected data to a new group drive (called an IFS Project) This drive can either be secured with a single group as in Option 1 or have top level folder permissions as in Option 2.

pro - very easy to manage. There is a single group to add people into and they can see all of the data.

con - to make sense economically it should contain over 500GB of data as the minimum size is 1TB. If you only put 100 GB of data in it, the department will pay for the full 1TB (£150/y)

Moving data to a new IFS Project

  1. Create a list of the data that should be moved to a new IFS project.

  2. Request a new project be created - you can log this in Halo as a Generic Request.

    1. Indicate the department and licence name the project goes into

    2. Proposed name and purpose of the project

  3. CSCS will create a new IFS Project and advise you when it is done

  4. You should be able to see it under your folders and you can drag and drop the data into it

  5. Users can be given access to the data once they have assured or UMD computers. The procedure for giving access to users is under development.

Option 4: Move data to SharePoint - For small amounts of data you might want to consider moving it into Microsoft Teams/SharePoint. If the data is to be visible to an existing Team (in MS Teams) or a Teams channel this is simply a question of moving the file to right Files area for that Channel in SharePoint. You can enroll in the UIS SharePoint course for more information on how to do this (https://www.training.cam.ac.uk/ucs/event/5330021).

Example diagrams:

The diagram below gives an example of a fictitious group drive. It has 4 top level folders, and 2 sub folders. All users who are in the Security group for Everyone will have access to data in all of those folders.

The data from the example diagram above has been adjusted per the suggestions above. The Data Project Manager needs to indicate the security groups needed (purple text). Move the E. More HR data folder under A. HR and move F. HoD Confidential to the top level (green text)

Granting access to IFS data

It is the responsibility of the Data Project Manger to ensure only people who have a UMD or Assured computer are given access to IFS data.

For the most part, Data Project Managers will use a UIS web page called Toolkit https://toolkit.uis.cam.ac.uk/to add users to the appropriate security groups to be able to access group drive data. Instructions how to access are detailed below.

Colleagues who need access to the group drive must have a UMD or Assured computer. If they do, either the Data Project Manger can grant access, or the Data Project Manager/Data Owner can request via the CSCS Service Desk using this request form Clinical School Computing Service User Portal - Group Drive Access. If they do not have a UMD or Assured computer, first check if they have received an audit form from CSCS and have completed it. Secondly, have they received an invitation from CSCS to attend the Recovery Clinic. If any of those things have not happened, please contact the CSCS Service Desk and ask them to check where the person is within the process. If it is an urgent matter, please escalate with your Business and Operations Manager.

Procedure:

  1. Each user will determine which group drives they need access to and reach out to the relevant Data Project Managers.

    1. The list of group drives and Data Project Managers is here: https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx (please note that this a spreadsheet hosted on a UIS website. When you click this link it will open up a blank webpage and download the file, putting it in the downloads folder on your computer. If there are any errors, please advise CSCS. The file will be updated if changes are required).

  2. When a user asks for access to a group drive:

    1. Ensure that you have reviewed the group drive’s permissions and it has been implemented by CSCS

    2. Determine whether they should have access (you may need to speak with the Data Owner to confirm, or you may know from previous group drive configuration)

    3. Confirm the user has a UMD or assured device, using this look up tool - https://app.powerbi.com/groups/5c2484bc-b48a-4f87-a789-84945a43bed2/dashboards/16bd20f4-5dee-4f5d-8f39-7ce8adc68a87?ctid=49a50445-bdfa-4b79-ade3-547b4f3986e9&pbi_source=linkShare

      1. Click in either the User Name, User Email or Department field (see below) to do a search.

      2. Type in the name, or department name in the appropriate field you are looking for. If the user is not listed, they do not yet have a UMD device.

      3. If you are sure a user has a UMD device but you can’t find them on the list, try just their surname. People often display their initials instead of forename in the directory. Unfortunately you cannot search by CRSID.

  1. Go to the file https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx

  2. Find the drive

  3. Copy the primary security group name from column I

  4. Open Toolkit - https://toolkit.uis.cam.ac.uk/ - and follow instructions in the “Adding users to groups in Toolkit” section below.

  5. Send the user a message and include this link https://cscs-itsupport.atlassian.net/wiki/x/A4ATLg to tell them how to view the drive

  6. If you have chosen folder-level security for the drive;

    1. Go to the file https://www.staff.admin.cam.ac.uk/system/files/download/ifs-path-reference-list-all-drives.xlsx

    2. Look at the Permissions groups tab in the spreadsheet and find the permissions groups

    3. Find the name of the lookup group giving access to the entire group drive

    4. Proceed to Toolkit to add the users to the relevant groups (see the “Adding users to groups in Toolkit” section below)

Go to https://toolkit.uis.cam.ac.uk/ and sign in with your University account. ** If you cannot get access, please contact the CSCS Service Desk

Select Groups from the left side navigation bar

Select Hybrid AD Groups

 

 

Ensure that your institution has been selected (see screenshot below). If it has not, click the Select Institution drop-down and choose it. If you’re not sure which institution to choose, see this page Toolkit Institutions for a list.

In the Search (Filter) area type or paste in the name of a group

Select the group by clicking on it once

Click the Edit button

Click Choose users manually

Type or paste in the crsid you are adding. You can add more than one by separate them with spaces or commas.

Click Add to Group button

You should see the users added to the group by CRSID and full name. Check that you added the right individual. Once you are satisfied with the result, you can click the X to exit from the edit group dialogue.

The UIS guide to managing groups with Toolkit can be found here with more details: https://help.uis.cam.ac.uk/service/accounts-passwords/it-staff/university-central-directory/toolkit/how-use-toolkit/manage-1

Folder level file permission setup

If option 2 is chosen you will be advised by CSCS once the new secured folders are set up. When you receive the notification:

  1. The requester (usually a Data Project Manager) will be expected to move the files from the old location to the new folders that CSCS have created and secured.

  2. Open Windows Explorer and turn on hidden items. Do this by clicking View in the toolbar, select Show, select Hidden Items

  3. Open up two Windows Explorer windows - one with the old location and one showing the new

  4. Drag and drop files from the old to the new location

  5. If you see any errors, note them down and contact CSCS for assistance

  6. Confirm that the data was all copied

  7. Delete the old folder

  8. Wait 24 hours for the new permissions structure to be applied to all of the files you copied in

  9. You could now give access to other users with UMD computers per IFS Data Owner and Data Project Manager Guidance | Granting access to IFS data

More information

 

UIS IFS Service Information https://help.uis.cam.ac.uk/service/cloud-services/institutional-file-store-service-ifs

LinkedIn Learning training about data permissions: