Planning Growth Management


Critical to planning your setup architecture is planning for growth. Expansion of hardware, software, network, location of services, and movement of data are all important issues to consider in advance.

Hardware and software should be considered first. For example, 500 users with home folders on one Xserve may be stretching your resources, especially if they all log in within 5 minutes of each other. Available RAM is another consideration. Mac OS X Server should be purchased, if not already owned, and just one copy is not enough: you'll want to make a clone of your directory for reasons you will learn later in this lesson, so plan on purchasing at least one extra copy of Mac OS X Server.

These are some examples of how you should plan for growth with respect to hardware and software. What about accounts? Should you develop an organization-wide account management plan? What benefits will you gain, and at what cost? The benefits of this planning include a streamlined path to follow in the future, and fewer questions to answer on the fly.

However, planning comes at a price, which is additional time spent at the onset on the formulation of your plan. If you work in the educational environment, especially within K-12, you are turning over students as they move from one grade to the next, and from one school to the next; as they transfer in, move away, and graduate; and so on. An early decision on how to handle these scenarios will make things easier to manage in the future.

Structuring Organization Management

When setting up your plan, decide how you will structure your server(s) to hold user account information. Students will need a top-level folder for their data. Teachers will need a top-level folder, and will also need read/write access to the student folders. School assistants and office workers will require a separate folder as well, and their access to teachers' and students' folders should be considered.

IT administrators need access to everything, or do they? Some administrators may be allowed only to read all folders and must request that new directories be created, leaving those folders to be created by another administrator. You should scope out all possible scenarios and carefully consider what the folder structure ought to be. Also consider where the folders will exist. How many servers do you have, and where are their locations?

In a business scenario, you must also take into account some of the newer legal ramifications of giving people unlimited read/write access to all accounts. Directory creation should be documented and limited to a few key individuals to minimize potential duplication of efforts, which can lead to user confusion.

When you are finished with the folder structure, you can move on to creating groups. Who should be a member of which group? Can you leverage the fact that Mac OS X Server can use nested groups?

A very basic school plan might look like this, with a total of 15 folders inside the allgrades folder, 8 folders inside the allstaff folder, and 3 folders in the allitstaff folder:

This folder structure, while basic, now requires access to be useful. Creation of groups must now be addressed based on your organizational plan. In this structure, you can create a group for every grade, for every teacher grade set, for other staff, and for IT staff. You can then nest these groups into larger groups and add specific users, such as attaching a first-grade teacher to the 1stgrade group. Again, a concrete plan, while taking longer to formulate, will pay off in the end and can be modified if needed.
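The folder tree and nested groups described above, as an added shell example that is not part of the book. It builds the three top-level folders with the stated counts (15, 8 and 3 subfolders) under a temporary directory and flattens a small nested-group plan into effective user membership, which is the question you end up asking whenever a nested group is granted access. All folder, group and user names are constructed for illustration; a real plan would use your own, and the groups themselves would be created in Workgroup Manager rather than in a text file.

```shell
#!/bin/sh
# Added example (not from the book): build the example school folder tree and
# resolve nested group membership. Folder names, group names and user names
# are constructed for illustration; a real plan would use your own.

# Build allgrades (15 folders), allstaff (8) and allitstaff (3) under $1.
build_folder_tree() {
    root="$1"
    for g in k grade1 grade2 grade3 grade4 grade5 grade6 grade7 grade8 \
             grade9 grade10 grade11 grade12 specialed alumni; do
        mkdir -p "$root/allgrades/$g"
    done
    for s in teachers assistants office counselors library nurse \
             custodial substitutes; do
        mkdir -p "$root/allstaff/$s"
    done
    for i in helpdesk sysadmins netadmins; do
        mkdir -p "$root/allitstaff/$i"
    done
}

# Number of direct subfolders of $1 (used to check the tree against the plan).
count_subfolders() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Constructed group plan. "group: members"; a member starting with "@" is a
# nested group, which is what Mac OS X Server's nested groups let you do.
GROUP_PLAN='allstaff: @allteachers @officestaff
allteachers: @grade1teachers @grade2teachers
grade1teachers: msmith
grade2teachers: jdoe
officestaff: rlee
allitstaff: @sysadmins
sysadmins: akhan'

# Direct members of group $1, nested-group markers kept.
members_of() {
    printf '%s\n' "$GROUP_PLAN" | awk -F': ' -v g="$1" '$1 == g { print $2 }'
}

# Recursive expansion; $2 is the nesting depth, capped so a group that is
# (by mistake) nested inside itself cannot loop forever.
expand_group() {
    if [ "$2" -gt 10 ]; then
        echo "nesting too deep at $1 (cycle?)" >&2
        return 1
    fi
    for m in $(members_of "$1"); do
        case "$m" in
            @*) expand_group "${m#@}" $(($2 + 1)) ;;
            *)  printf '%s\n' "$m" ;;
        esac
    done
}

# Effective (flattened) user membership of group $1, sorted, space separated.
effective_members() {
    expand_group "$1" 0 | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration in a temporary directory so the script is safe to run anywhere.
demo_root=$(mktemp -d)
build_folder_tree "$demo_root"
echo "allgrades: $(count_subfolders "$demo_root/allgrades") folders"
echo "allstaff: $(count_subfolders "$demo_root/allstaff") folders"
echo "allitstaff: $(count_subfolders "$demo_root/allitstaff") folders"
echo "effective members of allstaff: $(effective_members effective_members_placeholder 2>/dev/null; effective_members allstaff)"
rm -rf "$demo_root"
```

The depth cap in `expand_group` is the check worth keeping: a group accidentally nested inside itself is easy to create once several people edit groups, and an expansion that never terminates is the symptom you would otherwise see.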

Establishing Permissions

Now that you have a basic organization account management plan, what about ownership and permissions? Who will own which folders, and what permissions will they have? Mac OS X and Mac OS X Server use both standard UNIX-style permissions and Access Control Lists to manage ownership and permissions of folders.

Ownership and permissions are two separate issues, and Access Control Lists introduce yet another layer of planning into your environment. (For more information on Access Control Lists, refer to Apple Training Series: Mac OS X Administration Reference Guide, Volume 1 and Apple Training Series: Mac OS X Server Essentials.)

At the planning stage, you should lay out your read/write permissions for each directory. An excellent guideline to follow is one of restriction: no access is allowed until absolutely necessary, and you document who has access and to which folders. You'll want teachers/project managers to have read/write access to almost all student/user folders, but you may wish to restrict read/write access to student/user folders for teachers/project managers who do not have direct contact with those students/users. Reducing access also makes it easier to trace back any attack that may occur if a student or user obtains the user name and password of a teacher/project manager.
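The restriction guideline above, as an added shell example that is not from the book: a documented permission plan is applied to a folder tree with standard UNIX-style modes (nothing granted to "other"), the plan is written next to the data as the access record the text asks for, and two audit functions report any folder that has become world-accessible or has drifted from the plan. The plan, folder names and group names are constructed; the group assignment is shown as a comment because the example must run without those groups existing, and the BSD `stat` fallback for Mac OS X is an assumption that is not exercised on other systems.

```shell
#!/bin/sh
# Added example (not from the book): apply a documented permission plan to a
# folder tree with standard UNIX modes, then audit it. The plan, folder names
# and group names are constructed; the mode_of fallback for Mac OS X's BSD
# stat is an assumption and is not exercised on other systems.

# One line per folder: relative path, octal mode, intended group.
# Modes grant nothing to "other": the guideline of no access until needed.
# The setgid bit (2xxx) makes new items take the folder's group.
PERMISSION_PLAN='allgrades 2750 allteachers
allgrades/grade1 2770 grade1teachers
allstaff 2750 allstaff
allstaff/office 2770 officestaff
allitstaff 2770 allitstaff'

# Octal mode of $1, padded to four digits (GNU stat first, BSD stat fallback).
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%OMp%OLp' "$1")
    printf '%04d' "$m"
}

# Create each planned folder under $1, set its mode, and record who gets
# access in $1/access-plan.txt so the plan is documented next to the data.
apply_permission_plan() {
    root="$1"
    : > "$root/access-plan.txt"
    printf '%s\n' "$PERMISSION_PLAN" | while read -r rel mode grp; do
        [ -n "$rel" ] || continue
        mkdir -p "$root/$rel"
        chmod "$mode" "$root/$rel"
        # On the server itself (run as root) the group is assigned here:
        #   chgrp "$grp" "$root/$rel"
        # It is only recorded in this example so it runs without those groups.
        echo "$rel $mode $grp" >> "$root/access-plan.txt"
    done
}

# Count folders under $1 whose "other" bits grant any access; each one is
# reported on stderr. Uses ls -ld so it works with both GNU and BSD tools.
count_world_accessible() {
    n=0
    for d in $(find "$1" -type d); do
        case "$(ls -ld "$d" | cut -c8-10)" in
            ---) ;;
            *) echo "world-accessible: $d" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Count planned folders whose current mode no longer matches the plan.
count_plan_drift() {
    root="$1"
    drift=0
    while read -r rel mode grp; do
        [ -n "$rel" ] || continue
        actual=$(mode_of "$root/$rel")
        if [ "$actual" != "$mode" ]; then
            echo "drift: $rel is $actual, plan says $mode" >&2
            drift=$((drift + 1))
        fi
    done <<EOF
$PERMISSION_PLAN
EOF
    echo "$drift"
}

# Demonstration in a temporary directory so the script is safe to run anywhere.
demo_root=$(mktemp -d)
apply_permission_plan "$demo_root"
echo "world-accessible folders: $(count_world_accessible "$demo_root")"
echo "folders drifted from plan: $(count_plan_drift "$demo_root")"
rm -rf "$demo_root"
```

Run the two count functions from a nightly job against the real share point root; a non-zero result is the signal that someone loosened a folder by hand, which is exactly the change the documented plan is meant to catch.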

By default, with UNIX-style ownership and permissions, a folder can be associated with only one owner (it cannot be a group) and one group. Access to other folders can be changed, but this is the way UNIX-style permissions are structured in Mac OS X. Each "type" of account has read-only, write-only, read/write, or no access to any folder that the account is associated with, as seen below.

Also take into consideration that items copied to a folder using this permissions model can behave in two different ways:

  • They can inherit the permissions of the folder into which they are copied.

  • They can maintain their current permissions via the standard UNIX-style permissions behavior.

This behavior is determined by the settings of the Apple Filing Protocol (AFP) share point you have set up, and is not set on each individual folder, unless that folder is also a separate share point. Therefore, creating an account management plan based on these limited ownership and permissions alone is going to be a tedious task. Use Access Control Lists and nested groups to ease the permissions limitations and gain greater control over your folder infrastructure.

The possible permutations using Access Control Lists for the folder structure.
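Combining Access Control Lists with nested groups, as an added shell example that is not from the book: a documented ACL plan (folder, principal, access level) is turned into the Mac OS X `chmod +a` commands that would apply it, so the generated script can be reviewed line by line against the plan before anyone runs it on the server. The plan, the `/Volumes/Data/Shared` paths and the group names are constructed; the commands are only generated, not executed, so the example runs on any system. The ACL permission names are the ones Mac OS X's `chmod` accepts, and the "read" level deliberately grants no write or delete right anywhere.

```shell
#!/bin/sh
# Added example (not from the book): turn a documented ACL plan into the
# Mac OS X "chmod +a" commands that would apply it, so the script can be
# reviewed against the plan before anyone runs it on the server. The paths,
# groups and plan are constructed; the commands are only generated here,
# not executed, so this runs on any system.

# Rights for each access level, using the ACL permission names Mac OS X's
# chmod understands. *_inherit makes new items inside the folder receive
# the same entry. Nothing is granted beyond the named level.
acl_rights() {
    case "$1" in
        read)
            echo "list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit" ;;
        readwrite)
            echo "list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" ;;
        *)
            echo "unknown access level: $1" >&2
            return 1 ;;
    esac
}

# Constructed plan: folder, principal (user: or group:), access level.
# Nested groups keep this short: one entry for allteachers covers every
# teacher group nested inside it.
ACL_PLAN='/Volumes/Data/Shared/allgrades/grade1 group:grade1teachers readwrite
/Volumes/Data/Shared/allgrades/grade1 group:allteachers read
/Volumes/Data/Shared/allstaff group:allitstaff read'

# Emit one chmod +a command per plan line; fail on an unknown level rather
# than silently skipping a folder.
generate_acl_script() {
    printf '%s\n' "$ACL_PLAN" | while read -r path principal level; do
        [ -n "$path" ] || continue
        rights=$(acl_rights "$level") || exit 1
        printf 'chmod +a "%s allow %s" "%s"\n' "$principal" "$rights" "$path"
    done
}

# Number of commands the plan produces (compare with the plan's line count
# during review; a mismatch means a line was skipped or malformed).
count_acl_commands() {
    generate_acl_script | grep -c '^chmod +a '
}

generate_acl_script
```

Keep the plan file under version control and regenerate the script from it; reviewing a three-column plan is far easier than reviewing the long rights lists in the commands themselves.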

Implementing Home Folder Management

The location of home folders is another piece of the planning puzzle. Will each user have a local home folder, or should the home folder exist on a server? Or should users have both types of home folders and periodically synchronize them? (Apple calls the last two scenarios Mobile Accounts, which will be discussed in Lesson 10, "Working with Mobile Accounts.")

If users are local, they will have local home folders. However, management and control are limited. Users in a remote database, such as an Open Directory master, can have their sessions managed and controlled, and their home folders located on the server. This has several benefits beyond just management of the account. Having the users' work data on the server requires just one server to be backed up every night, as opposed to many single machines. User data growth can be handled easily by moving a user's home folder to a larger drive or RAID array. Also, organizational challenges are easier to handle when users change groups, as their data is more likely to reside on the same physical volume(s).

However, network bandwidth must be available for all users to have an acceptable user experience. A network where each user has a 1 GB connection to her computer is the optimal scenario. If that cannot be achieved across all users, then users with the heaviest data requirements should receive the highest bandwidth.

Network home folders are created using Workgroup Manager, and several folders can be created at once for thousands of users, taking only a few minutes to do so on an Xserve.




Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
ISBN: 0321423151
Year: 2006
Pages: 128