Of all the blogs that we publish, the ones which are my favourite to write are those stories whereby we have helped a customer or prospective customer to achieve something which the normal marketing materials or administration guides do not cover.
This weeks example is no exception.
A very important customer of ours which is based in Scandinavia uses Ipswitch MOVEit Transfer as their mechanism for distributing custom software which they write for their own customers. They user MOVEit because as a managed file transfer it is highly secure, auditable, reliable and because the software they provide is in some cases covered by ITAR.
If you don't know, ITAR is the international traffic in arms regulation, set out by the US to restrict and control the export of defense and military technology - including software and cryptographic materials.
Delegated MOVEit Administration
The problem for them was simple - not all of their customers were within ITAR scope and not all of their administrators are based in countries which are cleared for ITAR access. With one MOVEit managed file transfer system, they wanted non-ITAR cleared administrators, in this a team based in Romania, to be able to manage and maintain the system but not see customers in ITAR scope.
This seems simple enough, however within the realms of an administrator account, MOVEit is architecturally quite flat. On the face of it, administrators have carte blanche access to user accounts, folders and system settings.
One suggestion they had already explored was having two MOVEit solutions for ITAR and non-ITAR, however quite rightly this was dismissed as being both expensive and cumbersome.
Instead after listening to what they required, we came up with solution which we believe will help.
The first thing was to demote the Romanian administration team to regular user accounts, later we will apply very specific permissions which will enable them to complete their jobs. However, for now we had to ensure they did not have access to ITAR customers.
We then placed the Romanian administrator accounts (or a group of) at the root of the folder structure with folder administrator privileges, to provide them with administrator functions over folders and files which inherit from the root. Those ITAR folders would have inheritance turned off meaning the Romanian administrators would not have access.
With the folder permissions in place, we now needed to provide some way for the Romanian team to be able to administer user accounts, for functions such as user creation, password resets and email address changes.
To do this we created a group of all non-ITAR accounts in MOVEit and made the Romanian administrators group admins of this new group. This meant that they could interact with these accounts, change their passwords and even create new accounts - so long as they were added to this group.
This then cured the user administration portion of the problem.
Segregated ITAR Managed File Transfer
What the customer was left with was a system whereby all administrators including those in the Romanian team were able to administer the accounts and folders of non-ITAR controlled accounts. Yet those which were ITAR controlled, were only visible to administrators from the Scandinavian team.
It can be a lot to get your head around. I often tell people that both the blessing and the curse of MOVEit Transfer is configurability. There are literally hundreds of possible ways for the solution to be configured using various combinations of settings - but the rabbit hole can be deep.
In the end, I am glad that this customer spoke to us and asked for help as we have over ten years of experience with these types of solutions; and relish the opportunity to get our creative side buzzing with ideas on how to solve problems.
If you have a managed file transfer challenge; or use MOVEit managed file transfer solutions and would like some help from an award-winning provider. You can book a call with our product specialists today to discuss this further.