THE INFORMATION IN THIS ARTICLE APPLIES TO:
DISCUSSION
EFT Workspaces provides a stellar solution to problem of allowing employees
to share working folders with internal colleagues and external partners,
leveraging the data room concept within the EFT framework to allow for
project collaboration, digital materials distribution, and more. The goal
of this article is to provide guidance on establishing proper license
management, security, control over who can create workspaces, and meeting
these goals without the need for administrators to manually create all
user accounts for third parties to participate.
For new EFT implementations, there are no legacy configurations to consider,
which simplifies the introduction of the Workspaces capabilities to employees
and partners alike. However, when an implementation already exists and
is well-known, there may be many considerations to take into account,
and those will likely differ from one scenario to the next.
With that in mind, the broadest recommendation is that there be
an additional site created, using the internally managed Globalscape EFT
user provider (known as a “GS site”), and that site should be dedicated
exclusively to Workspaces.
Rationale:
The foundational premise of the Workspaces functionality is to provide
a way for new or existing EFT customers to provide working folders for
collaboration. The nuances may differ based on use case, from an project
manager employee uploading a project folder to EFT and sharing it out
amongst colleagues and third parties participating in the project for
ongoing collaboration on project data through file transfers to and from
EFT, to a Channel Sales Manager uploading various pieces of marketing
material and selling guides and sharing them out in a read-only manner
to interested parties at new or prospective partner organizations, to
Enterprise Sales Managers creating a workspace for each opportunity and
inviting relevant internal and third party personnel to be able to add
new RFI revisions, retrieve updated quotes, and so on. The possibilities
are vast.
Implementation Details:
- Workspaces must be disabled on any other sites (unless enabled
on an AD/LDAP site for exclusively internal use, but this will count
against Workspaces licenses).
- Administrators must preemptively create the user accounts for internal
employees they wish to allow to create workspaces and invite new users
to participate.
- In the Workspaces configuration tab, allowing invitations to new
users must be enabled.
- Accounts created manually for employees should be placed in a separate,
non-default Settings Template (perhaps called “Employees” for example).
- Administrators will likely want to disable the “Grant full permissions
to users in their home folder” setting that is enabled by default
(see item C-iv below), instead explicitly checking the box
to enable this option during creation of employee accounts.
Key
Items of Note:
- Administrators are not able to control who may create workspaces.
- Workspace participation and invitation may only occur within the
site where the workspace was created.
- EXAMPLE: An employee in an LDAP site is not able to invite
a third party in a GS site to participate in a workspace, regardless
of whether that 3rd party already has an account in the GS site
or would need to have one created for them by virtue of accepting
a workspace invite.
- Accounts created by virtue of a workspace invite:
- are themselves able to create and manage their own workspaces,
which counts against licensing.
- can only invite other existing users to participate,
not net new users, in order to maintain a more secure implementation.
- will be added to whichever Settings Template is set as the
default.
- are treated as fully fledged users with the exception of item
ii (cannot invite net new users)
- EXAMPLE: A real home folder will be created for the user,
and if default options are selected then they will have full
access in that folder to do with as they please. Quotas
cannot be reliably leveraged to rein this in (see item D below).
- The contents of any workspaces in which a user participates in
any role count against that user’s disk quota.
- All other items required for EFT site operation must be acquired
or otherwise accounted for, such as:
- Internal IP address for EFT
- DMZ IP address for the DMZ Gateway
- External IP address for incoming connections from the internet
- A DNS entry to provide a host name for users
- External DNS published to resolve to the external IP address
- Internal DNS published to resolve to the internal IP address
- SSL certificate purchased for that DNS entry
- NAT/Firewall rules added to allow for communications at the
various levels of the network
- No whitelisting is possible or recommended, as legitimate
connections may come from anywhere in the world.
- DMZ Gateway profile created
- Storage provided for this separate Workspaces site
- Password complexity, inactive user removal, and other such
policies
- EFT administration delegated to the appropriate parties at
the appropriate level of access
- Incoming connection handling rules added to the load balancer
(if applicable)
- CIC integration rules added for AV/DLP scanning of files (if
applicable)
- Service/Port monitoring rules added (if applicable)