|
<< Click to Display Table of Contents >> Navigation: DBWACLServer > DBWACLServer - DBWAclServerADM.TXT |
MechWorks DBWACLServer
A special file named DBWAclServerADM.TXT may exists side-by-side with the DBWAclServer executable or in %ProgramData%\MechWorks\DBWAclServer folder, for assigning default ACL values to special personalities.
The file may also contain some macro commands for implementing special behaviors and for logging the ACL-change activities to log files.
Lines starting with either of the following characters are considered comment lines and are ignored:
#
;
//
::
It is possible to declare more personalities that can have Full Control on the files managed by DBWServer.
The format is the following:
<group\user>[=permissions]
<group\user>[=permissions]
<empty line>
So, for example:
CompanyDomain\John.Hayes=F
CompanyDomain\Peter.York=RW
CompanyDomain\cax-externalGroup=CRW
CompanyDomain\ReadonlyGroupUsers=R
<empty line>
Where, if the equal sign (=) is present, the rest of the line defines the permissions, as a combination of the following characters:
F Full Control
C Change
R Read
P Change Permissions
O Take Ownership
X eXecute
E Read execute
W Write
D Delete
Can be declared for controlling special generic documents file types that, since of limitations in the driving application, must have full control when checked-out. Sometimes it may happen that some applications cant work correctly if the permission for deleting the working copy of the file is denied ( for example, Autocad is one of this ). In such cases, the Administrator can declare the file extensions that may cause problems to the relative applications when checked-out. The default extensions on which it is always granted full permission are .DWG, .MI and .ME
Suppose you need to grant full control (with the deletion, too) to files with extensions .ABC and .EFG.
The DBWAclServerADM.TXT file should be prepared as follows:
@FULL_PERMISSIONS_ON_CHECKOUT_TO .ABC .EFG
Enables verbose logging.
If defined, the entry
@DEBUG_LOG_FILES_FOLDER <output_folder>
sets a different location to create the log files.
The default log location is %ProgramData%\MechWorks\DBWAclServer\Logs
It is possible to declare that some Domain Groups have ACL permissions only on certain folders.
@ON_FOLDER <folder UNC path>,<domain>\<group>,<ACL permissions>
@ON_NOT_FOLDER <folder UNC path>,<domain>\<group>,<ACL permissions>
Suppose that group "MWDOMAIN\MW Shop" may have read permissions only on a specific folder \\MYSERVER\SHAREDDIR\SHOP\ (please note that the full UNC path must be assigned).
The declaration could be like:
@ON_FOLDER \\MYSERVER\SHAREDDIR\SHOP\,MWDOMAIN\MW Shop,R
The preparation of the global ACL permissions for the Group is typically done by hand, using Windows Explorer security; referring to the above sample, typically the MW Shop group would have all the rights DENIED everywhere; the above setting will allow the read-only permissions only for the folder \SHOP\ In the same way of the @ON_FOLDER, with the @ON_NOT_FOLDER directive it is possible to apply a specific permission for the Group everywhere except the assigned folder.
Starting from R17sp2.4 it is possible to declare that some info/warning/error messages from a specific function with its specific severity can be ignored if they match one of the provided matching strings
@IGNORE_ERROR <functionIDN> <severity> "<matching string 1>" "<matching string 2>" ... "<matching string N>"
Suppose you want to ignore this ACLServer message (from the DBWAclServer.log), which is actually not creating any issue to the ACL command:
...,ERROR,....,SetOwner,The call to SetNamedSecurityInfo for file/directory <\\servername\test\myFile.txt> failed with: This security ID may not be assigned as the owner of this object.
The declaration of the @IGNORE_ERROR could be like:
@IGNORE_ERROR SetOwner ERROR "SetNamedSecurityInfo" "security ID"
Specifying more items in the matching string set could lead to enlarge the number of messages to ignore, since the rule is verified when at least one of them is matching with the message string.
It allows to specify the path of an executable that will be asynchronously invoked every time DBWACL Server will modify the rights of a file (lock/unlock).
@POST_LOCK_UNLOCK_COMMAND <PathToExe>
@POST_LOCK_UNLOCK_COMMAND C:\PathToExe
If the tag is included, every time a file is modified by DBWACLServer the specified executable is invoked but the end of its execution is not waited.
The executable will receive as first parameter the UNC path of the modified file.