Triaster Server 2011 - Folder and File Permissions
Default Permissions
When installed, the permissions on the Triaster Server folders and files would typically be as follows:
Triaster\
  Inherited from the parent folder, and typically:
  - CREATOR OWNER: Special permissions
  - SYSTEM: Full control
  - Administrators: Full control
  - Users: Read & execute, List folder contents, Read, Special permissions (This folder and subfolders: Create files / write data, Create folders / append data)

Triaster\TriasterServer2011\
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\Alerts
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)
  - SYSTEM: Special permissions ('Full control' on this folder)
  - NETWORK SERVICE: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\BrowserToolkit
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)
  - SYSTEM: Special permissions ('Full control' on this folder)
  - NETWORK SERVICE: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\KeyotiSearch
  As 'Triaster'

Triaster\TriasterServer2011\KeyotiSearch\IndexDirectory
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\Logs
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)
  - SYSTEM: Special permissions ('Full control' on this folder)
  - NETWORK SERVICE: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\MapStore
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\Menupage Templates
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\MTopSearch
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)
  - SYSTEM: Special permissions ('Full control' on this folder)
  - NETWORK SERVICE: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\ProcessLibraries
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)
  - SYSTEM: Special permissions ('Full control' on this folder)
  - NETWORK SERVICE: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\PublicationFiles
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\PublicationTransforms
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\KeyotiSearch\Queue
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\Re-index Document Store
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\reports
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\Services
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\Settings
  As 'Triaster', plus:
  - Authenticated Users: Modify (This folder, subfolders and files)
  - SYSTEM: Special permissions ('Full control' on this folder)
  - NETWORK SERVICE: Modify (This folder, subfolders and files)

Triaster\TriasterServer2011\TemporaryFiles
  As 'Triaster', plus:
  - SYSTEM: Special permissions ('Full control' on this folder)

Triaster\TriasterServer2011\Licence.xml
  As 'Triaster', plus:
  - NETWORK SERVICE: Full control
Modifying Permissions
Security could be tightened by removing the permissions for the generic 'Users' and 'Authenticated Users' groups, and perhaps replacing them with permissions for more specific groups. It should be emphasised that permissions for administrative groups and SYSTEM should be retained. Permissions then need to be added for particular accounts so that:
- The websites continue to work.
- Process mappers retain access to their files.
- A Library Administrator can manage the library.
Permissions are specific to each of these roles, so a full set of permissions needs to consider each role in turn.
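Before and after tightening, the two conditions in this paragraph (no write-class rights for the generic groups, Full control retained for SYSTEM and Administrators) can be checked mechanically rather than by inspecting each folder's Security tab. The following PowerShell script is an added example written for this page, not a Triaster script; it assumes the install root is C:\Triaster (override with -TriasterRoot) and must run from an elevated session so that Get-Acl can read every folder's ACL.

```powershell
# Added example, not a Triaster script: audit the NTFS ACLs of the Triaster Server
# folders for (a) write-class rights held by the generic 'Users' / 'Authenticated
# Users' groups and (b) SYSTEM or Administrators no longer holding Full control.
# Assumption: the install root is C:\Triaster (override with -TriasterRoot).
param(
    [string]$TriasterRoot = 'C:\Triaster'
)

$fsr = [System.Security.AccessControl.FileSystemRights]

# Principals are matched by well-known SID so the check is language-independent.
$genericSids  = @('S-1-5-32-545', 'S-1-5-11')    # BUILTIN\Users, NT AUTHORITY\Authenticated Users
$requiredSids = @('S-1-5-18', 'S-1-5-32-544')    # NT AUTHORITY\SYSTEM, BUILTIN\Administrators

# Rights that let a principal change content or permissions. GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000) can appear in ACEs written by some tools, so include them.
$writeMask = [int]$fsr::Write -bor [int]$fsr::Delete -bor
             [int]$fsr::DeleteSubdirectoriesAndFiles -bor [int]$fsr::ChangePermissions -bor
             [int]$fsr::TakeOwnership -bor 0x40000000 -bor 0x10000000
$fullControl = [int]$fsr::FullControl

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    try { $Rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # unresolvable (for example deleted) account
}

function Test-TriasterFolderAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    $fullControlHolders = @{}

    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = Get-AceSid -Rule $rule
        if (-not $sid) { continue }
        $rights = [int]$rule.FileSystemRights

        if (($genericSids -contains $sid) -and (($rights -band $writeMask) -ne 0)) {
            $findings += [pscustomobject]@{
                Path      = $Path
                Issue     = 'Generic group holds write-class rights'
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
        # Full control may be expressed as FullControl or as GENERIC_ALL.
        if (($requiredSids -contains $sid) -and
            ((($rights -band $fullControl) -eq $fullControl) -or (($rights -band 0x10000000) -ne 0))) {
            $fullControlHolders[$sid] = $true
        }
    }

    foreach ($sid in $requiredSids) {
        if (-not $fullControlHolders.ContainsKey($sid)) {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            $findings += [pscustomobject]@{
                Path      = $Path
                Issue     = 'Required principal lacks Full control'
                Identity  = $account
                Rights    = $null
                Inherited = $null
            }
        }
    }
    $findings
}

# The install root, the TriasterServer2011 folder and every folder beneath it.
$serverDir = Join-Path $TriasterRoot 'TriasterServer2011'
$targets = @($TriasterRoot, $serverDir) +
           @(Get-ChildItem -LiteralPath $serverDir -Directory -Recurse -ErrorAction SilentlyContinue |
             ForEach-Object { $_.FullName })

$report = foreach ($path in $targets) { Test-TriasterFolderAcl -Path $path }

if ($report) {
    $report | Sort-Object Path, Issue | Format-Table -AutoSize
    exit 1     # non-zero exit code so the audit can gate a scheduled check
}
Write-Host "No findings in $($targets.Count) folders."
```

Run against a default installation, the report should list the inherited 'Users' entry on the install root (its Special permissions include Create files / write data) and the explicit 'Authenticated Users' Modify entries on folders such as Alerts, Logs and Settings; after tightening, it should list nothing. The Inherited column tells you whether a finding has to be fixed on the folder itself or by breaking inheritance from the parent.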
Web Server Role
These will be the permissions needed for the websites to run properly.
Anonymous Authentication
If Anonymous authentication is enabled, Authenticated User/Group would normally be IUSR (in IIS 7.x) or a group that contained that user.
Windows or Basic Authentication
If Windows or Basic authentication is enabled, Authenticated User/Group would correspond to a user or a group representing those who would use the process library websites.
Permissions
In addition to those described above, permissions are required for the user account under which the Triaster web applications' application pool runs. This would usually be NETWORK SERVICE, but could be another account, such as an application pool's ApplicationPoolIdentity account.
Triaster\Documents
  - Authenticated User/Group: Read & execute, List folder contents, Read
  - NETWORK SERVICE: Read & execute, List folder contents, Read
  Note: A 'Documents' folder is typically in this location, but needn't be.

Triaster\TriasterServer2011\BrowserToolkit
  - Authenticated User/Group: Read & execute, List folder contents, Read
  - NETWORK SERVICE: Modify

Triaster\TriasterServer2011\KeyotiSearch\IndexDirectory
  - NETWORK SERVICE: Read & execute, List folder contents, Read

Triaster\TriasterServer2011\Logs

Triaster\TriasterServer2011\KeyotiSearch\Menupage Templates
  - NETWORK SERVICE: Read & execute, List folder contents, Read

Triaster\TriasterServer2011\MTopSearch
  - Authenticated User/Group: Read & execute, List folder contents, Read
  - NETWORK SERVICE: Modify

Triaster\TriasterServer2011\ProcessLibraries
  - Authenticated User/Group: Read & execute, List folder contents, Read
  - NETWORK SERVICE: Modify
  Note: This folder may contain a shared copy of the Process Navigator Properties XML file. If process mappers are to link directly to it, they would need appropriate read access.

Triaster\TriasterServer2011\Queue

Triaster\TriasterServer2011\Re-index Document Store

Triaster\TriasterServer2011\reports
  - NETWORK SERVICE: Read & execute, List folder contents, Read

Triaster\TriasterServer2011\Settings

Triaster\TriasterServer2011\Licence.xml
File Server Role
This relates to the process map Visio files.
Triaster\TriasterServer2011\
  MapStore\
    Library\
      Live Maps\
      Menu Pages\
      Prelive Maps\
      Sandpit Maps\
      Stencil, Template and Properties\
It will probably be a decision for the Library Administrator as to who should have access to what. Files editable by process mappers would be in the 'Site Maps' and 'Menu Pages' folders. The 'Stencil, Template and Properties' folder may contain shared copies of the Visio template and stencil to which mappers would need at least read access. A shared Properties XML file may reside here, but may be elsewhere (in the 'ProcessLibraries' folder).
As an example, let's say that those who create and edit process maps are members of a 'Triaster Authors' security group. They will need to be able to create and edit maps in the Sandpit, and use the Visio template and stencil (and possibly a Properties XML file) in the 'Stencil, Template and Properties' folder. They could read content from elsewhere, but not change it. Library Administrators are members of a 'Triaster Library Administrators' security group, and will need read and write access to the whole of the map store.
MapStore\
  - 'Triaster Authors': Read & execute, List folder contents, Read
  - 'Triaster Library Administrators': Modify

MapStore\Library\Sandpit Maps
  - 'Triaster Authors': Modify
Library Administration
This would be a typical set of permissions that would allow a Library Administrator to manage a process library, whether to make modifications directly, or to retrieve copies of files that may be requested by Triaster Support.
Again, a 'Triaster Library Administrators' group is used for illustration.
Triaster\TriasterServer2011\Alerts\
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\BrowserToolkit\css
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\BrowserToolkit\images
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\KeyotiSearch\
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\Logs\
  - 'Triaster Library Administrators': Read & execute, List folder contents, Read

Triaster\TriasterServer2011\MapStore\
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\MTopSearch\
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\ProcessLibraries\
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\Queue\
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\Re-index Document Store
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\Reports\
  - 'Triaster Library Administrators': Modify

Triaster\TriasterServer2011\Settings\
  - 'Triaster Library Administrators': Modify
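The whole procedure described from 'Modifying Permissions' onwards (remove the generic groups, then grant the Web Server, File Server and Library Administration rights) can be applied in one pass with Get-Acl and Set-Acl. The script below is an added example written for this page, not Triaster's own tooling. It assumes, as placeholders you should change to suit your environment, that the install root is C:\Triaster, that the application pool runs as NETWORK SERVICE, that Anonymous authentication is in use (so the site users are IUSR), and that the 'Triaster Authors' and 'Triaster Library Administrators' groups exist in a domain called CORP. Only the rights the tables above actually state are granted; rows without listed permissions are left alone.

```powershell
# Added example, not Triaster's own tooling: remove the generic 'Users' and
# 'Authenticated Users' entries and apply the role-based grants from the Web
# Server, File Server and Library Administration tables using Get-Acl/Set-Acl.
# Assumptions (placeholders, change to suit): install root C:\Triaster, the
# application pool runs as NETWORK SERVICE, Anonymous authentication is in use
# (site users = IUSR), and the 'Triaster Authors' / 'Triaster Library Administrators'
# groups exist in a domain called CORP. Run elevated; try -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TriasterRoot = 'C:\Triaster',
    [string]$SiteUsers    = 'NT AUTHORITY\IUSR',              # use a site-users group for Windows/Basic auth
    [string]$AppPool      = 'NT AUTHORITY\NETWORK SERVICE',   # or the ApplicationPoolIdentity account
    [string]$Authors      = 'CORP\Triaster Authors',
    [string]$LibAdmins    = 'CORP\Triaster Library Administrators'
)

$Read   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute  # Read & execute, List folder contents, Read
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify
$S      = 'TriasterServer2011'

# Grants exactly as the tables state them (paths relative to the install root).
$grants = @(
    @{ Path = 'Documents';                            Id = $SiteUsers; Rights = $Read   }
    @{ Path = 'Documents';                            Id = $AppPool;   Rights = $Read   }
    @{ Path = "$S\BrowserToolkit";                    Id = $SiteUsers; Rights = $Read   }
    @{ Path = "$S\BrowserToolkit";                    Id = $AppPool;   Rights = $Modify }
    @{ Path = "$S\KeyotiSearch\IndexDirectory";       Id = $AppPool;   Rights = $Read   }
    @{ Path = "$S\KeyotiSearch\Menupage Templates";   Id = $AppPool;   Rights = $Read   }
    @{ Path = "$S\MTopSearch";                        Id = $SiteUsers; Rights = $Read   }
    @{ Path = "$S\MTopSearch";                        Id = $AppPool;   Rights = $Modify }
    @{ Path = "$S\ProcessLibraries";                  Id = $SiteUsers; Rights = $Read   }
    @{ Path = "$S\ProcessLibraries";                  Id = $AppPool;   Rights = $Modify }
    @{ Path = "$S\reports";                           Id = $AppPool;   Rights = $Read   }
    @{ Path = "$S\MapStore";                          Id = $Authors;   Rights = $Read   }
    @{ Path = "$S\MapStore";                          Id = $LibAdmins; Rights = $Modify }
    @{ Path = "$S\MapStore\Library\Sandpit Maps";     Id = $Authors;   Rights = $Modify }
    @{ Path = "$S\Logs";                              Id = $LibAdmins; Rights = $Read   }
)
foreach ($f in 'Alerts', 'BrowserToolkit\css', 'BrowserToolkit\images', 'KeyotiSearch', 'MTopSearch',
               'ProcessLibraries', 'Queue', 'Re-index Document Store', 'Reports', 'Settings') {
    $grants += @{ Path = "$S\$f"; Id = $LibAdmins; Rights = $Modify }
}

function Remove-GenericGroupAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [switch]$BreakInheritance)
    if ($BreakInheritance) {
        # Stop inheriting from the parent but keep copies of the inherited ACEs, so SYSTEM,
        # Administrators and CREATOR OWNER survive. The copies only become editable once
        # the protection has been written back, hence the separate Set-Acl.
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($Path, 'Disable inheritance (keep copies)')) {
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($name in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Remove Users / Authenticated Users ACEs')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Grant-FolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # 'This folder, subfolders and files' = ContainerInherit + ObjectInherit, no propagation flags.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)   # merges into an existing Allow ACE for the same identity, so re-runs are safe
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# 1. Break inheritance at the install root and drop the generic groups there; the change
#    propagates to everything beneath. Then drop any explicit entries on the subfolders.
Remove-GenericGroupAccess -Path $TriasterRoot -BreakInheritance
$serverDir = Join-Path $TriasterRoot $S
@($serverDir) + @(Get-ChildItem -LiteralPath $serverDir -Directory -Recurse | ForEach-Object { $_.FullName }) |
    ForEach-Object { Remove-GenericGroupAccess -Path $_ }

# 2. Apply the role grants.
foreach ($g in $grants) {
    $folder = Join-Path $TriasterRoot $g.Path
    if (-not (Test-Path -LiteralPath $folder)) { Write-Warning "Skipping missing folder: $folder"; continue }
    Grant-FolderAccess -Path $folder -Identity $g.Id -Rights $g.Rights
}
```

Because both functions support ShouldProcess, running the script with -WhatIf prints every ACL change it would make without touching the file system, which is the sensible first run on a production server. Breaking inheritance only at the install root, rather than on every folder, keeps the tree manageable: the subfolders continue to inherit SYSTEM and Administrators from Triaster\ and only carry the explicit, role-specific entries the tables call for.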