Creating Windows User Groups
Because axis diplomat is designed around a ‘client-server’ architecture, under normal operation users working on individual workstations do not need to be able to modify files in the axis diplomat folders directly; instead, all updating is performed by the server.
axis diplomat allows you to assign users to one of three Windows user groups: users (axis diplomat Users), supervisors (axis diplomat Supers), or administrators (axis diplomat Admins). Once these groups have been created on your Windows system and users assigned to the correct group, the axis diplomat SETUP program will automatically offer to apply security settings to its files and folders.
On a typical axis diplomat system, virtually all users can be assigned to the “axis diplomat Users” group. This means that they have no ability to modify any files within the axis diplomat folders, so, for example, if a virus-infected email was opened by such a user, any attempt by the virus to delete or corrupt an axis diplomat file would fail.
Add everyone who needs to run axis diplomat to the "axis diplomat Users" group and then add only those operators who need to run axis diplomat in supervisor (single user) mode (for example to run period ends, data file size changes, or backup or restore of the axis diplomat data) to the "axis diplomat Supers" group. Only the user(s) who install axis diplomat software updates need to be members of "axis diplomat Admins", so you can usually restrict this to just the administrative account. Do not grant "axis diplomat Admins" membership to user accounts which are used on a day-to-day basis by real users. Restrict the use of accounts with administrative access to those used either by services or for system maintenance.
Note that if you are securing an existing installation, unless the appropriate users have been added to the appropriate groups and those users have logged into Windows again to obtain their new access rights, those users will be denied access to all axis diplomat programs and data. This can cause problems: for example, users' local shortcuts will no longer point to an accessible location.
Remember to also REMOVE the "Everyone" group from access to the AXISDiplomat$ share.
Checking AXIS Operator Details
Use the axis diplomat Kernel Supervisor Functions \ Privacy & Shorthand Maintenance functions to ensure that all axis diplomat operators listed are in the Windows "axis diplomat Users" group and that all operators who have "Allow Supervisor Mode Operation" enabled are members of the Windows "axis diplomat Supers" group.
Applying File & Folder Permissions during SETUP
When the axis diplomat SETUP program is run to install or upgrade a non-demo system, it first checks whether a FAT format drive has been selected on a Windows 2003/2000 server, and if it has, the following warning message box is displayed:
The operator can then choose to abort the installation and use convert.exe to convert the partition from FAT to NTFS.
If an NTFS drive is selected, SETUP then checks to see whether the system being installed/upgraded has previously been secured. If it has, the following message box is displayed:
Permissions are reset to 'full access to everyone' if the operator selects 'No'. If axis diplomat is not currently secured, the following message box is displayed:
If 'No' is selected, the following message box is displayed:
and installation proceeds without any file access permissions being applied.
If 'Yes' is selected and any of the AXIS security groups have not been set up, the following message box is displayed:
The operator can select 'Yes' once they have used the appropriate domain user administration tool to create the necessary Windows user groups.
Having done all this, the installation then proceeds as usual; once all the software has been updated, SETUP then reprocesses all files on the server to apply the necessary file access permissions as specified in the table below.
Note that full access is always available to all files and folders for members of the 'axis diplomat Admins' group and for the user account which was logged in when the axis diplomat SETUP program was run.
| Folder / File | Subfolders & Files? | axis diplomat Users | Specific Username | axis diplomat Supers | System* | axis diplomat Admins |
|---|---|---|---|---|---|---|
| \AXISDiplomat | Yes | Read | None | Change** | Change | Full |
| \AXISDiplomat\*.EXE;*.DLL;*.PIF;*.BAT | Yes | Read | None | Read | Read | Full |
| \AXISDiplomat\DATA | Yes | None | None | Change | Change | Full |
| \AXISDiplomat\DATA\\ | Yes | Change | None | Change | Change | Full |
| \AXISDiplomat\TEMP | Yes | Change | None | Change | None | Full |
| \AXISDiplomat\LOGS | Yes | Change | None | Change | None | Full |
| \AXISDiplomat\TEMPLATE | Yes | Read | None | Change | None | Full |
| \AXISDiplomat\REPORTS | Yes | Change | None | None | None | Full |
| \AXISDiplomat\REPORTS\ | Yes | None | Full | None | None | Full |
| \AXISDiplomat\PROFILES | Yes | Change | None | Change | None | Full |
* 'System' is a built in Windows account. The System account is normally used to run the axis diplomat Services (AXIS File Manager & AXIS Queue Manager).
** 'Change' permission allows files to be read, written, executed or deleted. Windows Explorer describes this generic attribute as 'Modify', although the Windows command line utility 'cacls' describes it as 'Change' (thanks Bill).
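An added example, not the page's or axis diplomat's own code: a PowerShell audit that reads the ACLs of an existing installation and reports any Allow entry granting more than the table above permits, then checks that 'Everyone' has been removed from the AXISDiplomat$ share. It assumes the install path in $Root, the group names used on this page, that 'Read' corresponds to Read & Execute and 'Change' to Modify (as the footnote describes), and that it is run on the server itself.

```powershell
# Added example, not part of axis diplomat or its SETUP program: audit an existing
# installation's NTFS permissions and share against the table above. Assumptions:
# the files live under $Root on the local server, the groups use the names from this
# page, and Read / Change / Full map to ReadAndExecute / Modify / FullControl.
$Root   = 'D:\AXISDiplomat'                      # assumed install path; adjust to suit
$Groups = @{ Users = 'axis diplomat Users'; Supers = 'axis diplomat Supers'; Admins = 'axis diplomat Admins' }
$FSR    = [System.Security.AccessControl.FileSystemRights]
$RightsOf = @{ None = 0; Read = [int]$FSR::ReadAndExecute; Change = [int]$FSR::Modify; Full = [int]$FSR::FullControl }
# Maximum rights per folder from the table. The *.EXE row and the per-name rows under
# DATA\ and REPORTS\ are not modelled because their names vary from site to site.
$Expected = @(
    @{ Path = '';         Users = 'Read';   Supers = 'Change'; System = 'Change' }
    @{ Path = 'DATA';     Users = 'None';   Supers = 'Change'; System = 'Change' }
    @{ Path = 'TEMP';     Users = 'Change'; Supers = 'Change'; System = 'None'   }
    @{ Path = 'LOGS';     Users = 'Change'; Supers = 'Change'; System = 'None'   }
    @{ Path = 'TEMPLATE'; Users = 'Read';   Supers = 'Change'; System = 'None'   }
    @{ Path = 'REPORTS';  Users = 'Change'; Supers = 'None';   System = 'None'   }
    @{ Path = 'PROFILES'; Users = 'Change'; Supers = 'Change'; System = 'None'   }
)
function Test-AxisFolderAcl {
    # Emits one record per Allow ACE that grants more than the table permits.
    param([string]$Folder, [hashtable]$Row)
    foreach ($rule in (Get-Acl -Path $Folder).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $id   = $rule.IdentityReference.Value         # e.g. 'DOMAIN\axis diplomat Users'
        $name = $id.Split('\')[-1]
        $allowed = switch ($name) {
            { $_ -eq $Groups.Users }  { $RightsOf[$Row.Users] }
            { $_ -eq $Groups.Supers } { $RightsOf[$Row.Supers] }
            { $_ -eq $Groups.Admins } { $RightsOf['Full'] }
            'SYSTEM'                  { $RightsOf[$Row.System] }
            'Everyone'                { 0 }           # must have been removed entirely
            default                   { $null }       # installer account etc.: not judged
        }
        if ($null -eq $allowed) { continue }
        $excess = $rule.FileSystemRights.value__ -band (-bnot $allowed)   # bits beyond the table
        if ($excess -ne 0) {
            [pscustomobject]@{ Folder = $Folder; Identity = $id; Inherited = $rule.IsInherited; Excess = ($excess -as $FSR) }
        }
    }
}
$Findings = foreach ($row in $Expected) {
    $folder = if ($row.Path) { Join-Path $Root $row.Path } else { $Root }
    if (Test-Path -LiteralPath $folder) { Test-AxisFolderAcl -Folder $folder -Row $row }
}
$Findings | Format-Table -AutoSize
# The page also requires 'Everyone' to be removed from the AXISDiplomat$ share itself.
$share = Get-SmbShareAccess -Name 'AXISDiplomat$' -ErrorAction SilentlyContinue | Where-Object { $_.AccountName -eq 'Everyone' }
if ($share) { Write-Warning "'Everyone' still has $($share.AccessRight) access on the AXISDiplomat`$ share" }
```

An empty findings table together with no warning means the folders modelled here match the table and the share no longer lists 'Everyone'; entries for the installer account or built-in Administrators are skipped because the page grants them full access.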