Triaster Server 2011 - Folder and File Permissions

This article is suitable for an IT Administrator

Ref: 201402211540
Last Edited: November 27th, 2014
 

Default Permissions

When installed, the permissions on the Triaster Server folders and files would typically be as follows:
 
Folder or File  Permissions
Triaster\  Inherited from the parent folder, and typically:
    CREATOR OWNER: Special permissions
    SYSTEM: Full control
    Administrators: Full control
    Users: Read & execute, List folder contents, Read, Special permissions (This folder and subfolders - Create files / write data, Create folders / append data)
Triaster\TriasterServer2011\  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\Alerts  As 'Triaster' +
    Authenticated Users: Modify (This folder, subfolders and files)
    SYSTEM: Special permissions ('Full control' on this folder)
    NETWORK SERVICE: Modify (This folder, subfolders and files)
Triaster\TriasterServer2011\BrowserToolkit  As 'Triaster' +
    Authenticated Users: Modify (This folder, subfolders and files)
    SYSTEM: Special permissions ('Full control' on this folder)
    NETWORK SERVICE: Modify (This folder, subfolders and files)
Triaster\TriasterServer2011\KeyotiSearch  As 'Triaster'
Triaster\TriasterServer2011\KeyotiSearch\IndexDirectory  As 'Triaster' +
    Authenticated Users: Modify (This folder, subfolders and files)
Triaster\TriasterServer2011\Logs  As 'Triaster' +
    Authenticated Users: Modify (This folder, subfolders and files)
    SYSTEM: Special permissions ('Full control' on this folder)
    NETWORK SERVICE: Modify (This folder, subfolders and files)
Triaster\TriasterServer2011\MapStore  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\Menupage Templates  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\MTopSearch  As 'Triaster' +
    Authenticated Users: Modify (This folder, subfolders and files)
    SYSTEM: Special permissions ('Full control' on this folder)
    NETWORK SERVICE: Modify (This folder, subfolders and files)
Triaster\TriasterServer2011\ProcessLibraries  As 'Triaster' +
    Authenticated Users: Modify (This folder, subfolders and files)
    SYSTEM: Special permissions ('Full control' on this folder)
    NETWORK SERVICE: Modify (This folder, subfolders and files)
Triaster\TriasterServer2011\PublicationFiles  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\PublicationTransforms  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\Queue  As 'Triaster' +
    Administrators: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\Re-index Document Store  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\reports  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\Services  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\Settings  As 'Triaster' +
    Authenticated Users: Modify (This folder, subfolders and files)
    SYSTEM: Special permissions ('Full control' on this folder)
    NETWORK SERVICE: Modify (This folder, subfolders and files)
Triaster\TriasterServer2011\TemporaryFiles  As 'Triaster' +
    SYSTEM: Special permissions ('Full control' on this folder)
Triaster\TriasterServer2011\Licence.xml  As 'Triaster' +
    NETWORK SERVICE: Full control
 


Modifying Permissions

Security could be tightened by removing the permissions for the generic 'Users' and 'Authenticated Users' groups, and perhaps replacing them with permissions for more specific groups. It should be emphasised that permissions for administrative groups and SYSTEM should be retained. Permissions then need to be added for particular accounts so that:
  • The websites continue to work.
  • Process mappers retain access to their files.
  • A Library Administrator can manage the library.
 
The sections below describe the permissions that would need to be granted to an authenticated user or group (denoted by <Authenticated User/Group>) if those generic permissions were removed.

Each set of permissions is given in the context of a particular role, so a complete set of permissions requires consideration of every role.
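
Before changing anything, it helps to see where the generic groups can actually write. The following PowerShell is an added example, not part of the original article or of Triaster's tooling; the install location in $Root is an assumption, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: list where 'Users' or 'Authenticated Users' can change content
# under the Triaster Server folder. $Root is an assumed install location.
param(
    [string]$Root = 'C:\Triaster\TriasterServer2011'
)

# Well-known SIDs are matched instead of names so the check is language-independent.
$generic = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
}

# Rights that allow content or permissions to be changed (all are part of Modify or Full control),
# plus the GENERIC_WRITE and GENERIC_ALL bits that inherit-only entries may carry.
$specific  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

# The root itself plus its immediate children (folders and Licence.xml).
$targets = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root)

foreach ($item in $targets) {
    $acl   = Get-Acl -LiteralPath $item.FullName
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')   { continue }
        if (-not $generic.ContainsKey($sid))      { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Group     = $generic[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: the entry comes from a parent folder
        }
    }
}
```

Rows with Inherited = True originate from a parent folder, so they have to be dealt with where they are defined rather than on the folder listed.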

Web Server Role

These will be the permissions needed for the websites to run properly.

Anonymous Authentication

If Anonymous authentication is enabled, <Authenticated User/Group> would normally be IUSR (in IIS 7.x) or a group that contains that user.

Windows or Basic Authentication

If Windows or Basic authentication is enabled, <Authenticated User/Group> would correspond to a user or a group representing those who would use the process library websites.

Permissions

In addition to those described above, permissions are required for the user account under which the Triaster web applications' application pool runs. This would usually be NETWORK SERVICE, but could be another account, such as an application pool's ApplicationPoolIdentity account.
 
 
Folder or File  Permissions
Triaster\Documents
    <Authenticated User/Group> - Read & Execute, List folder contents, Read
    NETWORK SERVICE - Read & Execute, List folder contents, Read
    Note: A 'Documents' folder is typically in this location, but needn't be.
Triaster\TriasterServer2011\BrowserToolkit
    <Authenticated User/Group> - Read & Execute, List folder contents, Read
    NETWORK SERVICE - Modify
Triaster\TriasterServer2011\KeyotiSearch\IndexDirectory  NETWORK SERVICE - Read & Execute, List folder contents, Read
Triaster\TriasterServer2011\Logs  NETWORK SERVICE - Modify
Triaster\TriasterServer2011\Menupage Templates  NETWORK SERVICE - Read & Execute, List folder contents, Read
Triaster\TriasterServer2011\MTopSearch
    <Authenticated User/Group> - Read & Execute, List folder contents, Read
    NETWORK SERVICE - Modify
Triaster\TriasterServer2011\ProcessLibraries
    <Authenticated User/Group> - Read & Execute, List folder contents, Read
    NETWORK SERVICE - Modify
    Note: This folder may contain a shared copy of the Process Navigator Properties XML file. If process mappers are to link directly to it, they would need appropriate read access.
Triaster\TriasterServer2011\Queue  NETWORK SERVICE - Modify
Triaster\TriasterServer2011\Re-index Document Store  NETWORK SERVICE - Modify
Triaster\TriasterServer2011\reports  NETWORK SERVICE - Read & Execute, List folder contents, Read
Triaster\TriasterServer2011\Settings  NETWORK SERVICE - Modify
Triaster\TriasterServer2011\Licence.xml  NETWORK SERVICE - Modify
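
One way to apply the Web Server Role table above with icacls, as an added example that is not Triaster's own script. The install location, the 'EXAMPLE\Triaster Readers' group standing in for <Authenticated User/Group>, and the -RemoveGeneric switch are assumptions made for illustration.

```powershell
# Added example, not Triaster's own script: apply the Web Server Role table with icacls.
param(
    [string]$Root      = 'C:\Triaster',                   # assumed install location
    [string]$SiteGroup = 'EXAMPLE\Triaster Readers',      # hypothetical <Authenticated User/Group>
    [string]$PoolId    = 'NT AUTHORITY\NETWORK SERVICE',  # application pool account
    [switch]$RemoveGeneric   # also remove explicit 'Authenticated Users' grants
)
$ts = 'TriasterServer2011'
# Relative path, right for $SiteGroup (or $null), right for $PoolId. RX = Read & Execute, M = Modify.
$table = @(
    @('Documents',                       'RX',  'RX'),
    @("$ts\BrowserToolkit",              'RX',  'M'),
    @("$ts\KeyotiSearch\IndexDirectory", $null, 'RX'),
    @("$ts\Logs",                        $null, 'M'),
    @("$ts\Menupage Templates",          $null, 'RX'),
    @("$ts\MTopSearch",                  'RX',  'M'),
    @("$ts\ProcessLibraries",            'RX',  'M'),
    @("$ts\Queue",                       $null, 'M'),
    @("$ts\Re-index Document Store",     $null, 'M'),
    @("$ts\reports",                     $null, 'RX'),
    @("$ts\Settings",                    $null, 'M'),
    @("$ts\Licence.xml",                 $null, 'M')
)

function Set-Grant([string]$Path, [string]$Identity, [string]$Right) {
    # Folders get (OI)(CI) so the grant reaches subfolders and files; a file takes the bare right.
    $flags = if (Test-Path -LiteralPath $Path -PathType Container) { '(OI)(CI)' } else { '' }
    # /grant:r replaces any earlier explicit grant for this identity on this path.
    & icacls.exe $Path /grant:r ('{0}:{1}{2}' -f $Identity, $flags, $Right) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant:r failed on $Path for $Identity" }
}

foreach ($row in $table) {
    $path = Join-Path $Root $row[0]
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Skipping missing path: $path"; continue }
    if ($row[1]) { Set-Grant $path $SiteGroup $row[1] }
    Set-Grant $path $PoolId $row[2]
    if ($RemoveGeneric) {
        # *S-1-5-11 is the well-known SID of Authenticated Users; /remove:g drops explicit grants only.
        & icacls.exe $path /remove:g '*S-1-5-11' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /remove:g failed on $path" }
    }
}
```

Run it without -RemoveGeneric first, and add the switch only once the File Server and Library Administration permissions are also in place. The 'Users' entry inherited from above Triaster\ is not affected by /remove:g.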
 

File Server Role

This relates to the process map Visio files.
 
Triaster\TriasterServer2011\
    MapStore\
        <Library>\
            Live Maps\
            Menu Pages\
            Prelive Maps\
            Sandpit Maps\
        Stencil, Template and Properties\
 
It will probably be a decision for the Library Administrator as to who should have access to what. Files editable by process mappers would be in the '<Site> Maps' and 'Menu Pages' folders. The 'Stencil, Template and Properties' folder may contain shared copies of the Visio template and stencil to which mappers would need at least read access. A shared Properties XML file may reside here, but may be elsewhere (in the 'ProcessLibraries' folder).

As an example, let's say that those who create and edit process maps are members of a 'Triaster Authors' security group. They will need to be able to create and edit maps in the Sandpit, and use the Visio template and stencil (and possibly a Properties XML file) in the 'Stencil, Template and Properties' folder. They could read content from elsewhere, but not change it. Library Administrators are members of a 'Triaster Library Administrators' security group, and will need read and write access to the whole of the map store.

Folder or File  Permissions
MapStore\
    'Triaster Authors' - Read & Execute, List folder contents, Read
    'Triaster Library Administrators' - Modify
MapStore\<Library>\Sandpit Maps  'Triaster Authors' - Modify

Library Administration

This would be a typical set of permissions that would allow a Library Administrator to manage a process library, whether to make modifications directly, or to retrieve copies of files that may be requested by Triaster Support.

Again, a 'Triaster Library Administrators' group is used for illustration.

Folder or File  Permissions
Triaster\TriasterServer2011\Alerts\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\BrowserToolkit\css  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\BrowserToolkit\images  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\KeyotiSearch\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\Logs\  'Triaster Library Administrators' - Read & Execute, List folder contents, Read
Triaster\TriasterServer2011\MapStore\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\MTopSearch\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\ProcessLibraries\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\Queue\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\Re-index Document Store\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\Reports\  'Triaster Library Administrators' - Modify
Triaster\TriasterServer2011\Settings\  'Triaster Library Administrators' - Modify

 
