Make sure no shares have been set to the Windows 2003 default "read-only" (look in the Share tab) or it will override the permissions you set in the Security tab.
For more information, review the topics in the Index and Table of Contents to the left. If they are hidden, click <--Show Navigation Pane.
An ACL (access control list) is a property of every file and folder in Microsoft's NTFS file system. An access control entry (ACE) is an element in an access control list (ACL). It allows an administrator to limit the access to given files to a selected group of users. The ACLs of a file or folder can be set from the Security tab of the file or folder's properties, which can be accessed by right-clicking on the file or folder.
|
Make sure no shares have been set to the Windows 2003 default "read-only" (look in the Share tab) or it will override the permissions you set in the Security tab. |
WAFS/CDP fully supports ACLs; therefore, you can set the security of each file (i.e., set the access rights) exactly like in NTFS on the Security tab.
Because the software runs under SYSTEM account credentials, the "user" SYSTEM must have full access rights to the replicated files and folders. On the Security tab, make sure SYSTEM is listed with full control. Failure to give the SYSTEM account full control of every file and folder results in users or applications not being able to access, move, or otherwise modify these files and folders.
For each Job, one Agent must be selected as the Source, and its ACLs will be projected to the Job on all other Agents linked to the same Job.
Granting Full Access to Everyone
In Windows Explorer, right click the top-level folder of the Job, then click Properties.
The Properties dialog box appears. Click the Security tab.
Allow full control to Everyone and to SYSTEM.
Select Advanced, choose Replace permissions entries on all child objects, then click OK.
For example, suppose you create a new folder in a Job, and want to give users jsmith and jjones full access to the folder and to all the files that would be stored in it. In NTFS, you would open the Security tab, then add user jsmith and jjones. You would do the exact same thing with the WAFS folders, but you must also include the "user" SYSTEM and give it full access.
ACL Replication Direction
The ACL Security Manager allows you to replicate between Agents the Windows security settings for all files and sub-folders in the displayed linked folder.
To specify replication direction
On a computer on which the Agent is installed, in the system tray, click the Agent icon 
, then click Job Properties and Options.
Click the Change Options tab. The Change Options tab allows you to control various aspects of the selected Job.
Click Sync Security ACLs. The ACL Security Manager dialog box appears.
Specify whether the current Agent is the master (ACL Source) or the slave Agent (ACL Target) that receives the data. If your replication mode is unidirectional (CDP), the direction of the ACL copy is automatically set from master to backup slave.
Specify whether you want the ACLs to replicate automatically whenever they are changed on the master (Auto), or select Manual and click Start to replicate once. On all slave Agents, select Auto. ACL replicating in Manual mode updates the AVmgr file. The targets attempt to read the AVmgr file approximately every 30 Minutes. Manual is recommended when you have a large number of files.
Limiting Access to a Selected Group of People
This is similar to the previous example, except that instead of Everyone, you would have to include the list of people and groups that are allowed to access the volume; ensure SYSTEM is included and has full control on every file and folder.
Registry Keys
When the source Agent is configured for automatic ACL replication, the source Agent checks for ACL changes every 30 minutes (by default). The default value of 30 minutes can be changed by a registry key named ACLP_src_cycle. (It is an integer value and the unit is minutes.) After each ACL check, the source Agent calculates the duration to process the ACL, and multiplies it by a factor of 10 (by default), compares this new value to the cycle time defined in ACLP_src_cycle, then chooses the larger value as the new cycle time. The default factor of 10 can be changed in a registry key named ACLP_src_factor.
The new cycle is formulated as: Max (ACLP_src_cycle, Duration * ACLP_src_factor)
On the target side, the default cycle is controlled by ACL_trg_cycle and the default factor is controlled by ACLP_trg_factor. Each of these registry key REG_DWORDs are per-Job based and are located in HKey Local Machine/SOFTWARE/AVAILL/AvaillClient/I/S/[servername]/V/[jobname]/.
For these registry keys to take effect, the Agent must be restarted after you create or change them.
Change Options Tab (Sync Security ACLs)