Defining user rights Windows

Before you can start Transfer CFT from the Transfer CFT Copilot server, the Copilot server must be started. Additionally, you need rights to log on to this server. The overall process requires that you:

Define rights before starting the Transfer CFT UI server

To be able to start the Transfer CFT Copilot server you must give each Windows user read and write rights for the Transfer CFT installation folder as follows:

  1. Right-click the Transfer CFT program folder.
  2. Select Properties.
  3. In the Properties window, select the Security tab.
  4. In the Security tab, select the user and grant the user read and write rights. Click OK.

Additionally, if you want to start the Transfer CFT GUI server as a service under a user account instead of the local system account, that account must have the Log on as a service right.

  1. In a dos command window, type secpol.msc to open the Local Security Policy window.
  2. Select Security Settings > Local Policies > User Rights Assignment.
  3. Double-click Log on as a service.
  4. Click Add user or group and define.

You can opt to control the file-access permissions and the batch execution environment by setting the UCONF copilot.misc.createprocessasuser identifier as follows:

  • no: Processes started for any user who logs on to the Transfer CFT GUI server run as the user who started the Transfer CFT Copilot server.
  • yes: Processes started for any user who logs on to the Transfer CFT GUI server run as that user.

Define rights before logging on to the Transfer CFT UI (Copilot) server

The rights to define depend on the copilot.misc.createprocessasuser setting and on the PassPort AM status.

copilot.misc.createprocessasuser = no, PassPort AM not activated

No need to set rights. All Windows users can log on to the Transfer CFT GUI server.

copilot.misc.createprocessasuser = no, PassPort AM activated

If PassPort AM is activated, you must use a PassPort AM user to log on. Check if the AM user has the rights to manage Transfer CFT.

copilot.misc.createprocessasuser = yes, PassPort AM not activated

The Windows user who is going to log on to the Transfer CFT UI server must have read and write rights for the Transfer CFT install folder.

Some user rights must be assigned to the user who launched the Transfer CFT UI server to permit other Windows users to log on. This is true except if it is the local system account when working in the service mode. The user rights to assign are:

  • Adjust memory quotas for a process
  • Impersonate a client after authentication (only on Windows 2008)
  • Replace a process level token
  • Create a token object

To define user rights:

  1. In a dos command window, enter lusrmgr.msc to open the system users list. Check available users.
  2. In a dos command window, enter secpol.msc to open the Local Security Policy window.
  3. Select Security Settings > Local Policies > User Rights Assignment.
  4. Double-click the required right.
  5. Click Add user or group and define.
  6. Close and re-open the Windows session to take into account the modifications.

copilot.misc.createprocessasuser = yes, PassPort AM activated

Some user rights must be assigned to the user who starts the Transfer CFT UI server to allow other Windows users to log on, unless it is the local system account working in service mode. The user rights are:

  • Adjust memory quotas for a process
  • Impersonate a client after authentication (only on Windows 2008)
  • Replace a process level token
  • Create a token object

To define user rights:

  1. In a dos command window, type lusrmgr.msc to open the system users list. Check available users.
  2. In a dos command window, type secpol.msc to open the Local Security Policy window.
  3. Select Security Settings > Local Policies > User Rights Assignment.
  4. Double-click the required right.
  5. Click Add user or group and define.
  6. Close and re-open the Windows session to take into account the modifications.

Additionally, the user who wants to log on to the Transfer CFT UI server must exist both in the Windows system and PassPort AM. The Windows system performs the user authentication, and PassPort AM checks the other rights.

Note: The PassPort user name is case-sensitive.

Define rights before starting Transfer CFT

The Windows user who is going to log on to the Transfer CFT GUI server requires read/write rights for the Transfer CFT install folder, defined as follows:

  1. Right-click the Transfer CFT program folder.
  2. Select Properties.
  3. In the Properties window, select the Security tab.
  4. In the Security tab, select the user and grant the user read and write rights. Click OK.
  5. The same user name must exist in PassPort AM and must be allowed to manage Transfer CFT.

Note: The PassPort user name is case-sensitive.

Define domain user

Transfer CFT supports domain user accounts, which allows a service to use Windows service security features.

File action executed for applicative users

To enable file actions, check that the USERID user has access to the transfer destination directory. To do this, copy the rights from the user's rights table and create a token object.

Post-transfer procedure executed for applicative users

To enable post-transfer procedures, check that the USERID user has rights to execute end-of-transfer procedures. To do this, copy the rights from the user's rights table and create a token object.

Define folder rights

To be able to start the Transfer CFT server and the Transfer CFT GUI server (Copilot), you must give each user read and write rights for Transfer CFT as follows:

  1. Right-click the Transfer CFT program folder.
  2. Select Properties.
  3. In the Properties window, select the Security tab.
  4. In the Security tab, select the user and grant the user read and write rights. Click OK.

Service mode login

If you are working in service mode, you must have the Log on as a service right.

  1. In a dos command window, type secpol.msc to open the Local Security Policy window.
  2. Select Security Settings > Local Policies > User Rights Assignment.
  3. Double-click Log on as a service.
  4. Click Add user or group and define.

Define system user access

System user enabled

If copilot.misc.createprocessasuser=yes in UCONF, or Createprocessasuser=yes in [MISC], the user starting the Transfer CFT Copilot server must be assigned the following user rights to allow other users to log on. Additionally, those users must exist in the Windows system users list.

  • Adjust memory quotas for a process
  • Impersonate a client after authentication (only on Windows 2008)
  • Replace a process level token

Procedure

  1. In a dos command window, type lusrmgr.msc to open the system users list. Check available users.
  2. In a dos command window, type secpol.msc to open the Local Security Policy window.
  3. Select Security Settings > Local Policies > User Rights Assignment.
  4. Double-click the required right.
  5. Click Add user or group and define.
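
The rights assigned through secpol.msc in the procedures above (Log on as a service, and the rights needed when copilot.misc.createprocessasuser=yes) can be checked from PowerShell. This is an added example, not Axway code: the account name cftsvc and the export file name are placeholders, and the Se* names are the standard Windows constants for the rights listed on this page. It reads the exported policy and changes nothing.

```powershell
# Added example: read-only audit of the user rights named on this page.
# Run from an elevated prompt; secedit needs administrator rights to export.
$Account = "$env:COMPUTERNAME\cftsvc"   # placeholder: account that starts the Copilot server
# Display name in secpol.msc -> constant name in the secedit export.
$required = [ordered]@{
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Adjust memory quotas for a process'        = 'SeIncreaseQuotaPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Replace a process level token'             = 'SeAssignPrimaryTokenPrivilege'
    'Create a token object'                     = 'SeCreateTokenPrivilege'
}

function Get-UserRightHolders {
    param([string]$InfPath)
    # Parse "[Privilege Rights]" lines such as: SeXxx = *S-1-5-19,HOST\name
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Resolve-Sid {
    param([string]$Name)
    if ($Name -match '^S-1-') { return $Name }
    try {
        (New-Object System.Security.Principal.NTAccount($Name)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Name }   # unresolved names are compared as written
}

$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$holders = Get-UserRightHolders -InfPath $inf
Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
# Direct grants only: rights held through group membership are not expanded.
$sid = Resolve-Sid $Account
foreach ($entry in $required.GetEnumerator()) {
    $sids = @($holders[$entry.Value] | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ })
    [pscustomobject]@{
        Right    = $entry.Key
        Constant = $entry.Value
        Granted  = $sids -contains $sid
        Holders  = $holders[$entry.Value] -join ', '
    }
}
```

The Holders column lists every account or SID that holds each right, which makes it easy to confirm that Replace a process level token and Create a token object are limited to the account that starts the Copilot server.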

PassPort AM is activated

If PassPort AM is active (am.type=PassPort in UCONF), the user must exist both in the Windows system users list and PassPort AM users list. The Windows system user performs the authentication, and PassPort AM performs the other rights checks.

Note: The PassPort user name is case-sensitive.

System user deactivated with PassPort AM management

If copilot.misc.createprocessasuser=no in UCONF, all system users have the right to log on.

PassPort AM is activated

If PassPort AM is active (am.type=PassPort in UCONF), you must be a defined PassPort AM user to log on.

Note: The PassPort user name is case-sensitive.
