Apply FS-specific change configurations

You can configure specific settings for each file server and configured shares:

  • the account used to make the changes
  • in which domain the ARM groups are stored
  • the Group Wizard Settings (access categories, group naming conventions, blacklist)
  • how the list rights are managed.

 

If you do not set any optional Group Wizard settings, the parent level settings will be used.

 

  1. Select the desired file server or share in the "Resources" area. How to add a file server is described in the chapter Add FS scans. Newly added file servers and shares do not have a configuration.
  2. Create a new configuration.

 

ARM shows you how many configurations exist below (arrow with number) and where they are (gear).

 

Configure the FS change account

Determine which account is used to apply changes to the selected file server resource.

If you don't enter credentials these will be requested in the ARM application.

 

Determine the domain for ARM groups

Select the domain in which the ARM groups are stored.

If you don't enter a domain, the ARM-groups will automatically be stored in the domain that the user has selected in the ARM application.

 

Configure automatic list rights management

The list right configuration includes several options for determining how ARM automatically ensures that users can navigate to the folders that they have access to.

Compared to Microsoft native tools you can avoid many cumbersome and error prone administrative steps.

 

Activate the automatic list rights management.

 

Use the sliders to determine the level of folder depth that ARM manages.

Level 0

Level 0 is the shared folder (share level). This folder is visible to users based on share rights. An assignment of list rights on this level is not required.

green levels

ARM creates list groups for every level. The access rights groups become members of list groups.

blue levels

ARM does not create list groups for these levels. Access groups are provisioned by entering list rights directly into the Access Control List (ACL). This way overall less groups are created and Kerberos token size is minimized. On the other hand more ACL entries are required which may cause file server performance issues.

 

Move the orange slider to exclude folder levels from the automatic creation of list groups. This is useful if users already have list rights to these folder levels.

 

Activate this option to prevent access rights changes with ARM below the lowest "list-rights-level" plus one (for example level 7, as in the screenshot).

You should activate this option to prevent users from gaining access to levels that they are not able to navigate to.

 

Select a list group mode.

This setting has no impact on Kerberos token size.

 

This option allows you to prevent permission changes to specific folder levels (keep it as parent for inheritance).

It is more beneficial to protect folder levels by assigning "restricted modify", as these require fewer group memberships.

 

Delete a FS-sepcific configuration

Click on the red X to completely remove the FS-specific configuration.