You should be familiar with how NTFS permissions work before you attempt to understand the information in this document. Please refer to the Microsoft Windows Domain Administrator's Security Guide for an explanation of NTFS permissions.
TIMS3 provides a simplified method to administrating NTFS file permissions, however the Administrator must setup the initial TIMS3 file server root directories. The following section details the NTFS file permission requirements of TIMS3.
Once the initial TIMS3 file server permissions are assigned TIMS3 takes over assigning NTFS permissions through the use of what's called, a security model. The security model is defined on a grid as a series of user access rights (columns) that get defined for each of the TIMS3 object/datasets (rows), see figure below. The TIMS3 administrator defines the security model during the implementation phase and then rarely needs to change the model.
By defining the security model the administrator is ultimately setting what NTFS permissions that get applied to files created using TIMS3. TIMS3 applications like Project Navigator and Data Manager respect the security model settings whenever a user attempts to access a document (its database record or the actual file) for review or edit purposes.
As a basic requirement for proper functionality of the Windows NT TIMS3 File Server service, the builtin SYSTEM account must have Full access to the root directory of each of the NTFS data partitions on the file server. For example, if a TIMS3 File Server has data stored in d:\allfiles, e:\allfiles, f:\allfiles, etc., then the SYSTEM account must be granted Full access privileges to the d:\, e:\ and f:\ root directories. Additionally, each TIMS3 user will need to atleast read access to the root directories. Allowing the built-in "Everyone" account to have read access will satisfy this requirement.
The top level directory for all project folders, such as e:\allfiles, should have the following Domain security ACEs:
|
|
Domain User/Group Name |
NTFS Access Right |
|
|
SYSTEM |
Full Access |
|
|
Administrators |
Full Access |
|
|
Everyone |
Read |
By setting this during the setup of your TIMS3 File Server, the TIMS3 system can properly apply the required Domain security ACEs for all project folders (subdirectories) and files within those folders, since each of these objects will inherit the Domain security ACES of the immediate parent directory.
If you did not set this up at the onset of your TIMS3 File Server installation, and you now already have data files in place with specific user and group NTFS ACL profiles, then you can still apply these settings to all existing project folders and diskfiles. However, for most scenarios, you should NOT use the Windows Explorer to set the security permissions. The proper way to ADD these ACE entries is to use either the standard Windows Domain system32 utility called CACLS.EXE, or the more powerful XCACLS.EXE from the Windows Domain Resource Kit. Either of these two utilities may be used to edit the existing ACL profiles of files in a subdirectory tree.
An example usage of the utilities would be for a case where you need to add the SYSTEM account to have full access, and the Everyone account to have read access to all files and directories in the d:\allfiles tree. Use the following commands from a MSDOS command prompt to achieve this functionality:
CACLS d:\allfiles /e /t /g SYSTEM:F
CACLS d:\allfiles /e /t /g Everyone:R
These two commands will ensure that the existing ACL profiles on the files and folders remain entact, while adding the SYSTEM account to have Full access and the Everyone Account to have Read-only access. All new directories created below this branch will be created with a similar NTFS security profile (by inheritance). By allowing the Everyone account to have Read access to the folders and files, all users will at least be able to Copy Out files for review purposes (eg, MicroStation reference files, AutoCAD XREF files). If this is not the desired setup, and you do not wish all users to have read access to all files, then you should at least still have the Everyone account to have read access to the root directory.
Now, all existing subdirectories, and all new directories created below this branch will be created with a similar NTFS security profile (by inheritance).