4.4 Control Access to Settings and Controls with Reflection Administrative Tools

To prevent a user from changing a setting, you set the permission level for that setting or control to “Restricted.” When a setting is restricted, administrative access is required to change the setting. For example, you could restrict the user’s ability to modify security settings.

The following access file templates are distributed with Reflection Desktop:

This File             Controls access to…
--------------------  -------------------------------------------------------
actions.access        Reflection Desktop actions (for example, Auto Complete)
application.access    Reflection Desktop workspace settings
rd3x.access           Reflection Desktop 3270 terminal settings
rd5x.access           Reflection Desktop 5250 terminal settings
rdox.access           Reflection Desktop VT terminal settings

Individual permissions are merged in the following order (from highest to lowest):

  • Group Policy – user

  • Group Policy – machine

  • Local permissions file (.access)

Deploying local permissions (.access) files

Use the Reflection Permissions Manager tool to set local permissions and save them in .access files that you can deploy.

You can deploy user-specific access settings for any type of .access file. To deploy user-specific files, install the .access files to [AppDataFolder]\Micro Focus\Reflection\Desktop\v16.1, where [AppDataFolder] is the full path of the Roaming folder for the current user (the default is C:\Users\username\AppData\Roaming\).

You can install some types of access configuration (actions.access or application.access files) for all users of the system. To deploy actions.access or application.access settings for all users, install these files in [CommonAppDataFolder]\Micro Focus\Reflection\Desktop\v16.1, where [CommonAppDataFolder] is the full path to application data for all users (the default is C:\Program Data).

NOTE: Settings files in the [CommonAppDataFolder] location are copied to the [AppDataFolder] location when the user opens the Workspace.

You can set permissions and create .access files by using the Permissions Manager with or without the Installation Customization Tool. When you use Permissions Manager with this tool, the tool automatically determines the correct location to install the required files. When you open Permissions Manager and create .access files outside of this tool, you’ll need to be sure the files are installed in the correct directory.

4.4.1 Specify Access Using Permissions Manager with the Installation Customization Tool

You can open Permissions Manager from the Installation Customization Tool to lock down access. When you use this approach, the resulting .access files are automatically added to the correct directory in the package (MSI file).

NOTE: These files are not saved to your local machine. They are saved only in your MSI database. To make changes to these files, you will need to use the same approach to edit them as you used to create them. You’ll need to open the MSI file in the Installation Customization Tool and then open Permissions Manager from the tool.

To set user and group access with the Installation Customization Tool

  1. From your administrative installation point, open the Installation Customization Tool from a shortcut or by typing the following command line:

    <path_to_setup>\setup.exe /admin

  2. In the Select Customization dialog box, select Create a new Companion installer.

  3. On the left pane, select Specify install locations.

  4. Under Installation type, select whether to install the settings to all users of a machine or only for the user who installs it.

    NOTE: Only actions.access and/or application.access files can be deployed to all users.

  5. In the left pane, select Modify user settings.

    NOTE: Under Application - Settings, the Permissions Manager displays groups of configurable items. These items are listed by their internal names, which may not exactly match the user interface item. The item's Accessibility indicates whether the user can configure the item (Full) or if administrator assistance is required to configure the item (Restricted).

  6. In the Make changes to user settings pane, select one of the .access options and click Define.

  7. In Permissions Manager, under Groups, select the group of settings you want to control access to (for example, Document\Connection\TN3270Basic).

  8. In the Items box, in the Accessibility column for the item (or items) you want to restrict, click Full and then select Restricted from the drop down menu.

    NOTE: The Accessibility drop down menu includes three items:

    • Full: All users can configure the item.

    • Restricted: Only administrators of the system can configure the item. These items have the Windows access shield added to their icons.

    • Read-only: No users of the system can configure the item. These items are grayed out.

  9. Under Additional security options, select how to control session file encryption:

    To do this: Configure all sessions so that users can open only encrypted display session files.
    Select: User can open only encrypted session files

    To do this: Configure all sessions so that users can save a display session only if it is encrypted.
    Select: User can save only encrypted session files

  10. From the File menu, choose Save As and save the companion installer package.

    If you selected Installs only for the user who installs it when you specified install locations, the companion installer package automatically specifies to deploy this .access file to [AppDataFolder]\Micro Focus\Reflection\Desktop\v16.1.

    If you selected Installs to all users of a machine, it specifies to deploy the .access file to [CommonAppDataFolder]\Micro Focus\Reflection\Desktop\v16.1.

NOTE:

  • Make sure to set file access rights on .access files to prevent users from deleting, replacing, or editing them.

  • To deploy files to the [AppDataFolder] folder, you will need to use a deployment tool that allows you to install the companion installer package as the user.

  • When accessing a setting via an API, such as executing a macro, a setting with restricted access cannot be modified. (When attempting to set a restricted setting via an API, an error is logged.)

4.4.2 Specify Access Using Permissions Manager

To prevent a user from changing a setting, you set the permission level for that setting or control to “Restricted.” When a setting is restricted, administrative access is required to change the setting. For example, you could restrict the user’s ability to modify security settings.

You can lock down access by running Permissions Manager (without using the Installation Customization Tool) to edit .access files. If you use this approach, be sure to deploy the customized .access files to the correct directory.

NOTE: Important: Be sure to set file access rights on .access files that you deploy to prevent users from deleting, replacing, or editing them.

To set access with Permissions Manager

  1. On a workstation to which you have installed Reflection, log on as administrator and in the Reflection Desktop install folder (the default is \Program Files\Micro Focus\Reflection), run AccessConfig.exe.

  2. When prompted to create a new permission file, or edit an existing one, choose Create new permission file.

  3. When prompted with a list of access file templates, choose the type of permission file to create.

  4. Under Groups, select the type of setting to control access to (for example, the Document\Connection\TN3270Basic group).

  5. In the Items box, in the Accessibility field for the item (or items) you want to restrict, click Full and then select Restricted from the drop down menu.

  6. If you are configuring rd3x.access, rd5x.access, or rdox.access files, under Additional security options, select how to control session file encryption:

    To do this: Configure all sessions so that users can open only encrypted display session files.
    Select: User can open only encrypted session files

    To do this: Configure all sessions so that users can save a display session only if it is encrypted.
    Select: User can save only encrypted session files

  7. Be sure to deploy the .access files to the correct directory:

    To deploy settings that are user-specific, deploy the .access files to [AppDataFolder]\Micro Focus\Reflection\Desktop\v16.1.

    To deploy settings for all users of a machine, deploy the .access files to [CommonAppDataFolder]\Micro Focus\Reflection\Desktop\v16.1.

IMPORTANT:

  • To deploy files to the [AppDataFolder] folder, your deployment tool must allow you to install the companion installer package as the user.

  • Setting session encryption options in an .access file affects only the associated session type. For example, limiting users to opening only encrypted session files in rd3x.access only affects 3270 terminal session files, and not 5250 session files.

  • When accessing a setting via an API, such as executing a macro, a setting with restricted access cannot be modified. (When attempting to set a restricted setting via an API, an error is logged.)
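
Both sections above say to set file access rights on deployed .access files so that users cannot delete, replace, or edit them. The following PowerShell sketch is an added example, not code from the product or its vendor: it hardens the files in the all-users folder and then audits the result. The function names Protect-AccessFile and Get-AccessFileAclFinding are hypothetical, and the script assumes that [CommonAppDataFolder] resolves to $env:ProgramData and that only Administrators and SYSTEM should be able to change these files.

```powershell
# Added example (not vendor code). The folder is the all-users location this page
# names, built from $env:ProgramData (assumed to be [CommonAppDataFolder]).
$AccessDir = Join-Path $env:ProgramData 'Micro Focus\Reflection\Desktop\v16.1'

# Well-known SIDs (language independent): Administrators, SYSTEM, Users.
$Admins = 'S-1-5-32-544'; $System = 'S-1-5-18'; $Users = 'S-1-5-32-545'
$Trusted = @($Admins, $System)  # assumption: only these may change .access files

# Rights that allow editing, deleting, replacing, or re-permissioning, plus the
# GENERIC_ALL / GENERIC_WRITE bits that inheritable ACEs can carry.
$Risky = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Protect-AccessFile {
    # Owner = Administrators, no inherited ACEs, Users read-only. Run elevated.
    param([string]$Directory = $AccessDir)
    Get-ChildItem -LiteralPath $Directory -Filter '*.access' -File | ForEach-Object {
        & icacls.exe $_.FullName /setowner "*$Admins" | Out-Null
        & icacls.exe $_.FullName /inheritance:r /grant:r "*${Admins}:F" "*${System}:F" "*${Users}:R" | Out-Null
    }
}

function Get-AccessFileAclFinding {
    # Lists ACEs on the folder and on each .access file that give a non-trusted
    # principal a risky right. The folder matters: delete-child or create-file
    # rights there allow removing or replacing a file whatever the file's own ACL says.
    param([string]$Directory = $AccessDir)
    $items = @(Get-Item -LiteralPath $Directory) +
             @(Get-ChildItem -LiteralPath $Directory -Filter '*.access' -File)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $Risky) -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Protect-AccessFile
Get-AccessFileAclFinding | Format-Table -AutoSize
```

Any row the audit still returns after hardening needs review. A row for the folder itself is the case to watch in the per-user [AppDataFolder] location, where the user normally has full control of the directory and a file-level ACL alone does not stop the file from being deleted or replaced.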