Table of Contents
- 1. The Basics
- 2. General references for the prerequisites
- 3. migRaven
- 4. 8MAN
- 5. Troubleshooting
Version 2: starting from migRaven Version 2.1.1042.2 and 8MAN Version 5.6.147, as of: 20.11.2014
Image 1: Overview
1. The Basics
The objective of this manual is to configure migRaven and 8MAN in such a way that 8MAN takes over the authorization groups created by migRaven and works with them. 8MAN accepts the groups created by migRaven.
Numerous parameters for name format and storage location are affected. Some values are fixed in one program and must then be set accordingly in the other. There is enough leeway that several variants are possible in both programs. I want to suggest a consistent and comprehensible exemplary solution. Where several variants are available for selection, I select for this exemplary solution a value that leads to the same result in both programs.
To ensure that migRaven and 8MAN work together, the following prerequisites must be met:
a) same group type for the authorization groups to be generated
b) same storage location in AD for these groups
c) same name formation of the groups in both programs
d) where the list rights should be set
e) protect the authorization end point (Modify Plus and / or Restricted Modify)
2. General references for the prerequisites
a) The group type
For name formation, migRaven provides the following abbreviations for the three group types:
dl - for domain-local groups
u - for universal groups
g - for global groups.
In this manual, I have selected domain-local groups as the group type for the authorization groups. In 8MAN, the group type can be selected only at the beginning.
b) The storage location
The 8MAN groups to be created are stored in an AD OU (organizational unit in the Active Directory). The authorization groups should be created and used by both programs in the same AD OU. I have chosen the OUs "8MAN \ servername" as storage location. In migRaven, only test.local / 8MAN is specified, because an organizational unit with the server name is automatically generated below it. In 8MAN, OU = win-server, OU = 8MAN must be specified.
Here I would like to add a remark on the OUs of the Active Directory. One can distribute the authorization groups over several OUs. This is sensible if there are corporate divisions that are each administered by a single data owner. In a company that is fully monitored by one or more administrators, one should consolidate the authorization groups in one OU. In a big company in which administrators are responsible only for partial sections, distributing the authorization groups over several OUs can be meaningful.
c) The name formation
The components of the group name are joined by separators.
- Prefix - The prefix can be selected freely; in this example I choose "8MAN" as prefix.
- Group type - As group type, "dl" for domain-local groups was already chosen above.
- Version name - This does not seem necessary. It is very helpful if one has the same name as the authorization group in AD. Without the version name, problems can arise if one has sub-directories under various versions: this leads to authorization groups with the same name, and that does not work.
- Directory - Then follows the directory. It is mandatory in migRaven. It can be extended by version and server names.
- Suffix for access rights - Abbreviations for the access rights are given as suffix. In migRaven, these short names can be changed in the new versions. Therefore it is now possible to adjust migRaven to the settings of 8MAN. This suffix is, just like the directory, mandatory. The following access rights are given:
- List right - li
- read-execute - right
- read-write - w
- modify - m
- modify plus - mx (like modify, but moving and deleting the authorization end point is prevented)
- full control - f
- Separator - I have selected the underscore as separator.
- If the group name exceeds a length of 60 characters, the name is abbreviated to max. 60 characters. To do this, characters are removed from the middle of the name and replaced by the characters "...".
d) The list groups
The levels on which list groups are created must be the same in both programs. Here I choose levels 1 to 2 for these groups. Creating list groups on the share (level 0) is not possible in either program.
e) Modify Plus / Restricted Modify
Both programs offer a rights configuration that prevents the deletion of a directory to which the user has modify rights. This should be used in both programs. With the latest versions, both programs use the same procedure. The modify-right to the directory will be changed to "delete", the authorization "Delete sub-folders and files" is set. This ensures that the directory is not deleted.
3. migRaven
a) Name conventions
The names of the authorization groups must be generated identically by migRaven and 8MAN.
The name in migRaven is configured under "Group configuration". The tabs "Type", "Name", "List-Right" and "Rights" are relevant.
b) The group type is determined under the tab "Type"
8MAN-compliant, so that the groups are recognized as 8MAN groups: click this option.
Although three group types are offered here, one should only consider domain-local groups and universal groups for the authorization groups. In this example, I select domain-local groups.
In the field "in the OU (canonical name):", we specify the OU in the AD in which the authorization groups are stored. With migRaven, one must take into account that an OU with the server name is automatically created under the specified OU. In this example, "test.local / 8MAN" is entered. "Test.local / 8MAN / win-server" is then the AD OU for the common authorization groups.
It is possible to prevent the automatic generation and use of an OU with the server name under the specified OU. You can set this in the migRaven.exe.config with the parameter "ServerOU". However, after each re-installation of migRaven, the parameter must be set again.
Image 2: Group type and storage location (AD-OU)
c) Under the tab "Name", we create the group name
"8MAN" is entered as group prefix. This prefix may be changed, but it must be set to the same value in migRaven and 8MAN. In migRaven, six elements are possible as components of the group name. In this example, I do without "Server". The "directories" and "suffix" are mandatory and thus cannot be deselected.
Select the following 5 elements; their order must be set exactly using the "upward" and "downward" buttons:
- Prefix (Group prefix: 8MAN)
- Group type (u, dl, g possible, we had selected domain-local)
- Directories (mandatory)
- Suffix (mandatory, and can be set under the tab "Rights")
- The underscore, the hyphen or the space are possible as separators between the elements. I selected the underscore '_' as separator.
- The preview for the group name shows: 8MAN_dl_<version>_<directories>_<suffix>
Image 3: Group name
d) The tab "List-Right"
Under the tab "List-Right", we specify on which directory levels the explicit list groups should be created. Among them are the main authorization groups of the underlying authorization.
We would like to create the list groups on the 1st and 2nd level.
Image 4: List Groups
e) Under the tab "Rights", the suffixes are determined
The suffixes are abbreviations for the access rights. With this suffix, we recognize which access right the authorization group has. Under the tab "Rights", we can determine these abbreviations. In our case, they must correspond with the ones in 8MAN. You can thus adjust migRaven to the settings in 8MAN.
A suffix can be at most 4 characters long, and two suffixes with the same name are not possible.
Do not forget to save.
Image 5: Permission suffix
f) The Modify Plus Right
In image 5, we see a special right, the Modify Plus right. It corresponds to the standard Modify right, except that moving and deleting the authorization end point by a user with modify rights is prevented. You can set this right in a targeted manner, at the locations where you find it necessary.
Not only the names but also the descriptions of the groups must be the same. The authorization groups are stored in the Active Directory. For each authorization group, there is a description, which can be seen on the group in the AD. This description is not just a comment. It contains the name of the directory for which the group was created and IDs for the marking. These IDs are important for 8MAN.
The directory specification in the description field must correspond with the future path; otherwise 8MAN does not take over this authorization group.
Image 6: Authorization group with the "Description" field in the AD. The version of the name given to the given name is marked.
4. 8MAN
a) Name conventions
All settings are carried out in the program "8MAN-Configuration". Below the button "Change-configuration", we find the one for "Fileserver". In the "Basic settings", we activate the Group Wizard. It automatically creates user groups (8MAN groups), as soon as they are authorized with 8MAN.
b) The group type
As group type, we select domain-local groups, as in migRaven. This selection is possible only once. After the configuration has been saved for the first time, the group type can no longer be changed!
The "Access categories" must correspond with those of migRaven:
f Full access
mx Restricted Modify (is described at the end of the documentation)
Read and execute
List List content (only this folder)
Suffixes with the same name are not possible.
Image 7: 8MAN suffixes
We adapt the "8MAN-Groups" to those of migRaven. We enter the following group-type identifiers: "g" for global groups, "dl" for domain-local, "u" for universal groups.
For list groups, in place of "li" we enter the group type that we have chosen for our authorization groups; in our example, "dl" for domain-local groups.
As separator, we select the underscore.
We change the list group suffix to "li" in place of "lst".
Under the "Path application in the group names", we configure the component "Path" of the group names. We take the "Path from server". With both migRaven and 8MAN, one could add the server name. The path name should consist of "All directories". In migRaven, this is mandatory and a shorter directory form is not possible. If the group name exceeds the length of 60 characters, it is reduced to 60 characters. To do this, characters are removed from the middle and replaced by the characters "...".
In the point "name format", we determine the order of the four name components. As in migRaven, we determine the following order:
Group prefix x Group ID x Path x Category ID
As separator, we already selected the underscore.
We activate "Update name of 8MAN Groups automatically in case of change actions".
The preview for the group names shows us "8GP_g_Ordner1_Ordner2_Ordner3_Ordner4_f". 8GP is the variable for the 8MAN Group prefix. In the next section, we see how this variable is filled. The suffix (here "f") varies depending on the given access categories.
Image 8: Name formation in 8MAN
c) Create storage location for 8MAN Groups in the AD
Before we determine the group prefix, we create the OU for 8MAN. In the AD, we create the OU "8MAN" and below it the OU "win-server" (OU = win-server, OU = 8MAN) under the domain (for example test.local). If we had worked with migRaven beforehand, these OUs would already have to exist.
d) Enter storage location and group prefix in 8MAN
In the 8MAN name preview, "8GP" is displayed as group prefix. This is a placeholder, which must be defined. In the "8MAN configuration", we switch to "Scans". There, at the domain, we enable "Insert details". In the last record, which starts with "8MAN-groups are in ...", we can determine the storage location and prefix of the authorization groups that the administrator creates.
OU = win-server, OU = 8MAN, which should create the generated authorization groups: OU = win-server. The 8MAN-group prefix (8GP), with which all authorization groups should begin, is determined in the lowest row: 8M.
Image 9: Call and Enter the Group Storage Location in the AD and 8MAN Group Prefix (8GP)
My Windows server has the name "WIN-PLTC1P179JB". In the documentation, I use the name "win-server" for the server name for the sake of simplicity. Hence the difference between the documentation and the screenshots.
e) List rights
In the program "8MAN Configuration" under "Scans", we expand the file server and enable the "Insert details". In the penultimate record "List rights are automatically administered by 8MAN from directory level ...", we click the second word "wants". Here the list rights can be configured:
We make sure that the "List rights (display folder content) are automatically administered".
We select the mode: "Direct list group-membership".
List groups are generated starting with level 1 for 2 levels.
On the following levels, the 8MAN groups of the underlying authorization end point are authorized with list rights for the respective directory.
Image 10: Call and settings for the list group formation
f) Restricted Modify
The purpose is to prevent a user from deleting their authorization end point.
Earlier, 8MAN implemented this with additional list groups. We do not use this variant. Thus under "Directory level of an authorization change", we disable the functions "Create list groups ..." and "protected directories ... by an entry ... for the list group" (image 10).
Image 11: Restricted Modify in 8MAN
The new variant for protecting the authorization end point is called "Restricted Modify". We find it under the button "Change Configuration", then "File server" and "Access categories". This function corresponds to the one in migRaven. The suffix can be selected freely; here we use "mx".
5. Troubleshooting
a) 8MAN generates group names with the appendix "_1"
Cause: There is already a group with the same name in AD.
The group with the same name exists in another OU of the AD. The storage OUs of migRaven and 8MAN are not the same.
Solution: Move the authorization groups created by migRaven to the OU in which 8MAN expects them, or set the storage location in 8MAN to the OU where the groups exist.
The group with the same name is in the same OU of the AD, but the descriptions of the groups are not the same. The directory name in a group description is wrong. During migration, the directory name is queried as the path and stored in the description when the authorization group is created in the AD.
Solution: Ensure correct directory names in the descriptions of the groups.
b) 8MAN generates a new group, although a group with the same functions is already available
The content is not accepted by 8MAN.
If the group name exceeds a length of 60 characters, the name is reduced to max. 60 characters. Possibly migRaven and 8MAN do not abbreviate in the same way. This should be rectified.
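The name formation in section 2 c) and the two troubleshooting cases above can be checked before and after a migration. The following Python sketch is an added example, not part of migRaven or 8MAN: it flags planned names that exceed 60 characters and audits exported group names for the "_1" appendix, abbreviation and convention deviations. Prefix, separator and suffixes are this manual's example values; the function names and sample names are constructed, and the read-execute suffix must be added as configured.

```python
import re

# Example values from this manual's configuration; adjust to your own setup.
PREFIX, SEP, MAX_LEN = "8MAN", "_", 60
GROUP_TYPES = {"dl", "u", "g"}
# Suffixes listed in the manual; add your read-execute suffix as configured.
SUFFIXES = {"li", "w", "m", "mx", "f"}


def full_name(group_type, version, directories, suffix):
    """Unabbreviated name: prefix_type_version_directories_suffix."""
    return SEP.join([PREFIX, group_type, version, *directories, suffix])


def check_planned(version, directories, group_type="dl"):
    """Return (name, length) for planned groups that would be abbreviated."""
    hits = []
    for suffix in sorted(SUFFIXES):
        name = full_name(group_type, version, directories, suffix)
        if len(name) > MAX_LEN:
            hits.append((name, len(name)))
    return hits


def audit_existing(name):
    """Return findings for one group name exported from the AD OU."""
    findings = []
    parts = name.split(SEP)
    if parts[0] != PREFIX:
        findings.append("prefix differs")
    if len(parts) < 2 or parts[1] not in GROUP_TYPES:
        findings.append("unknown group type")
    if re.search(r"_\d+$", name):
        findings.append("numeric appendix: duplicate name or description mismatch")
    elif parts[-1] not in SUFFIXES:
        findings.append("unknown rights suffix")
    if "..." in name:
        findings.append("abbreviated name: compare shortening in both programs")
    if len(name) > MAX_LEN:
        findings.append("longer than 60 characters")
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from a real directory.
    for n in ["8MAN_dl_data_Sales_Reports_m", "8MAN_dl_data_Sales_Reports_m_1"]:
        print(n, audit_existing(n))
```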