- 1. The Basics
- 2. General references for the prerequisites
- 3. migRaven
- 4. 8MAN
- 5. Troubleshooting
Version 2: as of migRaven version 2.1.1042.2 and 8MAN version 5.6.147. Status: 20.11.2014
Image 1: Overview
1. The Basics
The objective of this manual is to configure migRaven and 8MAN so that 8MAN takes over the authorization groups created by migRaven and works with them. The name and location of the authorization groups must therefore be designed so that 8MAN accepts the groups created by migRaven.
Numerous parameters for the name format and the storage location are affected. Some values are fixed in one program and must be set to match in the other. In some cases both programs leave room for several variants. Not all variants can be played through here, so I suggest one consistent and comprehensible example solution. Where several variants are available, I select a value for this example solution that leads to the same result in both programs.
To ensure that migRaven and 8MAN work together, the following prerequisites must be met:
a) the same group type for the authorization groups to be generated
b) the same storage location in AD for these groups
c) the same name formation for the groups in both programs
d) where the list rights are to be set
e) protection of the authorization end point (Modify Plus and/or Restricted Modify)
2. General references for the prerequisites
a) The group type
When forming a name, migRaven provides the following abbreviations for the three group types:
dl – for domain-local groups
u – for universal groups
g – for global groups.
In this manual, I have selected domain-local groups as the group type for the authorization groups. In 8MAN, the group type can be selected only at the beginning.
b) The storage location
The storage location of the 8MAN groups to be created is an AD OU (organizational unit in Active Directory). Both programs should create and use the authorization groups in the same AD OU. I have chosen the OUs “8MAN\servername” as the storage location. In migRaven, only test.local/8MAN is specified, because an organizational unit with the server name is automatically generated below it. In 8MAN, OU=win-server,OU=8MAN must be specified.
I would like to add that authorization groups can be moved to other OUs of the Active Directory without any problem. The authorization groups can also be divided among several OUs. This makes sense if there are corporate divisions that are each administered by a single data owner. In a company that is monitored entirely by one or several administrators, the authorization groups should be consolidated in one OU. In a big company in which administrators are responsible only for partial sections, distributing the authorization groups over several OUs can be meaningful.
c) The name formation
The group name consists of several elements connected by separators.
- Prefix – The prefix can be selected freely; in this example I choose “8MAN” as the prefix.
- Group type – As the group type, “dl” for domain-local groups was already chosen above.
- Version name – This does not appear necessary. It is, however, very helpful when the authorization groups are sorted by name in AD, because all groups of one version then appear together. Without the version name it can become problematic if there are subdirectories under different versions, because this leads to authorization groups with the same name, which does not work.
- Directory – The directory follows; it is mandatory in migRaven. It can be extended by the version and server names.
- Suffix for access rights – Abbreviations for the access rights are used as the suffix. In the new versions of migRaven these short names can be changed, so migRaven can now be adjusted to the settings of 8MAN. Like the directory, this suffix is mandatory. The following access rights are provided:
– List right – li
– read-execute – re
– read-write – w
– modify – m
– modify plus – mx (like modify, but moving and deleting the authorization end point is additionally prevented)
– full control – f
- Separator – I have selected the underscore as separator.
- If the group name exceeds a length of 60 characters, the name is shortened to max. 60 characters. To do this, characters are removed from the middle of the name and replaced by the character “…”.
d) The list groups
The levels in which list groups are created must be the same in both programs. Here I set levels 1 to 2 for these list groups. Creating list groups on the share (level 0) is not possible in either program.
e) Modify Plus / Restricted Modify
Both programs offer a rights configuration that prevents the deletion of a directory on which the user has modify rights. This should be used in both programs. With the latest versions, both programs use the same procedure: the modify right on the directory to be protected is changed so that the permission “Delete sub-folders and files” is set instead of the permission “Delete”. This ensures that the directory on which this permission is set cannot be deleted.
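The permission swap described above can be checked on a folder's access rules. The following PowerShell function is an added example, not code from migRaven or 8MAN; the function name, the group names under `TEST\` and the sample rules are constructed, and the check assumes that only Allow entries applying to the folder itself are relevant.

```powershell
# Added example, not migRaven/8MAN code. Checks whether the Allow entries a group holds
# on the folder itself grant "Delete" or only "Delete subfolders and files".
function Test-RestrictedModify {
    param(
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemAccessRule[]] $Rules,
        [Parameter(Mandatory)] [string] $Identity
    )
    $delete      = [int][System.Security.AccessControl.FileSystemRights]::Delete
    $deleteChild = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $mask = 0
    foreach ($rule in $Rules) {
        if ($rule.IdentityReference.Value -ne $Identity)    { continue }
        if ($rule.AccessControlType -ne 'Allow')            { continue }
        if ([int]$rule.PropagationFlags -band $inheritOnly) { continue }  # not applied to the folder itself
        $mask = $mask -bor [int]$rule.FileSystemRights
    }
    $hasDelete      = [bool]($mask -band $delete)
    $hasDeleteChild = [bool]($mask -band $deleteChild)
    [pscustomobject]@{
        Identity              = $Identity
        DeleteOnFolder        = $hasDelete
        DeleteSubfoldersFiles = $hasDeleteChild
        Protected             = ($hasDeleteChild -and -not $hasDelete)
    }
}

# Constructed sample rules (hypothetical group names). For a real folder pass
# (Get-Acl -Path <folder>).Access as -Rules instead.
$inherit = 'ContainerInherit, ObjectInherit'
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'TEST\8MAN_dl_V1_Projects_mx', 'ReadAndExecute, Write, DeleteSubdirectoriesAndFiles',
        $inherit, 'None', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'TEST\8MAN_dl_V1_Projects_m', 'Modify', $inherit, 'None', 'Allow')
)
'TEST\8MAN_dl_V1_Projects_mx', 'TEST\8MAN_dl_V1_Projects_m' |
    ForEach-Object { Test-RestrictedModify -Rules $rules -Identity $_ } |
    Format-Table -AutoSize
```

On NTFS a folder can also be deleted by a user who holds “Delete subfolders and files” on its parent, so the parent directory's rules should be reviewed in the same way.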
3. migRaven
a) Name conventions
The names of the authorization groups must be generated in exactly the same way by migRaven and 8MAN.
The name in migRaven is configured under “Group configuration”. The tabs “Type”, “Name”, “List-Right” and “Rights” are of interest.
b) The group type is determined under the tab “Type”
“And set up for the immediate use in 8MAN” ensures that the group description is created in an 8MAN-compliant form, so that the groups are recognized as 8MAN groups. This option should therefore be selected.
Although three group types are offered here, only domain-local groups and universal groups should be considered for the authorization groups. In this example, I select domain-local groups.
The field “in the OU (canonical name):” determines the OU in the AD in which the authorization groups are stored. With migRaven, note that an OU with the server name is automatically created under the specified OU. As an example, “test.local/8MAN” is entered. “test.local/8MAN/win-server” is then the AD OU for the common authorization groups.
It is possible to prevent the automatic generation and use of an OU with the server name under the specified OU. You can set this in migRaven.exe.config with the parameter “ServerOU”. However, the parameter must be set again after each re-installation of migRaven.
Image 2: Group type and storage location (AD-OU)
c) Under the tab “Name”, we create the group name
“8MAN” is entered as the group prefix. This prefix can be changed, but it must be set to the same value in migRaven and 8MAN. In migRaven, six elements are possible as components of the group name. In this example I do without “Server”. “Directories” and “Suffix” are mandatory and therefore cannot be deselected.
Select the following 5 elements, whose order must be set exactly with the buttons “upward” and “downward”:
- Prefix (Group prefix: 8MAN)
- Group type (u, dl, g possible; we selected domain-local)
- Directories (mandatory)
- Suffix (mandatory; can be set under the tab “Rights”)
- The underscore, the hyphen or the space are possible as separators between the elements. I selected the underscore ‘_’ as separator.
- The preview for the group name then shows: 8MAN_dl_<Version>_<Directories>_<Suffix>
Image 3: Group-Name
d) The tab “List-Right“
Under the tab “List-Right”, we enter the directory levels in which the explicit list authorization groups should be created. Below these levels, the main authorization groups of the underlying authorization end point are used with the list rights.
We would like to form the list groups on the 1st and 2nd levels.
Image 4: List-Groups
e) Under the tab “Rights”, the suffixes are determined
The suffixes are abbreviations for the access rights of the authorization groups to be created. From the suffix we recognize which access right the authorization group has. Under the tab “Rights”, we can determine these abbreviations. In our case, they must correspond to the ones in 8MAN. You can thus adjust migRaven to the settings in 8MAN.
The suffixes can be at most 4 characters long, and suffixes with the same name are not possible.
Do not forget to save.
Image 5: Permissions-Suffix
f) The Modify Plus-Right
In image 5, we see a special right, the Modify Plus right. It corresponds to the standard Modify right, but additionally prevents the user with modify rights from moving and deleting the authorization end point. You can set this right selectively wherever you find it necessary.
Not only the names but also the descriptions of the groups must be the same. The authorization groups are stored in the Active Directory. For each authorization group there is a description, which is visible on the group in the AD. This description is not only a comment. It contains the name of the directory for which the group was created and IDs for the marking. These IDs are important for 8MAN.
The directory specification in the description field must correspond to the future path; otherwise 8MAN does not take over this authorization group.
Image 6: Authorization group with the field “Description” in the AD. The directory name in the description field must correspond to the given path. In particular, the version name (marked here) is to be checked.
4. 8MAN
a) Name conventions
All settings are made in the program “8MAN-Configuration”. Below the button “Change-configuration”, we find the one for “Fileserver”. In the “Basic settings”, we activate the Group Wizard. It automatically creates user groups (8MAN groups) as soon as authorizations are changed with 8MAN.
b) The group type
As the group type, we select domain-local groups, as in migRaven. This selection is possible only once. After the configuration has been saved for the first time, the group type can no longer be changed!
The “Access categories” must correspond with those of migRaven:
f Full access
mx Restricted Modify (is described at the end of the documentation)
re Read and execute
li List folder content (only this folder)
Suffixes with the same name are not possible.
Image 7: 8MAN-Suffixes
We align the “8MAN-Groups” settings with those of migRaven. We enter the following group-specific characters: “g” for global groups, “dl” for domain-local groups, “u” for universal groups.
For list groups, in place of “li” we enter the group type that we have chosen for our authorization groups. In our example, this is “dl” for domain-local groups.
As separator, we select the underscore.
We change the list group suffix from “lst” to “li”.
Under “Path application in the group names”, we configure the component “Path” of the group names. We take the “Path from server”. In both migRaven and 8MAN, the server name could be added. The path name should consist of “All directories”. In migRaven this is mandatory and a shorter directory form is not possible. If the group name exceeds the length of 60 characters, both programs reduce it to below 60 characters. To do this, characters are removed from the middle and replaced by the character “…”.
Under “Name format”, we determine the order of the four name components. As in migRaven, we set the following order:
Group prefix x Group ID x Path x Category ID
As the separator, we have already selected the underscore.
We activate “Update name of 8MAN-Groups automatically in case of change actions”.
The preview for the group names shows us “8GP_g_Ordner1_Ordner2_Ordner3_Ordner4_f”. 8GP is the variable for the 8MAN-Group prefix. In the next section, we see how this variable is filled. The suffix (here “f”) varies depending on the given access categories.
Image 8: Name formation in 8MAN
c) Create storage location for 8MAN-Groups in the AD
Before we determine the group prefix, we will create the OU for 8MAN. In the AD, we create the OU “8MAN” and below it the OU “win-server” (OU=win-server,OU=8MAN) under the domain (for example test.local). If we worked before migRaven, these OUs would have to be made available.
d) Enter storage location and group prefix in 8MAN
In 8MAN, the name preview displays “8GP” as the group prefix. This is a placeholder that must be defined. To determine the group prefix and the AD OU for storing the authorization groups, we switch in “8MAN-Configuration” to “Scans”. There, for the domain, we open “Insert details”. In the last record, which starts with “8MAN-groups are in…”, we can determine the storage location and prefix of the authorization groups that the administrator creates.
Here we select the OU under which 8MAN should create the generated authorization groups: OU=win-server,OU=8MAN. The 8MAN group prefix (8GP), with which all authorization groups should begin, is set in the lowest row: 8M.
Image 9: Call and enter the group storage location in the AD and the 8MAN-group prefix (8GP)
My Windows server has the name “WIN-PLTC1P179JB”. In the documentation, I use the name “win-server” for the server name for the sake of simplicity. Hence the difference between the documentation and the screenshots.
e) List rights
In the program “8MAN-Configuration” under “Scans”, we expand the file server and enable “Insert details”. In the penultimate record, “List rights are automatically administered by 8MAN from directory level…”, we click the second word, “will”. Here the list rights can be configured:
We ensure that the “List rights (display folder content) are automatically administered”.
We select the mode: “Direct list group-membership”.
List groups are generated starting with level 1 for 2 levels.
On the following levels, the 8MAN-groups of the underlying authorization end point are authorized with list rights for the respective directory.
Image 10: Call and settings for the list group formation
f) Restricted Modify
The aim here is to prevent a user equipped with modify rights from moving or deleting their authorization end point.
Earlier, 8MAN implemented this with additional list groups. We do not use this variant. Thus under “Directory level of an authorization change”, we disable the functions “Create list groups…” and “protected directories …by an entry…for the list group” (image 10).
Image 11: Restricted Modify in 8MAN
The new variant for protecting the authorization end point is called “Restricted Modify”. We find it under the button “Change-Configuration”, then “File server” and “Access categories”. This function corresponds to the one in migRaven. The suffix can be selected freely; here we use “mx”.
5. Troubleshooting
a) 8MAN generates group names with the appendix “_1”
Cause: There is already a group with the same name in AD.
The group with the same name exists in another OU of the AD. The storage OUs of migRaven and 8MAN are not the same.
Solution: Move the authorization groups that migRaven generated into the OU in which 8MAN expects them, or set the storage location in 8MAN to the OU where the groups exist.
The group with the same name is in the same OU of the AD, but the descriptions of the groups are not the same. The directory name in a group description is wrong. The directory name is requested during the migration as the version path and stored in the description when the authorization group is created in the AD.
Solution: Ensure correct directory names in the description of the groups.
b) 8MAN generates a new group, although a group with the same functions is already available
The content of the description field is not accepted by 8MAN.
If the group name exceeds a length of 60 characters, the name is shortened to max. 60 characters. Possibly migRaven and 8MAN do not shorten in the same way. This should, however, be rectified.
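The name convention from section 2 c) and the troubleshooting causes above (a “_1” appendix, groups outside the expected OU, shortened names) can be checked in bulk. The following PowerShell function is an added example, not code from migRaven or 8MAN; the function name is hypothetical, the sample groups are constructed, and the domain part DC=test,DC=local is derived from the manual's example domain test.local.

```powershell
# Added example, not migRaven/8MAN code. Flags authorization groups that break the
# convention <prefix>_dl_<version>_<directories>_<suffix> or sit outside the expected OU.
function Test-AuthGroupNaming {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Group,   # needs Name and DistinguishedName
        [string]   $Prefix     = '8MAN',
        [string]   $GroupType  = 'dl',
        [string[]] $Suffixes   = @('li', 're', 'w', 'm', 'mx', 'f'),
        [string]   $ExpectedOU = 'OU=win-server,OU=8MAN,DC=test,DC=local',
        [int]      $MaxLength  = 60
    )
    begin {
        $alt     = ($Suffixes | ForEach-Object { [regex]::Escape($_) }) -join '|'
        $pattern = '^{0}_{1}_.+_({2})(_\d+)?$' -f ([regex]::Escape($Prefix)), ([regex]::Escape($GroupType)), $alt
    }
    process {
        $issues = @()
        if ($Group.Name -match $pattern) {
            if ($Matches[2]) { $issues += 'NumericAppendix' }   # e.g. "_1": name collision in AD
        } else {
            $issues += 'NameFormat'
        }
        if ($Group.Name.Length -gt $MaxLength)  { $issues += 'TooLong' }
        if ($Group.Name -match '\.\.\.|\u2026') { $issues += 'Shortened' }  # compare both tools' result
        if (-not $Group.DistinguishedName.EndsWith(",$ExpectedOU", [StringComparison]::OrdinalIgnoreCase)) {
            $issues += 'WrongOU'
        }
        [pscustomobject]@{ Name = $Group.Name; Issues = $issues -join ',' }
    }
}

# Constructed sample objects. Against a live domain (ActiveDirectory module) use instead:
#   Get-ADGroup -Filter "Name -like '8MAN_*'" | Test-AuthGroupNaming
$ou = 'OU=win-server,OU=8MAN,DC=test,DC=local'
$sample = @(
    @{ n = '8MAN_dl_V1_Projects_Sales_m';   ou = $ou }
    @{ n = '8MAN_dl_V1_Projects_Sales_m_1'; ou = $ou }
    @{ n = '8MAN_dl_V1_Projects_HR_re';     ou = 'OU=Groups,DC=test,DC=local' }
    @{ n = '8MAN_g_V1_Projects_HR_rw';      ou = $ou }
) | ForEach-Object { [pscustomobject]@{ Name = $_.n; DistinguishedName = "CN=$($_.n),$($_.ou)" } }

$sample | Test-AuthGroupNaming | Where-Object Issues | Format-Table -AutoSize
```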