Permission restrictions on file access

Just a note that I thought people might find useful. When trying to restrict access so that users could not download primary representations from FCSvr by simply dragging an asset out of the FCSvr window onto their desktop, I found that, regardless of what kind of restriction I placed on a user, I couldn't stop the user from being able to download the full-res primary rep. (Note: this client had all files located on Xsan or edit-in-place devices.) When I went home and tried again across the VPN connection, everything worked as originally planned. I got
ERROR: E_SECURITY Action copy_from on address /dev/6/EHN/PRH0567-DrDanielVaknin_03.mov is not permitted, due to security restrictions.
Which is what I was looking for in the first place. The lesson is, know that edit-in-place access to a device overrides FCSvr permissions on the availability of an asset to a user for downloading. FCSvr figures that because the person has edit-in-place capabilities, whatever permissions that user has to the file are already set up through Xsan.
Just thought I'd pass that tidbit along.
-- Jason Perr
MacHarmony

I agree with the behavior you have observed, but I think the explanation is a little simpler. It's not because FCSvr "figures that because the person has edit-in-place capabilities" that FCSvr should allow Xsan's permissions to override its own. It's because when there are EIP capabilities, FCSvr can't restrict access.
When dragging from the interface, FCSvr can deliver the content in one of two ways:
1. If it is not a device that is providing EIP access (the EIP path is set but is not accessible by the client), then the Java server is responsible for passing the content to the Java client, and it has a chance to control the access.
2. If it is a device that is providing EIP access, then the device is already mounted via the operating system and the OS controls access. So FCSvr is just pointing to a file that the user (presumably) already has permissions to read (and copy) by accessing it directly through the Finder or Terminal.
So it's not that enabling EIP access overrides FCSvr permissions so much as it sidesteps them to deliver the content over the fastest channel, that of the device mounted directly through the OS.
This is where careful use of ACLs in conjunction with FCSvr permissions can help restrict access. Unfortunately there are a lot more ways to control authorization from within FCSvr than are easy to map to ACLs, and one could accidentally remove access from people who should have it.
It would be interesting to script dynamic user-by-user ACL adjustments to underlying media based upon changes to the metadata and FCSvr permissions settings.
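As an added example (not code from the thread or from FCSvr), here is a small Python audit of the situation the reply describes: for an asset on an EIP device, the mode bits on the mounted volume decide whether a user can copy the primary representation, whatever FCSvr's own permission says. The users, uids, gids, mode bits and the two extra asset addresses are constructed sample data; FCSvr's decision is represented as a per-user flag, and extended ACLs are not modelled.

```python
import stat

# Constructed sample users: name -> (uid, gids). Not real accounts.
USERS = {
    "editor":   (501, {20, 1001}),
    "producer": (502, {20}),
    "intern":   (503, {20}),
}

# Constructed sample assets. "fcsvr_download" stands in for FCSvr's own
# permission decision per user; uid/gid/mode are what the Xsan volume reports
# for the file; "eip" says whether the client reaches the device edit-in-place.
ASSETS = [
    {"address": "/dev/6/EHN/PRH0567-DrDanielVaknin_03.mov", "eip": True,
     "uid": 501, "gid": 1001, "mode": 0o664,                  # other: r--
     "fcsvr_download": {"editor": True, "producer": True, "intern": False}},
    {"address": "/dev/6/EHN/interview_02.mov", "eip": False,  # served by the Java server
     "uid": 501, "gid": 1001, "mode": 0o664,
     "fcsvr_download": {"editor": True, "producer": False, "intern": False}},
    {"address": "/dev/6/EHN/raw_03.mov", "eip": True,
     "uid": 501, "gid": 1001, "mode": 0o660,                  # other: ---
     "fcsvr_download": {"editor": True, "producer": False, "intern": False}},
]


def posix_can_read(uid, gids, f_uid, f_gid, mode):
    """Classic POSIX class selection: owner, else group, else other.
    Extended ACLs on the volume are not modelled here."""
    if uid == f_uid:
        return bool(mode & stat.S_IRUSR)
    if f_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def effective_download(asset, user):
    """What the user can actually copy: on an EIP device the mounted file
    system decides; otherwise the Java server enforces FCSvr's decision."""
    uid, gids = USERS[user]
    if asset["eip"]:
        return posix_can_read(uid, gids, asset["uid"], asset["gid"], asset["mode"])
    return asset["fcsvr_download"][user]


def sidestepped(assets=ASSETS, users=USERS):
    """(address, user) pairs where FCSvr says no but the EIP mount says yes."""
    findings = []
    for a in assets:
        for u in users:
            if not a["fcsvr_download"][u] and effective_download(a, u):
                findings.append((a["address"], u))
    return findings


if __name__ == "__main__":
    for address, user in sidestepped():
        print(f"{user} can still copy {address} via the EIP mount")
```

Every finding is a file whose Xsan mode or ACL, not its FCSvr permission set, needs tightening.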

Similar Messages

  • Safe Protection of file access by all means

    Hello,
    we are currently in an implementation project where we get delivered sensitive denormalised data from special ledger.
    Denormalised means in this case that we post transaction data and master data attributes in one file.
    This is done for technical reasons. For example, if you have 1 million transaction data and 1 million master data,
    we speak about one trillion reads, which would tear down performance in any case.
    On the development and test systems we are currently in the middle of getting an anonymization solution on board.
    For the productive environment we have to access the files via ABAP in order to validate them.
    In SU21 (Overview authorisation objects) I found the authorisation object S_DATASET (see attachment),
    which seems suitable at first sight, but the authorisation object has to be checked by an ABAP program via the function module AUTHORITY_CHECK_DATASET, which means every developer can develop an ABAP program without the function module, by accident or otherwise. In both cases it means unlimited access to the files.
    I'm looking for a more kernel-based authorisation for file access.
    Additionally it should be common sense to restrict transaction AL11.
    + How can we protect the files in our productive environment by all means?
    + Are there other threats besides ABAP programs for the files in our scenario?
    We are on BW 7.0 SP23 / Basis 7.00 SP21 and ABAP 7.00 SP21. We are running on OS SunOS.
    Regards & Thanks,
    Guido Brune
    Documentation on S_DATASET:
    Definition
    Authorizations for accessing files from ABAP/4 programs.
    You use this object to assign authorizations for accessing operating system files (with the ABAP/4 keywords OPEN DATASET, READ DATASET, TRANSFER and DELETE). This keyword can also be used to assign the authorization for using operating system commands as a file filter.
    In ABAP/4 programs, you perform the authorization check with the function module AUTHORITY_CHECK_DATASET.
    Defined fields
    The object consists of the following fields:
    ABAP/4 program name: Name of the ABAP/4 program that contains the access. You can restrict the file access to a few known access programs.
    Activity: Possible values:
    33: Normal file read
    34: Normal file write or deletion
    A6: Read file with filter (operating system command)
    A7: Write to a file with filter (operating system command)
    File name: Name of the operating system file. Here, you can restrict the accessible files.

    I think securing the file path using the SPTH table and the S_PATH authorization object still makes sense as an additional level of security check. Not sure if I am complicating things, but it seems to me these basic steps need to be taken care of:
    1. OP should find the file path where the sensitive data would reside, for example say /tmp/sensitive_files
    2. Update table SPTH with this path and SAVEFLAG as X and FSBRGRU as the authorization group named for these files.
    3. Make sure t-codes that can update tables are restricted in Production, such as SM30 / SE16 / SE17, so that nobody can change this table. Again restricting S_TABU_DIS as well.
    4. Controlling the programs that have the ability to read and write to these sensitive files by using the S_DATASET object, by updating the field for program name and file path for the sensitive files in this object.
    5. Giving access to S_PATH and S_DATASET to users who really need to have access to this file path and programs that can access these files.
    S_PATH will help because suppose some previous security administrator has given the S_DATASET object in any role with wildcard access; without S_PATH they still will not be able to update the file.
    > "What happens when the program lets the user define the directory path for the inbound file, and another lets the user define the directory path for reading the dataset?"
    >
    The following settings restrict ABAP programs from accessing any files on the application server apart from those in the path '/tmp':
    PATH    SAVEFLAG    FS_NOREAD    FS_NOWRITE    FSBRGRU
    *       BLANK       X            X             BLANK
    /tmp    BLANK       BLANK        BLANK         BLANK
    So technically you can control paths which can be accessed by the ABAP programs.
    Edited by: Nishant Sourabh on Sep 13, 2010 10:48 PM
    Edited by: Nishant Sourabh on Sep 13, 2010 10:50 PM
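As an added example (not part of Nishant's answer and not SAP code), the following Python models how the SPTH rows shown above and the S_PATH group from step 2 combine. It assumes that the longest matching PATH prefix wins with '*' as the fallback, that FS_NOREAD and FS_NOWRITE deny that access outright, that a filled FSBRGRU requires S_PATH for that group, and that SAVEFLAG protects existing files from being overwritten or deleted; those ordering and SAVEFLAG semantics are simplifications of the kernel check, not a substitute for the SAP documentation. The group name ZSENS and the file names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SpthEntry:
    """One row of table SPTH (field names as in the table)."""
    path: str
    saveflag: bool = False    # assumption: existing files may not be overwritten/deleted
    fs_noread: bool = False
    fs_nowrite: bool = False
    fsbrgru: str = ""         # S_PATH authorization group; blank = no S_PATH check


# The two rows from the answer above: deny everything, then reopen /tmp.
SPTH_TMP_ONLY = [
    SpthEntry("*", fs_noread=True, fs_nowrite=True),
    SpthEntry("/tmp"),
]

# Step 2 of the list: the sensitive path protected by SAVEFLAG and a
# constructed authorization group ZSENS.
SPTH_SENSITIVE = [
    SpthEntry("*", fs_noread=True, fs_nowrite=True),
    SpthEntry("/tmp/sensitive_files", saveflag=True, fsbrgru="ZSENS"),
]


def _specificity(entry):
    # '*' is the least specific entry; otherwise a longer prefix is more specific.
    return 0 if entry.path == "*" else len(entry.path)


def matching_entry(entries, filename):
    """Assumed rule: the most specific matching prefix wins; '*' matches everything."""
    best = None
    for e in entries:
        if e.path == "*" or filename.startswith(e.path):
            if best is None or _specificity(e) > _specificity(best):
                best = e
    return best


def check_access(entries, filename, activity, user_path_groups, file_exists=True):
    """activity is 'read', 'write' or 'delete'; user_path_groups holds the FSBRGRU
    values the user is authorized for via S_PATH. Returns (allowed, reason)."""
    e = matching_entry(entries, filename)
    if e is None:
        return True, "no SPTH entry matches: path not restricted"
    if e.fsbrgru and e.fsbrgru not in user_path_groups:
        return False, f"S_PATH for group {e.fsbrgru} missing"
    if activity == "read" and e.fs_noread:
        return False, f"FS_NOREAD set on {e.path}"
    if activity in ("write", "delete") and e.fs_nowrite:
        return False, f"FS_NOWRITE set on {e.path}"
    if activity in ("write", "delete") and e.saveflag and file_exists:
        return False, f"SAVEFLAG on {e.path}: existing file protected"
    return True, f"allowed by entry {e.path}"


if __name__ == "__main__":
    print(check_access(SPTH_TMP_ONLY, "/usr/sap/DEV/data.txt", "read", set()))
    print(check_access(SPTH_SENSITIVE, "/tmp/sensitive_files/ledger.csv", "read", {"ZSENS"}))
```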

  • How to restrict users to access the files directly from /irj/go/km/docs/doc

    Dear Experts,
    I have made a folder in KM where I have saved some files, and I have also made an application from where users can access those files.
    But the users are able to access the files by directly typing the path of the file in Internet Explorer. I have to restrict it so that the user is not able to access the files directly.
    Please give your helpful suggestions.
    Warm Regards
    Upendra Agrawal
    Edited by: Upendra Agrawal on May 15, 2009 4:49 PM

    Hello,
    You can have a link/button react to a mouse click by reading the KM document and putting it on the HTTP flux with the correct header (this is the same kind of code that is used when you generate the PDF). As the file access is in your server code, the user will not have access to the URL...
    an example for WD Java (coming from this [PDF|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0cc41cb-9576-2b10-99a6-ab90ef28c73b]), with slight modifications :
    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import com.sap.tc.webdynpro.services.sal.url.api.WDWebResourceType;

    public void exportToPDF( ) {
       //@@begin exportToPDF()
       ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
       try {
          // read the file with KM API and copy it to the outputStream
          // (the read happens server-side, so the client never sees the KM URL)
          showPopUp(WDWebResourceType.PDF, outputStream, "PDF Out Put"); // helper from the PDF above
       } finally {
          try { outputStream.close(); } catch (IOException e) { /* nothing to release */ }
       }
       //@@end
    }
    regards
    Guillaume

  • Whenever I close down Photoshop CS5 I get the message: "Could not save Preferences because the file is locked or you do not have the necessary access privileges. Use the get info command in Finder to unlock the file or change permission on the file or enc

    Whenever I close down Photoshop CS5 I get the message: "Could not save Preferences because the file is locked or you do not have the necessary access privileges. Use the get info command in Finder to unlock the file or change permission on the file or enclosing folders." What on earth does it mean? How can I stop this message from appearing?

    See here:
    I cannot save recent images.

  • Problem with default file access permission

    Hi,
    I am accessing a common area '/NFS_DATA' by both my java and oracle codes by the users 'javaUsr' and 'oraUsr' respectively.
    As per the requirement, the oracle code (oraUsr) needs to create some file in the specified location and then the java code (javaUsr) needs to update those files (created by oraUsr) with some new data.
    At present scenario the 'oraUsr' creates files with default access permission 644, which does not permit 'javaUsr' to update them.
    Constraints : I am not supposed to set umask at the .profile of 'oraUsr'. Execution of any shell script from oracle procedure is not permitted.
    Is it possible to specify file-system specific default file access permissions??
    Any idea to overcome this issue??

    > Hi,
    > I am accessing a common area '/NFS_DATA' by both my java and oracle codes by the users 'javaUsr' and 'oraUsr' respectively.
    > As per the requirement, the oracle code (oraUsr) needs to create some file in the specified location and then the java code (javaUsr) needs to update those files (created by oraUsr) with some new data.
    > At present scenario the 'oraUsr' creates files with default access permission 644, which does not permit 'javaUsr' to update them.
    > Constraints : I am not supposed to set umask at the .profile of 'oraUsr'. Execution of any shell script from oracle procedure is not permitted.
    > Is it possible to specify file-system specific default file access permissions??
    > Any idea to overcome this issue??
    You might like to try using File ACLs
    man setfacl(1)
    as oraUsr (the owner entry is written as user::, the named entry for javaUsr as user:javaUsr:)
    setfacl -s user::rw-,user:javaUsr:rwx,group::r--,mask:rwx,other:--- file
    This way the oraUsr can not execute file but javausr can
    getfacl will show the ACL
    user::rw-
    user:javaUsr:rwx #effective:rwx
    group::rw- #effective:rw-
    mask:rwx
    other:---
    hope this helps a bit

  • File access Permission numeric value 640

    Hi,
   I am picking up the files from one FTP directory. The file has access permission with value 640. When I am connecting to the FTP server with user id & password I can move the files from the directory to the Arch directory. But when I am testing this with XI it is showing an error in Adapter monitoring as "FTPEx: 11260001.bwh: The file access permissions do not allow the specified action". Any suggestions on this?
    Regards,
    Daniel.LA

    Check this and this should solve your problem
    https://www.sdn.sap.com/sdn/collaboration.sdn?node=linkFnode6-1&contenttype=url&content=https:///message/589420#589420 [original link is broken]

  • I've just opened iTunes on my Mac with an error "The iTunes Library.itl file is locked, on a locked disk, or you do not have write permission for this file.". I created a shared library so that all users on my Mac can access the same library. Help?

    I have just opened iTunes on my Mac and the following error occurred: "The iTunes Library.itl file is locked, on a locked disk, or you do not have write permission for this file.". When I set up my Mac I created a shared user area to contain my iTunes library so that I could share it with another user logged onto my Mac. However the error above gives me the impression that the library file is locked... I've checked and it does not seem to be locked under the "Get Info" file information. Has anyone come across this before and found a solution?

    You also need to make sure you have both read and write permission for the file, or for the whole iTunes folder for that matter.  That's also done in Get Info for the file or folder concerned.
    Read the part about changing permissions on the iTunes folder in: https://discussions.apple.com/message/11583914

  • Manually add hidden Shares to Microsoft UAG File Access - You do not have permission

    Have made little progress adding hidden shares for Home Folder access, followed steps listed here
    http://itcalls.blogspot.ca/2012/10/manual-add-of-shares-to-microsoft-uag.html
    Manually entered the server and share name into "ShareAccessCfg.xml", activated the configuration once the shares showed up in file access console.
    However, our users still cannot access their Home Folder.
    Error displayed internally:
    Message displayed externally:

    We finally figured out what might be the cause: it seems our hidden file shares are hosted on Windows Server 2012 R2, which uses the SMB 3.02 dialect. Looking into the server manager a little deeper we noticed that the shares had SMB encryption enabled, which is not supported on Server 2008 R2 / UAG...

  • TS1717 iTunes, I have Windows 8, I get the message "the iTunes Library.itl file is locked, on a locked disk, or you do not have write permission for this file." How did this happen, how do I fix this?

    The message "The iTunes Library.itl file is locked, on a locked disk, or you do not have write permission for this file". I have Windows 8. How and why did this happen? How do I correct this and prevent another occurrence? I am able to access iTunes on my i5, iPad, and my old i4 that I use solely as my iPod now. At the time the problem occurred, I was connected to an external hard drive that holds over 190GB of music, to add to my library. I am now unable to add to my library using my laptop. Any advice/help is greatly appreciated!!

    I just had the same problem and was able to fix it after trying a couple of things I found after a search.
    The solution that worked for me:
    Find iTunes folder - it should be in C:\Program Files (x86) or similar depending on your operating system
    Right click the entire folder (no need to open it) and click properties
    Click the security tab
    Click edit and highlight the user name under which you logged in.
    Click the box next to full in the allow column, which should check everything
    Click apply
    Open iTunes
    This worked for me.

  • Error/warning message "you don't have permission to modify files in this network location"

    Hi,
    We have a Windows Server 2008 running, and we access it via remote desktop. And there's this certain folder that all users access, and where we save important files. So, since this is where important files are stored, we wanted to disable deletion (and if possible moving) of the folder and everything under it. However, it's harder than I thought. Right now, we have the permissions "Delete" and "Delete files and subfolders" disabled already, BUT when we try to save a file to this folder, we get this warning/error message:
    "You don't have permission to modify files in this network location"
    The file is saved however, but there's no content. But when we try to cut/copy an existing file to this folder, it works.
    Does anyone know a workaround for this issue? I've already spent days configuring the settings, and when one works, another issue comes up. This is really frustrating.
    Thank you.

    Hi,
    What are the NTFS Permissions and Share Permissions of the shared folder? If you remove delete permissions, when someone tries to create a new folder, they couldn't rename it. Without Delete permission, we can open, modify a file and save with the same file name but cannot create a new file with a new name.
    For more detailed information, please refer to the thread below:
    NTFS Permissions Question - Allow creation but not deletion
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/3335a9b3-d49a-42f0-970a-3fe44b551274/ntfs-permissions-question-allow-creation-but-not-deletion
    Best Regards,
    Mandy 

  • Sql agent job getting file access denied error

    I'm not sure if this question belongs in this forum. Please move it if you want to.
    Here is my question. I have an SSIS package that is running into an error at the file system task trying to move a file. The package is deployed to the catalog and I am running the package using the stored procedure
    [SSISDB].[catalog].[start_execution] @execution_id
    When I execute this stored proc in Management Studio while logged in under a sysadmin, everything works fine. But when I call the same T-SQL in a SQL Agent job, I get a file access denied error. This has something to do with the id that is getting used to run the package and I am not sure how to track that down. Any help would be appreciated.
    I've checked the Windows permissions on both the id that is running the SQL Agent and the SQL SSIS Service. Both seem to have the right Windows permissions.

    Please see:
    http://support.microsoft.com/kb/918760

  • MaxDB KNLDIAG file access denied

    Hi,
    I'm a DBA recently assigned to support a MaxDB database (ver 7.6) used by SAP Content Server in our Windows 2003/32-bit environments.
    Initially, our Windows support group granted the DBA group access to the files on E:\sapdb\data\wrk\CD1 where the KNLDIAG and other files are allocated. We were able to view the KNLDIAG file when errors occurred.
    However, when the database instance is placed offline and back online, we lose access to the KNLDIAG file, but not the other files on the same directory/subdirectory.
    Can you explain what is happening?
    Is MaxDB doing something behind the scenes?
    What can be done so that we don't lose access to this file?
    I would appreciate any help you can provide.
    Regards,
    Bill

    Hi Bill!
    > I'm a DBA recently assigned to support a MaxDB database (ver 7.6) used by SAP Content Server in our Windows 2003/32-bit environments.
    > Initially, our Windows support group granted the DBA group access to the files on E:\sapdb\data\wrk\CD1 where the KNLDIAG and other files are allocated. We were able to view the KNLDIAG file when errors occurred.
    > However, when the database instance is placed offline and back online, we lose access to the KNLDIAG file, but not the other files on the same directory/subdirectory.
    >
    > Can you explain what is happening?
    Yes, no problem!
    > Is MaxDB doing something behind the scenes?
    Of course not - it's well documented.
    Unlike Oracle, MaxDB does not use the same file all the time to write out the error messages.
    Instead, with every restart the last file 'KNLDIAG' (and/or 'KNLMSG' in more recent versions) is renamed to 'KNLDIAG.OLD'. If there is already a 'KNLDIAG.OLD', that file is gone afterwards.
    Then a new 'KNLDIAG' file is created by the MaxDB kernel with the default permissions of the folder.
    Usually these are dictated by the Windows account that runs the MaxDB service.
    If you did not change this, this would be the "local system account".
    On my test system this results in default permissions that allow members of "Administrators", "Backup Operators", "System" and of course the "Owner/Creator" to access the file.
    > What can be done so that we don't lose access to this file?
    Simple: if you want to access it via OS tools, make sure that the user is a member of the "Administrators" or the "Backup Operators" group.
    If you don't want to do that, just use the file access via the DBMGUI or DB Studio (or DBMCLI) to get access to the file.
    regards,
    Lars
    p.s.
    Maybe you didn't notice that by now - the KNLDIAG file is not simply appended to at the end, but consists of a startup header part and a body which is cyclically overwritten.
    For any newbies I cannot overstate the importance of reading the documentation [http://maxdb.sap.com] and/or getting training for it (SAP course ADM 515 really pays off here...)

  • The iTunes Library.itl is locked, on a locked disk, or you do not have write permission for this file.

    I just had to reset my entire laptop to factory settings, therefore my original iTunes was erased, leaving my iPhone 4 no accessibility for new music. I had to download CopyTrans so that I could transfer all things on my iPhone 4 onto my new iTunes. It said it transferred properly, but when I try and open iTunes, "The iTunes Library.itl is locked, on a locked disk, or you do not have write permission for this file." pops up. Please help.
    Thanks, Breanna

    I just had the same problem and was able to fix it after trying a couple of things I found after a search.
    The solution that worked for me:
    Find iTunes folder - it should be in C:\Program Files (x86) or similar depending on your operating system
    Right click the entire folder (no need to open it) and click properties
    Click the security tab
    Click edit and highlight the user name under which you logged in.
    Click the box next to full in the allow column, which should check everything
    Click apply
    Open iTunes
    This worked for me.

  • FTP file adapter: file access permissions do not allow the specified action

    Hi,
    I have the File to JDBC scenario. The file is extracted in AL11 folder of the Sending (BW) system.
    The folder is FTP enabled and the Unix admin says he has given full authorization to both the folder and ftp user.
    But in the File CC I get the following error "Could not process due to error: com.sap.aii.adapter.file.ftp.FTPEx: 550 TSMSACAIX5350.tar.gz: The file access permissions do not allow the specified action."
    Can someone advise what is wrong? I'm pretty sure it has to be a problem with the UNIX permissions. But the Unix admin says he has given full permission.
    I need to know what permissions need to be given?? Are there different permissions for application level and OS level??
    Please advise
    Thanks
    Prasanna

    >
    Prasanna Shanmugasundaram wrote:
    > Hi,
    > I have the File to JDBC scenario. The file is extracted in AL11 folder of the Sending (BW) system.
    > The folder is FTP enabled and the Unix admin says he has given full authorization to both the folder and ftp user.
    > But in the File CC I get the following error "Could not process due to error: com.sap.aii.adapter.file.ftp.FTPEx: 550 TSMSACAIX5350.tar.gz: The file access permissions do not allow the specified action."
    >
    > Can someone advise what is wrong? I'm pretty sure it has to be a problem with the UNIX permissions. But the Unix admin says he has given full permission.
    > I need to know what permissions need to be given?? Are there different permissions for application level and OS level??
    >
    > Please advise
    >
    > Thanks
    > Prasanna
    In the CC, did you set the delete mode on after processing the file? Maybe the file has read-only permission....

  • Problems with third party package and file access

    I am using a third party package that allows me to decode multipart forms that I use to upload files to our server. I have been able to write my own code (JSP) that both reads and writes to our filesystem. However, when I try to upload a file using the third party package the method I am using fails with the following IO exception: The error message is "access is denied." But the files get written and are usable (even binary files). I have checked the directories and all the dirs I am writing to have read, write and execute permission.
    I have access to the code so when I duplicate the actual methods used for writing (FileOutputStream.write(foo)) in my JSP, it writes fine without exceptions. In fact, I use FileOutputStream.write() in other code and it works fine. My question is: why would FileOutputStream work in packages we have developed and not in a third-party package. I have added the codebase and filePermissions to <weblogic_home>\weblogic.policy without any changes.
    I am running WLS 5.1 and NT 4.0 with SP5.
    Does this problem sound familiar to anyone?
    thanks for any and all help,
    saulj

    Hi Mike,
    If you have a third party Document Management System, then you can post two different messages, i.e. the service order in the transaction details of the third party tool with a link to the document which would be posted to the third party Document Management server.
    If you don't have a third party document management system and want to use the SAP infrastructure, then you don't need to maintain the attachment; maintain the link between the third party tool and the SAP document repository, with some login utilities.
    Best Regards,
    Pratik Patel.
    Reward with points if it is of any help to you!
