Security descriptors

All securable objects, such as files and folders, Active Directory objects, services, or registry objects, on a local computer or network have security descriptors that help control access to those objects. Security descriptors contain information about who owns an object, who can access it and in what way, and what types of access are audited.

Arellia Management Server (AMS) includes built-in security descriptors that secure all the items in your system when you install AMS. If the existing security descriptor for the Item you want to secure is insufficient, you can adjust it by adding roles and changing the rights assigned to the trustees.

View an existing security descriptor

To view the security descriptor for a folder or file, do the following steps:

  1. In the Security Manager Console, go to the Item you want to change the user rights for.
  2. In the left-side folder library, choose the folder you want and right-click it.
  3. Click Properties.
  4. In the Properties dialog box that appears, click the Security tab.

These steps display the security descriptor for the folder or file. To assign a security descriptor to an item, perform the steps in the following section.

Modify security descriptors

If you want to grant or revoke access to items, then most often you will simply assign a different security descriptor to those items or folders. For details about assigning a different security descriptor to an item, go to Modify Access to Items.

If you want more granular access to items, then you can create a custom security descriptor. 

Create a custom security descriptor

The best practice for creating a custom security descriptor is to first clone an existing security descriptor that already contains the attributes you want, such as Admins, Users, and Helpdesk, along with all of the rights assigned to those roles. After you create the clone, add a new role and assign rights to it.

Important

You must have Full Access rights to modify or clone a security descriptor; members of the AMS Administrators role have Full Access rights. If you are not a member of the AMS Administrators role, contact a member of that group to apply these changes.

To create a clone of a security descriptor, do the following steps:

  1. In the Security Manager Console, go to the Resources tab.
  2. In the left-side folder library, click Security Descriptor User Defined.
  3. In the pane on the right, choose the security descriptor you want to clone and right-click it.
  4. Click Clone.
  5. In the Clone Item dialog box that appears, enter the name of the cloned item and click OK.
  6. In the Security Descriptor, under Group or user names, click the Add button.
  7. In the Select Resource dialog box, double-click the role you want to add to the security descriptor.
  8. Click the permissions you want for the new role you added.
  9. Click Save.
