Professional Documents
Culture Documents
Introduction
This technical note describes the process of configuring a security system using the
Malvern Access Configurator (MAC) software package. Examples are provided as to how
to control access to the Mastersizer 3000 and MAC software packages. However, the
process of enabling access control will be similar for other Malvern applications which use
the MAC application for security control. The only changes that will be observed between
different applications are the specific permissions which can be set for different user
roles.
1
Sales and services centres in over 65 countries
www.malvern.com/contact ©2016 Malvern Instruments Limited MRK1828-04
shows all the user roles which have been set up for the controlled applications. Both sections are blank in figure 1, as no
applications have been selected.
Selecting an application
The first task in using the MAC is to import the permissions file for the Malvern application you wish to control. This file lists all of
the securable actions, such as record creation or editing, which can be carried out with an application. In general, the permissions
file will be stored in the Program Files directory tree on the computer running the application. For the two applications we are
focusing on here, the permissions files can be found in the following directories.
• Mastersizer 3000: \Program Files\Malvern Instruments\Mastersizer 3000\Permissions.xml or \Program Files (x86)\Malvern
Instruments\Mastersizer 3000
• MAC: \Program Files\Malvern Instruments\Malvern Access Configurator\ Permissions.xml or \Program Files (x86)\Malvern
Instruments\Malvern Access Configurator
To import these permissions, right-click on the applications window (section 1 in figure 1 above) and select the Import
permissions file option, or use the File-Import permissions file menu option. Once these files have been successfully imported,
you will see each of the applications listed within the MAC software window (figure 2).
LDAP paths can be set to target specific areas of a network to speed up scanning and can be useful if you have a large network.
If LDAP is not supported by your network then a Windows Management Instrumentation (WMI) query can be used to search your
network as WMI is preinstalled by in Windows 2000 and newer operating systems. By not specifying the domain or server, the
query will search from the root and scan the entire network for users and groups.
Due to a limitation in the software, if you need to change a query types between LDAP or WMI; it would be best to create a new
query and delete the old one rather than editing an existing query.
To add new users and groups to the role, click the Add button. This will display a searchable list of all the users and groups found
during the network scan described above. Once the user (or group) has been added to the role, you can then configure a time
period during which the user will remain active within that role. By default, the Valid from and Valid to dates are set as blanks,
meaning that a user will immediately become active with the role, and will remain active indefinitely.
Figure 8: Sharing the permissions associated with one role within another role. In this example, the QC User role permissions will be
inherited by the Lab manager role.
As well as being able to apply the permissions from another role to the role you are configuring, you can also decide to share the
permissions of the current role with another role within the MAC system. So, let us assume there is a Facility Manager role, which
needs to have all of the capabilities of the Lab Manager role. To set this up, access the Has These Member Roles tab within
figure 7, and Add the Facility Manager role to the list (figure 9). This will ensure that all users assigned to the Facility Manager role
will be able to access all of the functions associated with the Lab Manager role.
Figure 9: Sharing the permissions associated with one role within another role. In this example, the Facility Manager role will inherit
all of the capabilities of the Lab Manager role.
To add specific permissions for the target application to the active role, click on the Add button with the Permissions From: tab
selected. A Select Permissions From: dialogue will then open, within which you will see a list of permissions you can set for the
target application. As an example, the list of configurable permissions for the Mastersizer 3000 application is shown in figure 11.
Use Ctrl-Click to select all of the permissions within the list that you want to assign to the current role. Clicking OK will add the
select permissions to the role. Follow the same procedure to select permissions for all the other roles you have configured.
It is suggested that the access control settings file is stored to the following directories, in order to ensure that the settings can be
found in the future:
• Mastersizer 3000 (v3.50 or earlier): \ProgramData\Malvern Instruments\Mastersizer 3000\MS3000 Security.xml
• Mastersizer 3000 (v3.60 or later): \ProgramData\Malvern Instruments\Mastersizer 3000\Configuration Files\MS3000
Security.xml
• MAC: \ProgramData\Malvern Instruments\Malvern Access Configurator\MAC Security.xml
However, if you wish to apply the same access control settings to multiple instances of the target application, you may wish to save
the access control settings file to a network location instead.
Note: Once the permissions file has been created, it is important that deletion of the file is prevented using the Windows operating
system file access controls. Read, write and modify access must, whoever, be maintained. The file is protected against unauthorized
changes using applications other than the MAC. Unauthorized changes will therefore be detected by the host application.
Finally, within the host application, you must now enable security and import the access control settings from the file(s) you have
just saved. For the Mastersizer 3000, this is done from the Options dialogue. Select the Access Control settings and select Enable
Access Control (figure 14). This can only be carried out if you are an administrator on the computer hosting the Mastersizer 3000
software. To ensure you are an administrator, you will be required to re-authenticate. Enter your password and click the blue arrow
icon. If authentication is successful, the Browse… button will become active. Click this and select the access control settings file
you wish to use. Clicking OK will cause the access permissions stored in the file to be applied. This is confirmed within the status
bar of the application.
Audit trails .xml C:\ProgramData\Malvern Instruments\Malvern Prevent deletion of the files in this
Access Configurator\Audit Trails directory. However, read, write
and modify access must be
maintained.
View audit trail files Open any audit trail file for viewing
Within the Security tab, click on the Advanced button. This will cause the Advanced Security Settings to be displayed. Within this
dialogue click on the ‘Change Permissions…’ button. This will bring up the permissions tab:
Clear the checkbox ‘Include inheritable permissions from this object’s parent’, shown in the dialogue above. If a warning is
displayed Add the parent settings before changing the security settings. This will prevent modifications to parent directories
overriding the changes which are being implemented:
Ensure that the Apply To setting is changed to This folder, subfolders and files. Clear the ‘Apply these permissions to
objects…’ checkbox as shown above. Then, click OK to apply the security settings.
Follow the procedure for the audit trail directory, security permissions file and general configuration files directory. The location of
these directories are provided in the Malvern Access Configurator (MAC) File Types and Locations section above. This section
details individual file types which must be controlled and the level of control required.
Disable the inheritance by selecting the Disable inheritance shown in the figure above. If a warning is displayed Convert the
inherited permissions into explicit permissions:
Select the Users group specifically for Read & execute that applies to This folder, subfolders and files and select to Edit the
permissions. This will cause the Permission Entry dialogue to appear:
In the Permission entry dialogue, toggle the view to show Advanced permissions. Then, allow access to all permissions with the
exception of:
• Full Control
• Delete subfolders and Files
• Delete
• Change Permissions
• Take Ownership