
GUIDE TO SETTING UP ACCESS PERMISSIONS IN THE MALVERN ACCESS CONFIGURATOR APPLICATION

Introduction
This technical note describes the process of configuring a security system using the
Malvern Access Configurator (MAC) software package. Examples are provided as to how
to control access to the Mastersizer 3000 and MAC software packages. However, the
process of enabling access control will be similar for other Malvern applications which use
the MAC application for security control. The only changes that will be observed between
different applications are the specific permissions which can be set for different user
roles.

Installing the Malvern Access Configurator


The Malvern Access Configurator software is provided on the software install CD-ROM for
the system you are using. To install it, open the Malvern Access Configurator directory
on the CD-ROM and run the setup.exe program.
A full set of requirements for running the MAC software is provided in the Software
Update Notification for the application. This is provided on the software CD-ROM and is
also available directly from Malvern Instruments. Please read this prior to installing the
software.
Note that, in common with all Windows applications, you must be an administrator on
the host computer in order for the software to install successfully. In addition, the MAC
software uses the existing Microsoft Windows users and groups configured on the host
computer to control access to a Malvern application. As such, prior to installing the MAC,
it is important to ensure that the computer running the Malvern software is installed on
its host network. If the computer is a stand-alone system, the required users and groups
must be configured on the computer prior to the use of the MAC.
Given the above requirements, it is advised that the local IT department review the
requirements for use of the MAC application, and are present during the software
installation process. If the MAC is to be configured during a system Installation
Qualification by a Malvern representative, then ideally the computer should be
considered before the date of the visit, as any delays in the installation process may incur
additional service charges.

Configuring the MAC application


When the MAC application is first opened, you will be presented with the application
window shown in figure 1. Section 1 of the interface lists all of the applications for which
access control can be configured using this installation of the MAC application. Section 2
shows all the user roles which have been set up for the controlled applications. Both sections are blank in figure 1, as no
applications have been selected.

Malvern Instruments Worldwide
Sales and services centres in over 65 countries
www.malvern.com/contact ©2016 Malvern Instruments Limited MRK1828-04

Figure 1: MAC application window.

Selecting an application
The first task in using the MAC is to import the permissions file for the Malvern application you wish to control. This file lists all of
the securable actions, such as record creation or editing, which can be carried out with an application. In general, the permissions
file will be stored in the Program Files directory tree on the computer running the application. For the two applications we are
focusing on here, the permissions files can be found in the following directories.
• Mastersizer 3000: \Program Files\Malvern Instruments\Mastersizer 3000\Permissions.xml or \Program Files (x86)\Malvern Instruments\Mastersizer 3000
• MAC: \Program Files\Malvern Instruments\Malvern Access Configurator\Permissions.xml or \Program Files (x86)\Malvern Instruments\Malvern Access Configurator
To import these permissions, right-click on the applications window (section 1 in figure 1 above) and select the Import
permissions file option, or use the File-Import permissions file menu option. Once these files have been successfully imported,
you will see each of the applications listed within the MAC software window (figure 2).



Figure 2: MAC application following successful import of the permissions for the Mastersizer 3000 and MAC applications.

Finding users and groups


The MAC application allows the access rights to be set for the Windows Users that are available to the system being configured,
either locally or via a network. The next task in configuring access rights is to create a cache detailing the available users and
groups. This can be done from the Local Options, accessed from the File-Local Options menu item (figure 3).
To initiate a scan, click on the Refresh Now option within the User and Groups Cache section of the Local Options dialogue.
This will cause the application to find all the Windows users and groups accessible from the computer on which the MAC
application is stored. Note that, depending on the size of your network, this action may take several minutes.
The default queries that are installed utilize LDAP to query the Active Directory server to scan for users and groups. If after
completing a scan no users or groups are found, this could indicate that LDAP is not supported or enabled on your network and
that a different method (WMI) will be required to scan for users. This can be done by creating your own query for finding users and
groups.



Figure 3: Local options for the MAC application.

Creating user and group queries


Custom queries can be created by clicking on Add to the right of the User and Groups Cache section of the Local Options
dialogue (figure 1).
Two types of queries can be created: LDAP (figure 4) or WMI (figure 5).

Figure 4: Creating an LDAP query
Figure 5: Creating a WMI query

LDAP paths can be set to target specific areas of a network, which speeds up scanning and can be useful if you have a large network.
If LDAP is not supported by your network, then a Windows Management Instrumentation (WMI) query can be used to search your
network, as WMI is preinstalled in Windows 2000 and newer operating systems. By not specifying the domain or server, the
query will search from the root and scan the entire network for users and groups.
Due to a limitation in the software, if you need to change a query's type between LDAP and WMI, it is best to create a new
query and delete the old one rather than editing the existing query.



Configuring User Roles
Once the users and groups accessible from the computer system have been cached, and the application permission files have been
loaded, the process of setting up roles within the MAC application can begin. Click the Create icon within the program’s ribbon
bar. This will cause the Role Detail dialogue to appear, where the name of a new role can be set, along with a role description
and the period of validity for the role (figure 6).
Once the role is created, it will appear in the Roles list within the main MAC software window (section 2 in figure 1).

Figure 6: Role creation dialogue.

Adding Users to a role


Once the role has been created, users from the local network can be added to the role. To do this, click on the role within the
application window and select the View/modify ribbon bar option.
This will cause the Role Detail dialog to appear (figure 7), with any users or groups associated with the role being listed on the
Users and Groups tab. In figure 7, two users have already been added to the selected role, along with one group.

Figure 7: Role Detail dialogue – users and groups tab

To add new users and groups to the role, click the Add button. This will display a searchable list of all the users and groups found
during the network scan described above. Once the user (or group) has been added to the role, you can then configure a time
period during which the user will remain active within that role. By default, the Valid from and Valid to dates are set as blanks,
meaning that a user will immediately become active with the role, and will remain active indefinitely.

Creating groups of roles


As well as being able to add users and groups to specific roles, it is possible to assign all of the capabilities of one role to another
role within the MAC application. As an example, let us assume that we have created a basic role for users who need to make
measurements (QC User). We may want lab managers to be able to make measurements as well. In order to do this, click on the Is
a Member Of tab (see figure 7), and use the Add function to include the QC Users role as part of the Lab Manager role (figure 8).
Lab managers will then be able to do everything that QC users can do within the applications controlled by the MAC.

Figure 8: Sharing the permissions associated with one role within another role. In this example, the QC User role permissions will be
inherited by the Lab manager role.

As well as being able to apply the permissions from another role to the role you are configuring, you can also decide to share the
permissions of the current role with another role within the MAC system. So, let us assume there is a Facility Manager role, which
needs to have all of the capabilities of the Lab Manager role. To set this up, access the Has These Member Roles tab within
figure 7, and Add the Facility Manager role to the list (figure 9). This will ensure that all users assigned to the Facility Manager role
will be able to access all of the functions associated with the Lab Manager role.

Figure 9: Sharing the permissions associated with one role within another role. In this example, the Facility Manager role will inherit
all of the capabilities of the Lab Manager role.

Assigning Permissions to Roles


Once all of the roles you require are set up within the MAC application, the next step in configuring a working security system is to
assign specific software permissions to each role. To do this it is important that you first select a target application from the
Applications list (found in section 1 of figure 1). Then, select a role from the Roles list (found in section 2 of figure 1) and click on
the View/modify ribbon bar icon. This will bring up the Role Detail dialogue. Within this, select the Permissions From: tab for
the application you are configuring. So, in the case of figure 10, it is the Mastersizer 3000 v1.1 application which is being
configured for the QC User role.



Note: make sure the correct application is listed in the title of the Permissions From: tab before continuing. If it is not displayed,
press Cancel and then select the correct application from the Applications list.

Figure 10: Role permissions view.

To add specific permissions for the target application to the active role, click on the Add button with the Permissions From: tab
selected. A Select Permissions From: dialogue will then open, within which you will see a list of permissions you can set for the
target application. As an example, the list of configurable permissions for the Mastersizer 3000 application is shown in figure 11.
Use Ctrl-Click to select all of the permissions within the list that you want to assign to the current role. Clicking OK will add the
selected permissions to the role. Follow the same procedure to select permissions for all the other roles you have configured.

Figure 11: Permissions for the Mastersizer 3000 v3.50 application.



Controlling access to multiple applications
Once the permissions have been set for one application within each role, access permissions can be configured for the same set of
roles for any other application controlled by the MAC. To do this, select a new application from the Applications list, select the
role of interest from the Roles list and click View/modify. As an example, access to the MAC application may be required for the
facility managers group mentioned above. To enable access, select the MAC application and the Facility Manager group and click
View/modify. The permissions can now be set for the MAC application, in the same way as for the Mastersizer 3000 application
(figure 12).
Note that in this case, the Permissions From: tab confirms that it is the Malvern Access Configurator Version 1.80 application
which is being configured rather than the Mastersizer 3000 application.

Figure 12: Assigning permissions for the MAC application to a role.

Creating an Administrator role when securing the MAC application


It is advisable to create an Administrator role to which you assign the current user, i.e. the user account you are logged in as when
using the MAC. The role should be given full permissions to access all features of the MAC. This will ensure that you will not lock
yourself out of the system and will always have a way in to reconfigure access control for other users. You may also choose to
assign other users or groups to the Administrators role.

Exporting Security Permissions


When you have finished configuring all of the roles required for your organization, the final stage in setting up the security system
for a given application is to export the access control settings from the MAC application and import them into the host application.
To export the security settings, select the application of interest from the Applications list. Then, from the ribbon bar, select the
Export settings file option. This will cause an Export Access Control Settings dialogue to appear (figure 13). Use the … button
to select a file name and directory.



Figure 13: Exporting access control settings.

It is suggested that the access control settings file is stored to the following directories, in order to ensure that the settings can be
found in the future:
• Mastersizer 3000 (v3.50 or earlier): \ProgramData\Malvern Instruments\Mastersizer 3000\MS3000 Security.xml
• Mastersizer 3000 (v3.60 or later): \ProgramData\Malvern Instruments\Mastersizer 3000\Configuration Files\MS3000 Security.xml
• MAC: \ProgramData\Malvern Instruments\Malvern Access Configurator\MAC Security.xml
However, if you wish to apply the same access control settings to multiple instances of the target application, you may wish to save
the access control settings file to a network location instead.
Note: Once the permissions file has been created, it is important that deletion of the file is prevented using the Windows operating
system file access controls. Read, write and modify access must, however, be maintained. The file is protected against unauthorized
changes using applications other than the MAC. Unauthorized changes will therefore be detected by the host application.
Finally, within the host application, you must now enable security and import the access control settings from the file(s) you have
just saved. For the Mastersizer 3000, this is done from the Options dialogue. Select the Access Control settings and select Enable
Access Control (figure 14). This can only be carried out if you are an administrator on the computer hosting the Mastersizer 3000
software. To ensure you are an administrator, you will be required to re-authenticate. Enter your password and click the blue arrow
icon. If authentication is successful, the Browse… button will become active. Click this and select the access control settings file
you wish to use. Clicking OK will cause the access permissions stored in the file to be applied. This is confirmed within the status
bar of the application.

Figure 14: Enable Access Control



A similar process needs to be followed to secure the MAC application. Select the File-Local Options menu item. This will cause
the Local Options window to appear (figure 1). From within this, click the Browse… button within the Access Control section of
the dialogue. Using this, find the access control settings file you saved.
Once this is loaded, security control of the MAC application will be enabled. This will be confirmed within the status bar of the
application.

Auditing Malvern Access Configurator Actions


The functions described above for the MAC application can be powerful in scope, in that access to other applications can be easily
enabled and disabled. For this reason, access to the MAC application should be controlled within your organization.
You may wish to limit the number of systems the MAC is installed on in order to prevent unauthorized access. You can also use
the security system within the MAC application to control access. Access rights for different roles can be configured for the MAC
application using the process described in this document. Security is then enabled by opening the Local Options dialogue using
the File-Local Options menu item. Within the Local Options, locate the Access Control section and click Enable. You can then
select the permissions file you have created for the MAC application. A list of the permissions which can be assigned to roles for
the MAC application is provided in the appendix to this document.
You may also wish for all MAC activity to be audited. To do this, open the Local Options dialogue again. Within this, there is an
Audit trail section. To enable the audit system, click the Enable button and then click OK. The fact that the auditing is active will
be reported within the status bar of the application. In addition, the audit trail will be able to be viewed using the View… icon
within the Audit Trail section of the ribbon bar.
The appendix to this document lists the files used by the MAC and provides advice regarding how these can be secured in order to
prevent unauthorized changes to the MAC security and audit functions.



Appendix
Malvern Access Configurator (MAC) File Types and Locations
The MAC software uses a series of different file types in order to store data and settings. These are described below, in order to
help users who wish to secure the MAC software using the Microsoft Windows security and access settings. Guidance regarding
how to set up the security settings is provided in the Windows Security Settings section of this appendix.

| File Type | Extension | Default Path | Advised security setting for 21CFR Part 11 Mode |
|---|---|---|---|
| Audit trails | .xml | C:\ProgramData\Malvern Instruments\Malvern Access Configurator\Audit Trails | Prevent deletion of the files in this directory. However, read, write and modify access must be maintained. |
| Security configuration file | .xml | Exported from the Malvern Access Configurator (MAC) application. The directory is user-specified. Malvern advise that the file should be stored in the C:\ProgramData\Malvern Instruments\Malvern Access Configurator directory. | Prevent deletion of this file once it is created. However, read, write and modify access must be maintained. |
| Various system wide configuration files | Various | C:\ProgramData\Malvern Instruments\Malvern Access Configurator | Full access must be maintained to this directory for the program to function correctly. |

Malvern Access Configurator (MAC) Permissions


The security permissions that can be set for different Groups within the MAC software are detailed below.

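| Permission Section | Permission | Description | Typical access required |
|---|---|---|---|
| Files | Import permissions file | Import the permissions file for an application | Usually enabled for administrators only |
| Files | Delete permissions file | Delete the permissions file for an application | Usually enabled for administrators only |
| Files | Export application access control settings | Export an access control settings file for any application (e.g. permissions.xml) | Usually enabled for administrators only |
| Files | View audit trail files | Open any audit trail file for viewing | Usually enabled for administrators only |
| Roles | View Roles | View the details of a role | Usually enabled for administrators only |
| Roles | Create Roles | Create new roles | Usually enabled for administrators only |
| Roles | Delete roles | Delete an existing role | Usually enabled for administrators only |
| Roles | Modify roles | Modify the details of an existing role | Usually enabled for administrators only |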



Windows Security Settings
For this section of the appendix, it is assumed that you have the required administrator rights for the system upon which the
Malvern software is being installed, allowing you to install or update software and configure Windows security permissions.

Changing the directory security permissions in Windows 7


Navigate to one of the directory folders that need to be secured, as listed in the Malvern Access Configurator (MAC) File Types
and Locations section above. Right-click on the folder and open the folder properties from the context menu. Within this,
switch to the Security tab:

Within the Security tab, click on the Advanced button. This will cause the Advanced Security Settings to be displayed. Within this
dialogue click on the ‘Change Permissions…’ button. This will bring up the permissions tab:

Clear the checkbox ‘Include inheritable permissions from this object’s parent’, shown in the dialogue above. If a warning is
displayed, Add the parent settings before changing the security settings. This will prevent modifications to parent directories
overriding the changes which are being implemented:



Next, check the ‘Replace all child object permissions…’ option, as shown above. This will apply the changes we make to permissions for
all files in this directory. Select the Users group and Edit the group’s permissions. This causes the Permission Entry dialogue to
appear:

Allow access to all permissions with the exception of:


• Full Control
• Delete subfolders and Files
• Delete
• Change Permissions
• Take Ownership

Ensure that the Apply To setting is changed to This folder, subfolders and files. Clear the ‘Apply these permissions to
objects…’ checkbox as shown above. Then, click OK to apply the security settings.
Follow the procedure for the audit trail directory, security permissions file and general configuration files directory. The locations of
these directories are provided in the Malvern Access Configurator (MAC) File Types and Locations section above. That section
details the individual file types which must be controlled and the level of control required.

Configuring Windows 8/10 security permissions


Navigate to one of the directory folders that need to be secured, as listed in the Malvern Access Configurator (MAC) File Types
and Locations section above. Right-click on the folder and open the folder properties from the context menu. Within this,
switch to the Security tab:



Within the Security tab, click on the Advanced button. This will cause the Advanced Security Settings to be displayed. Within this
dialogue click on the ‘Change Permissions…’ button. This will bring up the permissions tab:

Disable inheritance by selecting the Disable inheritance option shown in the figure above. If a warning is displayed, Convert the
inherited permissions into explicit permissions:



This will prevent modifications to parent directories overriding the changes we are implementing. Next, check the ‘Replace all child
object permissions…’ option shown above. This will apply the changes we make to permissions for all files in this directory.

Select the Users group, specifically the entry for Read & execute that applies to This folder, subfolders and files, and select Edit to
change the permissions. This will cause the Permission Entry dialogue to appear:

In the Permission entry dialogue, toggle the view to show Advanced permissions. Then, allow access to all permissions with the
exception of:
• Full Control
• Delete subfolders and Files
• Delete
• Change Permissions
• Take Ownership



Ensure that the Applies To setting is still This folder, subfolders and files. Clear the ‘Apply these permissions to objects…’
checkbox as shown above. Apply the setting and select OK to close the dialogue. This will configure the security settings.
Follow the procedure for the audit trail directory, security permissions file and general configuration files directory. The locations of
these directories are provided in the Malvern Access Configurator (MAC) File Types and Locations section above. That section
details the individual file types which must be controlled and the level of control required.
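
The folder permission procedure above (the same in the Windows 7 and Windows 8/10 variants) scripted in PowerShell, as an added example that is not part of the Malvern note or its software. The function names Set-MacFolderAcl and Test-MacFolderAcl are hypothetical; the check in Test-MacFolderAcl goes beyond the steps in the note by reporting any other non-administrative entry that still carries one of the withheld permissions.

```powershell
# Added example, not Malvern code. Run from an elevated PowerShell prompt.
# Function names are hypothetical; the folder is the default audit trail path from the appendix.
$ErrorActionPreference = 'Stop'

# Advanced permissions the procedure withholds from the Users group.
$Withheld = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Every other entry in the Advanced permissions list: read/execute plus write.
$Granted  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write, Synchronize'
$UsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users

function Set-MacFolderAcl {
    param([Parameter(Mandatory)][string]$Path)   # a directory, not a single file

    # Disable inheritance, converting inherited entries into explicit ones.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Replace every existing Users entry with one Allow rule that applies to
    # "This folder, subfolders and files" with the "Apply these permissions
    # to objects..." (no-propagate) flag left clear.
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules($UsersSid)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $UsersSid, $Granted, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # "Replace all child object permissions": reset existing children so
    # they carry only what they inherit from this folder.
    & icacls.exe (Join-Path $Path '*') /reset /T /C /Q | Out-Null
}

function Test-MacFolderAcl {
    param([Parameter(Mandatory)][string]$Path)

    $exempt     = 'S-1-5-32-544', 'S-1-5-18'   # Administrators, SYSTEM
    $genericAll = 0x10000000                   # raw GENERIC_ALL bit (full control)
    $mask       = [int]$Withheld -bor $genericAll
    $sidType    = [System.Security.Principal.SecurityIdentifier]

    # Emit one object per Allow entry that still grants a withheld right.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($exempt -contains $ace.IdentityReference.Value) { continue }
        $excess = [int]$ace.FileSystemRights -band $mask
        if ($excess -ne 0) {
            [pscustomobject]@{
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                AppliesTo = $ace.InheritanceFlags
                Inherited = $ace.IsInherited
            }
        }
    }
}

$folder = 'C:\ProgramData\Malvern Instruments\Malvern Access Configurator\Audit Trails'
Set-MacFolderAcl -Path $folder
Test-MacFolderAcl -Path $folder | Format-Table -AutoSize
```

An empty result from Test-MacFolderAcl means no non-administrative entry can delete or re-permission the files. Any row it returns, such as an entry for another group carried over from the parent folder when inheritance was converted, needs review before the folder is treated as protected against deletion.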

Malvern Instruments Ltd


Enigma Business Park • Grovewood Road
Malvern • Worcestershire • UK • WR14 1XZ
Tel: +44 (0)1684 892456
Fax: +44 (0)1684 892789
Malvern Instruments Worldwide
Sales and service centers in over 50 countries
for details visit www.malvern.com/contact
© Malvern Instruments Ltd 2016

more information at www.malvern.com

