Windows NT Security on the Deployment Server

Hi JDEList
We are evaluating the Windows NT security on the deployment server. Right now our B7333 folder on the deployment server is shared and domain admins have full control on this folder and productions users have only read only access. My question is whether this folder need to be shared or not. If yes then what should be the shared permission level.
Also I was going through the chapter 11 of the installation guide ( Setting up windows Nt security for oneworld directories). This chapter tell about giving the change permission on jdeclnt.ddc, jdeclnt.xdc files inside the client folder(within B7333) and some change permission in the pathcode directory to the users. Can anyone help me understand why this is needed? With our current settings are we ok or we need to change it?

Thanks

Vivek :

Your users need to access that share for accessing packages, pathcodes
and licenses from client workstations.
Regular users just need write access to \b7333\client and read access
to the remaining folders.
Developer users need the same permissions plus write rights on pathcodes.
Finally, administrators should be have full rights.
You can apply Change rights to the share, and specifical NTFS to the
different user groups on every NTFS folder below \b7333.

Sebastian Sajaroff (JDELIST)

Vivek, we have B7333 shared and Domain and JDE Admins have full permissions while Everyone has Read permissions. The only gotcha I've seen from this is that you have to be an Admin to do a client install of JDE since Everyone can't write to the JDE License files. Since we only have 4 fat clients for development, it hasn't really been a problem for us.

Hi Charles
We have almost the same configuration. But we have give some production users rights to create the batch versions and I think that these users will not be able to check in the batch versions if they do not change/full access to the Development Path code directory. Is that Right?

Vivek, I hope someone will correct me if I'm worng, but it's my understanding that checking any object in places it on the Enterprise Server, not the Deployment Server, thus the NT permissions on the Deployment Server would not be a consideration. As I understand it, the objects are JITIed from the Enterprise Server to the Deployment Server only during a package build. Would one of you more experienced CNC guys either verify or refute my understanding please?

Piano :

BSFN and TBLE checkin processes move .C and .H files to
entries to the Central Objects tables.

Sebastian Sajaroff (JDELIST)

Pianosynth,

Checking in objects update the central objects repository from local
client TAM specs. Central objects have 2 components: C source code AND
an RDB component. Normally, the RDB component is stored on the
enterprise server. The C source code is ALWAYS stored on the deployment
server.

So:
If checking in BSFN's --> Deployment server is updated under path code
If checking in other objects --> RDB is updated (F987* tables).

NT permissions on the DS are therefore a consideration.

Trust this helps,
OW_developer
Xe, SP18.1, W2K, SQL2000.

Thanks for the reply, Sebastian. I found it worthwhile to publish for the entire forum. Since our developers are also administrators, this bit of information was never important to us, but it is a good distinction to keep in mind. Is there any thing to keep in mind with BSVWs or DSTRs?

Sebastian replied to me:

BSFN and TBLE checkin processes move .C and .H files to
\b7333\<pathcode>\source and \include folders and they also add
entries to the Central Objects tables.

Sebastian Sajaroff (JDELIST)

Thanks everybody.. now I am understand the NT security on the deployment server much better..
One Last Question
What about the Media folder inside the B7333 folder on deployment server. I think that production users should have only read access. Please confirm.
Thanks

This is a full list of proper Deployment Server file permissions.

Don't forget to remove Everyone Full Control and let the change be inherited down before applying these changes.


Let's see if this pastes ok:



1.1.1. \JDEdwardsOneWorld\B7333\Client
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

1.1.2. \JDEdwardsOneWorld\B7333\Client\jdeclnt.ddc,
\JDEdwardsOneWorld\B7333Client\jdeclnt.xdc

¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Change
¨ JDE Power Users .....Change
¨ JDE Developers .....Change

1.1.3. \JDEdwardsOneWorld\B7333\DV7333, \JD7333, \PD7333, \PY7333
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Change
¨ JDE Developers .....Change

1.1.4. All subdirectories of \DV7333, \JD7333, \PD7333, \PY7333, except \package
¨ JDE Users .....Change

1.1.5. \JDEdwardsOneWorld\B7333\Database
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....No Access
¨ JDE Power Users .....No Access
¨ JDE Developers .....No Access

1.1.6. \JDEdwardsOneWorld\B7333\Helps
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

1.1.7. \JDEdwardsOneWorld\B7333\Hosts
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....No Access
¨ JDE Power Users .....No Access
¨ JDE Developers .....No Access


1.1.8. \JDEdwardsOneWorld\B7333\Mediaobj
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only ?
¨ JDE Power Users .....Read Only ?
¨ JDE Developers .....Read Only ?

1.1.9. \JDEdwardsOneWorld\B7333\Planner
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....No Access
¨ JDE Power Users .....No Access
¨ JDE Developers .....No Access

1.1.10. \JDEdwardsOneWorld\B7333\Printqueue
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....No Access
¨ JDE Power Users .....No Access
¨ JDE Developers .....No Access

1.1.11. \JDEdwardsOneWorld\B7333\System
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

1.1.12. \JDEdwardsOneWorld\B7333\ESU
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....No Access
¨ JDE Power Users .....No Access
¨ JDE Developers .....No Access

1.1.13. \JDEdwardsOneWorld\B7333\HelpsComp
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

1.1.14. \JDEdwardsOneWorld\B7333\CognosOneWorld
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

1.1.15. \JDEdwardsOneWorld\B7333\CD_Templates
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only


1.1.16. \JDEdwardsOneWorld\B7333\Feature_Inf
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....No Access
¨ JDE Power Users .....No Access
¨ JDE Developers .....No Access


1.1.19. \JDEdwardsOneWorld\B7333\OneWorld Client Install
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

1.1.20. \JDEdwardsOneWorld\B7333\Open Data Access
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....No Access
¨ JDE Power Users .....No Access
¨ JDE Developers .....No Access

1.1.21. \JDEdwardsOneWorld\B7333\Package_Inf
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

1.1.22. \JDEdwardsOneWorld\B7333\SystemComp
¨ DEPSERVERNAME\Administrators .....Full Control
¨ JDE Users .....Read Only
¨ JDE Power Users .....Read Only
¨ JDE Developers .....Read Only

Vivek,

by all means secure the Media Objects folders . . . if you don't want to give users the ability to attach OLE objects. This applies if the paths defined in P98MOQUE are still the defaults mapped to the Deployment Server.

What about security on JDEdwardsOneWorld\B7333\ActivEra
folder?