Limit user access to files on a target file server

Set up the security permissions on a target file server to make sure that users have access only to the files that they back up.

By default, the first client that connects to a specific server share creates the RealTimeBackup directory. Permissions that are assigned to the RealTimeBackup directory do not prevent users from reading files that they do not own.

The settings that are used in this example assume one primary user of Tivoli® Storage Manager FastBack for Workstations on the client. This primary user is the first user that connects to the server and creates the subdirectory for files that are backed up from the client. If Tivoli Storage Manager FastBack for Workstations operates from other accounts on that client, failures might occur when copying files to the remote server. Error messages such as Failed to open the destination file are logged to the activity report.

Windows file server

This example assumes that the following conditions exist:
  • Start of changeThe Windows server shares a directory named c:\fileservertest.End of change
  • The accounts that are used to access the server are members of the Users group.

Access Control List (ACL) settings for the RealTimeBackup directory

ACL settings enable client accounts to create directories that are only accessible by the account that created them. As a result, the directory that contains data for a node is not created until that node connects to the server.

Using Windows Explorer, set the ACL for the c:\fileservertest\RealTimeBackup directory according to these settings:
Table 1. ACL settings for the RealTimeBackup directory
Type Name Permission Applies to
Allow Administrators Full Control This folder, subfolders, and files
Allow CREATOR OWNER Full Control This folder, subfolders, and files
Allow Users Special This folder only
Allow OWNER RIGHTS* Full Control This folder, subfolders, and files
*The OWNER RIGHTS object must be added for Windows 2008 Servers.
The ability for objects to inherit permissions from the parent is not set. As a result, set the Special access for the Users group to provide only these settings:
Traverse Folder / Execute Allow
List Folder / Read Data Allow
Read Attributes Allow
Read Extended Attributes Allow
Create Files / Write Data Allow
Create Folders / Append Data Allow
Delete subfolders and files Allow
Read Permission's Allow

ACL settings for the RealTimeBackup\BackupAdmin directory

The RealTimeBackup\BackupAdmin directory is used by the Tivoli Storage Manager FastBack for Workstations client to download revisions and configurations. Nodes require read-only access to these directories:

c:\fileservertest\RealTimeBackup\BackupAdmin
Table 2. ACL settings for the RealTimeBackup\BackupAdmin directory
Type Name Permission Applies to
Allow Users Read, Execute This folder, subfolders, and files
Allow Administrators Full Control This folder, subfolders, and files
The ability for objects to inherit permissions from the parent is not set. As a result, set the Special access for the Users group to provide only these settings:
Traverse Folder / Execute Allow
List Folder / Read Data Allow
Read Attributes Allow
Read Extended Attributes Allow
Delete subfolders and files Allow
Delete Allow
Read Permission's Allow

UNIX file server that is running Samba

This example, assumes that the Samba server is set up to share a directory named /fileservertest.

These settings enable users to create directories under the RealTimeBackup directory:
chmod o+wrxt /fileservertest/RealTimeBackup
chmod o+rx /fileservertest/RealTimeBackup/BackupAdmin
chown root /fileservertest/RealTimeBackup/BackupAdmin
In the Samba configuration file (smb.conf), set the create mask and directory mask parameters to each specify 0700. For example:
[fileservertest]
path = /fileservertest
writable = yes
create mask = 0700
directory mask = 0700
Parent topic: Troubleshooting the Tivoli Storage Manager FastBack for Workstations client
Parent topic: Troubleshooting the Tivoli Storage Manager FastBack for Workstations central administration console