Show Contents / Index / Search

Restrict Access with Permissions Manager

As an administrator, you may want to reduce complexity by limiting users' ability to modify their workspace or session documents. In Reflection, you can disable settings by configuring access files and storing them in your users' AppData directory. There are different access files for mainframe, AS/400, UNIX/OpenVMS, and application-wide settings. Plus, there is a separate access file for actions, such as creating new session documents or showing the UI Designer.

The Reflection Permissions Manager is used to create .access files that can be deployed to user machines to restrict configuration settings and features.

The following access file templates are distributed with Reflection 2011:

This File

Controls access to…

actions.access

Reflection 2011 actions (for example, Auto Complete)

application.access

Reflection 2011 workspace settings

rd3x.access

Reflection 2011 3270 terminal settings

rd5x.access

Reflection 2011 5250 terminal settings

rdox.access

Reflection 2011 VT terminal settings

Important: Be sure to set file access rights on .access files that you deploy to prevent users from deleting, replacing, or editing them.

To set access with Permissions Manager

  1. On a workstation on which you have installed Reflection, in the Reflection 2011 install folder, run AccessConfig.exe. (Administrator rights are required.)
  2. When prompted to create a new permission file, or edit an existing one, choose Create new permission file. (The first time you run the tool, you will need to create a file.)
  3. When prompted with a list of access file templates, choose the type of permission file to create.
  4. Under Groups, select the type of setting to control access to (for example, the Document\Connection\TN3270Basic group).

    Note: Settings in Reflection 2011 are in "groups" and each group has a path name.

  5. In the Items box, in the Accessibility field for the item (or items) you want to restrict, click Full and then select Restricted from the drop down menu.
  6. If you are configuring rd3x.access, rd5x.access, or rdox.access files, under Additional security options, select how to control session file encryption:

    To do this

    Select

    Configure all sessions so that users can open only encrypted display session files.

    User can open only encrypted session files

    Configure all sessions so that users can save a display session only if it is encrypted.

    User can save only encrypted session files

  7. Set up a companion installation file that includes the .access file you created and then deploy this file to users. For Reflection to use the .access file you create, you must deploy it to the following folder:

    [AppDataFolder]\Attachmate\Reflection\Workspace\data_folder

    Note: The name of the last folder (data_folder) in this directory is specific to the version of Reflection. For Reflection 2011 R1, this folder is R2011. For subsequent versions, it is R2011_versionName. (For example, the folder name in Reflection 2011 R2 is R2011_R2.)

Important:

For Reflection 2011 to use the .access files you create, you must deploy them to the following folders:

(Vista and Windows 7) Users\yourUserName\AppData\Roaming\Attachmate\Reflection\
Workspace\data_folder

(XP)
Documents and Settings\yourUserName\ApplicationData\Attachmate\
Reflection\Workspace\data_folder

Note: The name of the last folder (data_folder) in this directory is specific to the version of Reflection. For Reflection 2011 R1, this folder is R2011. For subsequent versions, it is R2011_versionName. (For example, the folder name in Reflection 2011 R2 is R2011_R2.)

  • To deploy files to this folder, you will need to use a deployment tool that allows you to install the companion installer package as the user.
  • Setting these session encryption options in an .access file affects only the associated session type. For example, limiting users to opening only encrypted session files in rd3x.access only affects 3270 terminal session files, and not 5250 session files.
  • Be sure to set file access rights on these files to prevent users from deleting, replacing, or editing them.
  • When accessing a setting via an API, such as executing a macro, a setting with restricted access cannot be modified. (When attempting to set a restricted setting via an API, an error is logged.)