Customize User and Group Access

You can use the Attachmate Customization Tool (ACT) to lock down access when you create your companion installer package. The resulting .access files are automatically saved to the correct directory and included in the companion installer package. If you need to make changes, you can modify these .access files by opening the existing Companion installer in ACT or by using Permissions Manager.

You can also lock down features using Microsoft Group Policy. For more information, see Lock Down Features and Controls.

To set user and group access in ACT

  1. From your administrative installation point, open the Attachmate Customization Tool from a shortcut or by typing the following command line:

    <path_to_setup>\setup.exe /admin

  2. In the Select Customization dialog box, select Create a new Companion installer.

    ACT_Create companion installer

  3. On the left pane, select Specify install locations.

    Specify Installation Default Folder

  4. Under Installation type, select Installs only for the user who installs it.
  5. In the left pane, select Modify user settings.

    Change the user settings on the target computer.

    Under Application - Settings, the Permissions Manager displays groups of configurable items. These configurable items are listed by their internal names, which may not exactly match the user interface item. The item's Accessibility indicates whether the user can configure the item (Full) or if administrator assistance is required to configure the item (Restricted).

  6. In the Make changes to user settings pane, select one of the .access options and click Define.
  7. In Permissions Manager, under Groups, select the group of settings you want to control access to (for example, Document\Connection\TN3270Basic).


  8. In the Items box, in the Accessibility column for the item (or items) you want to restrict, click Full and then select Restricted from the drop down menu.

    In the following example, the Accessibility level for DeviceName, Host, and Port is Restricted. The resulting rd3x.access file limits access to these three settings.


  9. Under Additional security options, select how to control session file encryption:

    To do this


    Configure all sessions so that users can open only encrypted display session files.

    User can open only encrypted session files

    Configure all sessions so that users can save a display session only if it is encrypted.

    User can save only encrypted session files

  10. From the File menu, choose Save As and save the companion installer package.

    The companion installer package automatically specifies to deploy this .access file to [AppDataFolder]\Attachmate\Reflection\Workspace\data_folder.

    Note: The name of the data_folder is R2014_versionName. (For example, the data_folder name in Reflection 2014 R1 is R2014_R1.)

    By default, [AppDataFolder] is defined as:

    (Windows 8, 7 and Vista) Users\<yourUserName>\AppData\Roaming\

    (Windows XP) Documents and Settings\<yourUserName>\Application Data\


  • Make sure to set file access rights on .access files to prevent users from deleting, replacing, or editing them.
  • To deploy files to this folder, you will need to use a deployment tool that allows you to install the companion installer package as the user.
  • When accessing a setting via an API, such as executing a macro, a setting with restricted access cannot be modified. (When attempting to set a restricted setting via an API, an error is logged.)