Novell Doc: ZENworks 10 Configuration Management Policy Management Reference

2.3 Local File Rights Policy

The Local File Rights policy allows you to configure rights for files or folders that exist on the NTFS file systems.

In ZENworks Control Center, click the Policies tab.
In the Policies list, click New, then click Policy to display the Select Policy Type page.
Select Local File Rights Policy, click Next to display the Define Details page, then fill in the fields:

Policy Name: Provide a name for the policy. The policy name must be different than the name of any other item (group, folder, and so forth) that resides in the same folder. The name you provide displays in ZENworks Control Center.

Folder: Type the name or browse to and select the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.

Description: Provide a short description of the policy’s content. This description displays in ZENworks Control Center.

Click Next to display the Configure Basic Properties page, then use the options on the page to configure the attributes.

The following table contains information about configuring a file or folder and the attributes associated with it:

Field	Details
File / Folder Path	Allows you to specify the complete path of a file or folder on the managed device. You can use the ZENworks system variables or environment variables to specify the path. To configure system variables in ZENworks Control Center, click the Configuration tab > the Content setting in the Management Zone Settings panel > System Variables. Click the Help button for details about configuring system variables.
Attributes	Allows you to specify the attributes of a file or folder, such as Read only and Hidden.

Field

Details

File / Folder Path

Allows you to specify the complete path of a file or folder on the managed device. You can use the ZENworks system variables or environment variables to specify the path.

To configure system variables in ZENworks Control Center, click the Configuration tab > the Content setting in the Management Zone Settings panel > System Variables. Click the Help button for details about configuring system variables.

Attributes

Allows you to specify the attributes of a file or folder, such as Read only and Hidden.

This page allows you to configure permissions for only one file or folder. If you want to assign permissions to multiple files or folders, then configure them in the Details page after creating the policy.

Click Next to display the Configure Permissions page, then use the options on the page to configure permissions for selected users or groups.

The following table contains information about configuring permissions:

Field	Details
Permission for Users or Groups	Allows you to configure permissions for users or groups. Click Add, then Click User or Group to select a user or a group from the appropriate drop-down list. Select the type of permission you want to configure as Simple NTFS Permissions or All NTFS Permissions. Depending on the type of permission you select, a list of permissions are displayed. Configure the permissions as applicable to the selected user or group. By default, when a permission is set on a folder, all the subfolders and the files also inherit the permissions. If you want to restrict the inheritance of the rights to only the immediate child file or folder, select Restrict inheritance to immediate child files/folders only. Click OK. The permissions configured for the user or group in the Dynamic Local User policy takes precedence over the permissions configured in the Local File Rights policy.
Create Groups on the Managed Device if they Do not Exist	Creates a group for which permissions are configured; however the group does not exist on the managed device. With this option, you can create only local groups.
Remove Access Control Rules not Configured by ZENworks	Removes all access control entries for users or groups not configured by the ZENworks Local File Rights policy. Also, updates the existing access control entries for users and groups configured in the policy. After the policy is applied, any manual changes made to the permissions for a user or group configured by the policy are lost when the policy is re-applied.
Inherit Applicable Access Rights Configured on Parent Folders	Select Yes if you want a file or folder to inherit applicable access control rules from its parent object. If you select No, inherited rules are removed. If you do not want to make any changes, select not configured on the managed device.At least one attribute, permission, or inheritance setting must be configured to create a policy. Without configuring any settings, you cannot create a policy.

NOTE:If the Full Control access right is denied for the Administrators or Authenticated Users group, the policy is successful only during the first enforcement. However, if the Full Control access right is denied for the Administrators or Authenticated Users group and the Remove access control rules not configured by ZENworks option is selected, the policy fails.

The unenforcement of the Local File Rights policy from a device fails if the Full Control access right is denied for the Administrators or Authenticated Users group in the policy.

Click Next to display the Summary page.
Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, system requirements, enforcement, status, and which group the policy is a member of.