Application Data
Microsoft standard users must have the appropriate permissions on the Application Data directory. This folder contains files critical to the proper functioning of the server, such as project files. Permissions on this folder dictate which users are able to configure the product. By default, the server stores application data in C:\ProgramData\<server>. This setting is configured during installation and can only be changed by reinstalling the product. Permissions only need to be configured during a new installation as upgrades inherit the previously configured Windows security settings. The dialog below shows where a new installation provides the opportunity to configure the location of the application data folder.
 
 
Microsoft standard users must be granted both read and write permissions to the folder and its contents. Execute permission is not required to run the server. The application does not provide tools to add permissions to this folder; they must be granted using Windows Explorer. Users who don’t have permissions receive the following error when attempting to start the application: “This account does not have permission to run this application. Contact the system administrator”.
 
The server does not modify the permissions of the configured folder; it inherits the default permissions configured at its location. The default (ProgramData) location inherits read-only permissions for the Users default Windows group. Read permissions alone are not sufficient to configure the product; however, they can allow users who shouldn’t have access to read the contents of the folder. By default, Windows administrators have the correct permissions.
 
To implement least privilege, follow these best practices:
Only grant permissions to users or groups that require access to the application; do not grant permissions to all users. It is common for the Users default Windows group to contain more users than should have access to the application.
Remove the default permissions granted to users who shouldn’t have access. For example, if the default directory is used, remove the inherited read-only permission granted to members of the “Users” default Windows group. This should be done unless ALL users on the machine should be able to work with the product.
Don’t manage permissions with individual users or the “Users” default Windows group. Instead, create a custom user group and configure its permissions. Add users who should be granted permissions to that group.
 
The user_data and .config volume mounted directories are created in the </opt/kepedge/v1> path. The user_data directory is the relative path where all project files are saved to and loaded from using the Configuration API, as well as where files to support automatic tag generation (ATG) should be placed.
Note: All files in the user_data directory must be world readable or owned by the Linux user and group that were created during installation, which is kepedge by default.
 
Any authorized Linux user should be added to the user group that was created during installation to have the proper permissions to interact locally with this folder. All actions the runtime uses to interact with this folder use the Linux user configured during installation, which is kepedge by default.
Note: Any directories created in the user_data directory must be writeable by members of the Kepware Server group, kepedge. Files in the user_data directory must be either world readable or owned by the group set up during installation, which is kepedge.
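
The following audit script is an added example, not part of the product or its documentation. It checks a user_data tree against the two notes above, using the group-ownership form of the file rule; the function name, finding labels and exit codes are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a user_data tree against the two notes above.
# Assumptions (not from the product): the function name, finding labels and
# exit codes; a find(1) that supports -mindepth (GNU or BSD).
#   directories inside user_data -> group-owned by the install group AND g+w
#   files                        -> world readable OR group-owned by that group
# Exit status: 0 = compliant, 1 = findings printed, 2 = audit could not run.

audit_user_data() {
    local root="$1" group="${2:-kepedge}" findings
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Fail closed: an unknown group or an unreadable subtree makes find exit
    # non-zero, and that must not be reported as "no findings".
    findings=$(
        find "$root" -mindepth 1 -type d ! \( -group "$group" -perm -g=w \) \
            -exec printf 'DIR_NOT_GROUP_WRITABLE %s\n' {} + &&
        find "$root" -type f ! -perm -o=r ! -group "$group" \
            -exec printf 'FILE_NOT_READABLE %s\n' {} +
    ) || { echo "audit failed; does group '$group' exist?" >&2; return 2; }

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against a path given on the command line, for example the user_data
# directory under the path named in the text above:
#   ./audit.sh /opt/kepedge/v1/user_data kepedge
if [ "$#" -gt 0 ]; then
    audit_user_data "$@"
fi
```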
 
The .config directory stores currently running configuration data of the runtime, including the currently running project file, certificate information, and other instance-specific data.
Backing up the folder containing the mounted .config folder is STRONGLY RECOMMENDED as part of an application backup strategy.
See Configuration Backup and Restore for more information.
 