MAINTAIN SECURITY WHILE USING GRANULAR ACCESS CONTROLS
To maintain permissions security while using granular access controls, create a separate remote access account for credentials overrides.
Expanded Permissions
When installing and configuring EFT, it is recommended to give your service account the least permissions or privileges necessary. However, there will be instances when expanded permissions are needed to access resources that are normally restricted, such as when one of EFT’s event rules needs to monitor or write to a network share.
Use the optional credentials override feature to maintain a least-privileges profile for the majority of EFT’s functionality, while still allowing certain EFT subsystems to access secured resources.
Optional Credentials Override Feature
With EFT’s Optional Credentials Override feature, you can specify an alternate set of logon credentials for EFT’s event rules subsystem to use when accessing network shares to which the EFT service account may not have access (due to security constraints). This allows you to work with network file servers (NetApp, Windows, SAMBA, etc.) that have restricted ACLs, while still adhering to the principle of least privilege for your overall Managed File Transfer (MFT) application.
Alternate credentials, if specified, will cause EFT to impersonate that account, adopting that account’s permissions to access network shares from EFT’s Copy/Move, Folder Monitor, and File and Folder event rule actions.
In other words, when an alternate set of credentials is specified:
- EFT will use its current security token (associated with the "Log on as" account specified in the EFT server service settings) for LOCAL folder access, such as for download operations to a local, physical folder.
- EFT will use the new security token (associated with the alternate logon credentials) for the remote folder accessed over network connections (e.g. network shares).
How to Configure Optional Override
- From a supported event rule (such as folder monitor, file download or copy/move, or folder/file operation), locate the Optional Credentials Override field.
- In that field, type the Windows account username and password.
Unlike normal user account passwords, the credentials override password is stored in EFT’s configuration database in an encrypted but reversible format. This is necessary so that EFT can retrieve and use the password in an unattended fashion. Because the stored password is recoverable, the override account itself should hold only the permissions it needs on the shares in question, as recommended under Expanded Permissions above.
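The following PowerShell script is an added example, not a script from Globalscape or the EFT product, illustrating the two points above: the override account is a second, dedicated least-privilege identity that is granted rights only on the network share (not locally), and the configuration is then verified from the EFT server by mapping the share with those credentials. All names (`svc-eft-share`, `svc-eft`, `D:\EFTDrop`, `EFTDrop`) are assumed placeholders; the account is created as a local user on the file server for simplicity, and in a domain you would create a domain account instead.

```powershell
# Added example (not Globalscape's own script). Provisions a dedicated
# least-privilege account for EFT's Optional Credentials Override and
# verifies the split the article describes: the override account is only
# granted rights on the share, and the EFT service account is not listed
# on it at all. Run on the file server; step 4 also works from the EFT
# server when $Unc points at the file server. Names are placeholders.

$ShareRoot    = 'D:\EFTDrop'      # assumed folder backing the share
$ShareName    = 'EFTDrop'         # assumed share name
$OverrideUser = 'svc-eft-share'   # assumed dedicated override account
$ServiceUser  = 'svc-eft'         # assumed EFT "Log on as" service account

# 1. Create the override account. EFT uses the password unattended, so it
#    is set to not expire; rotate it together with the event rule settings.
$Password = Read-Host -AsSecureString -Prompt "Password for $OverrideUser"
New-LocalUser -Name $OverrideUser -Password $Password `
    -PasswordNeverExpires -UserMayNotChangePassword `
    -Description 'EFT credentials override: network share access only' | Out-Null

# 2. Create the folder and share. Only the override account receives
#    Change access at the share level; no other principal is granted.
New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null
New-SmbShare -Name $ShareName -Path $ShareRoot -ChangeAccess $OverrideUser | Out-Null

# 3. NTFS ACL: replace inherited entries with an explicit set. The override
#    account gets Modify on the tree and nothing beyond this folder.
#    (${} braces keep PowerShell from reading "$OverrideUser:" as a scope.)
icacls $ShareRoot /inheritance:r `
    /grant:r "${OverrideUser}:(OI)(CI)M" `
    'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# 4. Verify: (a) the override account is not a local administrator,
#    (b) the service account does not appear on the share ACL, and
#    (c) the share is reachable over UNC with the override credentials,
#    which is exactly the token EFT will use for remote folder access.
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($Admins -match "\\$OverrideUser$") {
    Write-Warning "$OverrideUser is a local administrator; remove it before use."
}

$ShareAcl = Get-SmbShareAccess -Name $ShareName
if ($ShareAcl.AccountName -match "\\$ServiceUser$") {
    Write-Warning "$ServiceUser has share access; the override is not needed here."
}

$Unc  = "\\$env:COMPUTERNAME\$ShareName"
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList "$env:COMPUTERNAME\$OverrideUser", $Password
New-PSDrive -Name EFTShare -PSProvider FileSystem -Root $Unc -Credential $Cred | Out-Null
if (Test-Path 'EFTShare:\') {
    Write-Host "OK: $Unc is reachable as $OverrideUser"
} else {
    Write-Warning "Cannot reach $Unc as $OverrideUser; check share and NTFS ACLs."
}
Remove-PSDrive -Name EFTShare
```

Once the mapping succeeds, enter `COMPUTERNAME\svc-eft-share` (or the domain form) and the password in the event rule's Optional Credentials Override field; local download targets continue to use the service account's token, so the override account needs no rights on the EFT server's local disks.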