Starting with Resilio Connect v2.12 users may restrict access for Console Admin to the Agents running on their workstations.
After update or fresh install, if the Agent runs without Agent config, user is prompted for two parameters:
1) Default folder location. This is the directory defined by path macro %FOLDERS_STORAGE%. By default, all jobs configured by the Admin, using this macro, will appear in this directory.
2) Permissions for Console Admin: browse for folders outside the default folder location, and execute scripts and triggers on the agent.
If the Agent runs with the agent configuration file, the user is not prompted for the parameters on start, however it's possible to add these two to config file manually:
1) parameter "folders_storage_path"
, which is present in a default Agent configuration file;
2) parameter "mc_restricted_access"
with value true.
Here is an example of parameters from above in the agent's configuration file.
{
"folders_storage_path": "%DOWNLOADS%",
"mc_restricted_access": true,
"management_server": {
.......
Both of these can be changed later in the Agent's Options menu. Option to change the default folder location is greyed out if the configuration file contains "folders_storage_path" parameter.
Changing default folder location
This directory applies to the jobs that have %FOLDERS_STORAGE% path macro selected by admin on the Management Console.
User can change the directory path from the Agent UI, if it's not defined in the agent configuration file.
Changing the path means that already configured Synchronization jobs, that use path macro %folder_storage% on MC, will switch to the new directory. Files will not be moved from previous to the new location. Files that are already located in the new location will be synced.
Currently Active job runs for Consolidation and Distribution jobs will continue with previous directory, and the new job run will be started in the new location.
"Direct path" macro on Management Console is also resolved into this directory by default.
Changing permissions for the Admin
If user grants or takes away the permissions for the Admin, the change is applied to newly created job.
Restricted access (unchecked parameter) implies the following limitations for the Admin:
- cannot browse for folder using folder picker in the Management Console. Admin will receive the error. The "allowed directory" here is the %FOLDERS_STORAGE% path macro only to be selected in the top left dropdown.
- if admin tries using another path macro or direct path for such an agent, the job will give an error. To fix it, edit the job and use %FOLDERS_STORAGE% macro. However, if the user removes restriction while the error is on, the job will continue automatically.
- Scripts and triggers in jobs are not allowed. Such jobs will give an error on start, but won't abort the job run*.
However, if the user removes the restriction while this job run is still active, error will go away and the job run will start automatically. Other agents in the job run will at least download files from source.
*If this is not desirable, Admin might want to set up Job run timeout in Profile for such cases, so that a job run times out and aborts in a while.
- The agent will show "Yes" in Restricted Column in Agents table on MC.