Share and File System Permissions

Required Share Permissions

On the DSM share, user accounts need the Full Control share permission. The effective permission of each user is configured in the file system, on the directory.

Required File System Permissions

Account | Permissions on Network Files

DSM Runtime Service

Local administrator on all managed computers.
This user account is automatically added by DSM as a local administrator.

Instead of a dedicated user account, the SYSTEM account of the managed computer can also be used.

Depot access
(managed computers)

Read permission of the DSM Runtime Service for the depot share and all subdirectories.

If you do not want to use a dedicated account, the permission can also be granted on the basis of Active Directory computer accounts (see below).

Depot access
(Client Proxy - OSD only)

Read permission of the Client Proxy for the depot share and all subdirectories.

When using DSM OS Deployment, it is absolutely necessary to enter a user account here if no account is specified for depot access on managed computers.

Distribution Service

Read and Write permission for the depot share and all subdirectories – including the right to delete (modify) files.

If you do not want to use a dedicated account, the permission can also be granted on the basis of Active Directory computer accounts (see below).
To ensure the security of the repository data, only this account and the DSM administrators should have Write access to the depot share!

Service Installation Service (SIS)

Local administrator on all computers which are to be managed.

If you do not want to use a dedicated account, the permission can also be granted on the basis of Active Directory computer accounts (see below).

BLS Authentication

The user account is automatically defined as 'Supervisor' in DSM and does not need special file system permissions.

User group with access to the private key

The user group automatically gets Read and Write access to the \\<DSM Share>\config\key directory. The account of the Distribution Service must be a member of this group.

If you don't want to use a separate account for the Distribution Service, make sure that the Active Directory computer account of the Management Point is a member of the group.

All users

Read permission for the depot share and all subdirectories.
In some cases DSM can work without this permission; see KB 19535 for more information.

Read permission in the repository cache of a managed computer.

DSM Packager

Read permission for the depot share and all subdirectories.

DSM Administrators

Read and Write permission for the depot share and all subdirectories.

To execute actions on the computer where it is installed (Management Point!), a service automatically uses the local SYSTEM account. Therefore, the SYSTEM account on this computer needs the same file system permissions as the account for the respective service.
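
The write-access rule for the depot can be checked against the actual directory permissions. The following PowerShell function is an added example, not part of DSM or of the original documentation; it lists accounts that hold write-type NTFS rights on the depot tree and are not on an expected list. The function name, the path and the account names are placeholders.

```powershell
# Added example (not DSM code): report accounts holding write-type NTFS rights
# on the depot directory tree that are not on the expected list.
function Find-UnexpectedDepotWriter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,           # depot root (placeholder)
        [Parameter(Mandatory)] [string[]] $AllowedWriter   # accounts expected to write
    )

    # Specific rights that change content or the ACL, plus the generic
    # GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs can carry.
    $specific = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask     = $specific -bor 0x10000000 -bor 0x40000000

    $root = Get-Item -LiteralPath $Path
    $dirs = @($root) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)

    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            # Below the root, inherited ACEs are already reported at the
            # directory that defines them (or at the root itself).
            if ($ace.IsInherited -and $dir.FullName -ne $root.FullName) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            if ($ace.IdentityReference.Value -in $AllowedWriter) { continue }

            [pscustomobject]@{
                Directory = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Example call with placeholder names. SYSTEM is listed on the assumption that
# the check runs on the Management Point, where the services act as SYSTEM.
# Find-UnexpectedDepotWriter -Path '\\<DSM Share>' -AllowedWriter @(
#     'EXAMPLE\svc-dsm-distribution',
#     'EXAMPLE\DSM-Administrators',
#     'NT AUTHORITY\SYSTEM')
```

The user group with access to the private key will be reported for the config\key directory, where it holds Read and Write access by design.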

Using Computer Accounts for Authentication

If you do not want to use an individual account for a DSM service, make sure that the computer account of the machine running the service has the required access permissions.

Note the following requirements when you are using a computer account:

  • Active Directory is required.
  • The service is installed on a computer running at least Windows Vista or Windows Server 2008.
  • You must enable the following policy on the computer:
    Network security: Allow Local System to use computer identity for NTLM

      This is the default with newer operating systems; with Windows Vista or Windows Server 2008, you must activate the policy directly.