Tenant Administration

The Tenant Manager scope is defined for the tenant administrator. In a multi-tenant CentreStack system, each tenant has an administrator. In a single-enterprise CentreStack system, the default cluster administrator is also the tenant administrator.

Tenant Manager is completely web-based.

You access the Tenant Manager by clicking “Management Console”.

_images/image020.png

Dashboard

Upon entering the Management Console, you will see the dashboard.

_images/image021.png

Collaboration

Collaboration has three tabs – Team Folder, Shared Objects and Storage Manager.

_images/image022.png

Team Folder – The team folder concept is like a network share: you define a folder and then add users and groups to it. The team folder shows up in a user’s folder list once the user is added to the team folder. When the server agent is in use, the team folder can be mapped directly to a network share created by the server agent.

Shared Objects – Shared Objects are the folders and files that one user shares with another. It is like peer-to-peer sharing, and the shared items are not limited to files; they can be files and folders.

_images/image023.png

Storage Manager – You can mount different storage services into a single namespace. For example, if you have multiple Amazon S3 buckets, you can mount them all in. If you have multiple OpenStack Swift accounts, you can mount them all in as well. If you have multiple file server network shares, you can add them to the storage manager.

There are two links:

Attach Cloud Storage – for object storage services such as OpenStack Swift or Amazon S3.

Attach Local Storage – for block storage services such as Network Share.

_images/image024.png

Storage Manager Properties – Local Storage.

“Always access the storage using logon user identity” – When you have Active Directory Integration, and mount an existing file server network share in, you can select to “Always access the storage using logon user identity” so the ACL on the file server share will be used natively. The access permission will be checked natively against the user’s Active Directory identity.

“The share is from a Linux/Unix/ZFS server” – Most of the time, you don’t want to check this flag, because your file server share should behave like a normal Windows Server share even if it doesn’t come from Windows Server. Some small SOHO network storage devices may only allow one connection from one IP address; if that is the case, check this flag. You don’t need to check it when the network share is capable of taking multiple connections/sessions from a single machine.

“This share is a DFS share” – If the share is a DFS share, check this checkbox, because a DFS share has an extra layer of translation that resolves back down to normal file server shares.

_images/image025.png

Storage Manager – Cloud Storage Property

Besides local storage, you can also mount cloud storage into the system. If you have Amazon S3, or Amazon S3 compatible storage service, or if you have OpenStack or OpenStack Swift compatible storage, you can connect it into the system. You can see the full list of storage services supported, including SoftLayer Object Storage, Google Cloud Storage, Microsoft Azure storage and more.

_images/image026.png

User Manager

User manager has four tabs – User Manager, Guest User Manager, Group Manager and Role Manager.

_images/image027.png

Regular User Manager

The first tab is the Regular User Manager. These are the users that have full use of a home directory, sharing and other features. If you have Active Directory, normally these are the users in the Active Directory.

Guest User Manager

Guest users are users that don’t have a home directory. The only folder they have is “Files Shared with Me”, so they rely on a “Regular User” sharing files and folders with them before they can do anything. If nobody is sharing anything with a guest user, the guest user doesn’t have any read/write permission to any folder.

Group Manager

When you have Active Directory integration, you will use Active Directory groups instead. The Group Manager creates groups of users in a simple way. It is not as sophisticated as Active Directory (it does not support nested groups, for example), but it makes things easy for non-Active Directory users.

Role Manager

Role Manager provides role-based administration. For example, you may want to provide read-only permissions to some users. You can also assign some group policies to some groups of users.

Group Policy

_images/image028.png

Group Policy – Security

“Allow users to attach external cloud storage” – when checked, you will allow users to see storage manager and allow them to attach external storage such as their own Amazon S3 bucket into the system.

“Disable Versioned folder” – Normally you will NOT disable versioned folder, because versioned folder is the supporting feature for “Two-way sync locally attached folder”. If you disable versioned folder, you lose the two-way synchronization folder feature as well.

“Allow creating guest user” – When checked, guest users can be created when a team user shares files or folders with external users. When disabled, file/folder sharing is limited to regular users only or anonymous users only.

“Allow Cluster Admin to manage my tenant” – when enabled, the cluster admin will be able to use “open” link to manage the tenant in the tenant manager.

“Enable distribution group detection in file/folder sharing user interface” – With Active Directory integration, sometimes you want to share files and folders with a distribution group. This feature detects a distribution group and expands it, so the sharing is done with the users in the group instead of treating the group as a single user.

“Disable team-user share home directory content externally” – This feature disables the ability of regular users to share home directory contents, for security reasons.

“Don’t show folder that user doesn’t have read permission” – With native Active Directory integration and a network share as backend storage, the user’s permissions on folders are checked natively. When this option is set, folders that the user doesn’t have read permission for are hidden.

“User must login to access shared files/folders” – When sharing files and folders with users, you can force the sharing to create guest accounts for users that are not already in the system. Requiring the receiver of the share to sign in to receive shared items is more secure. This disables anonymous sharing.

“Don’t append (Team Folder) to published folders” – By default, when a team folder shows up in a team user’s folder list, “(Team Folder)” is appended to the end of the folder name to signify that it is a team folder. This feature lets a team folder show up as it is, without the (Team Folder) suffix. The use case is a network share that is mounted and then turned into a team folder: the users are already familiar with the network share under its original name, so it is not necessary to append (Team Folder) to the folder name. You shouldn’t change this setting in the middle of operation, because if users have pending uploads/downloads, changing the name could cause those tasks to fail.

“Show ‘Security’ Options” – The security option is for delegated administrators. Each management scope, such as Team Folder or Storage Manager, may be protected by a “security” option. By default, only tenant administrators can access these administration pages. If you want to expose a management scope to more users, you can expose the ‘security’ option to define more users for only “Team Folder” or only “Storage Manager”, and so on. This feature may overlap with the Role Manager: you can also create roles and assign users to them to achieve the same goal.

“Access management related pages from Intranet Only” – Intranet is defined as 10.x.x.x or 192.168.x.x kind of IP addresses. Usually you can achieve the same functionality by disabling the management functionality on external-facing worker nodes but enabling it on an internal-facing worker node. But if your intranet meets the IP address criteria, you can use this setting to achieve that goal too. It is a security feature to limit the management scope to the intranet only. As mentioned above, an alternative is to go to the cluster manager, then cluster server farm, and disable the “management functionality on this node”.

_images/image029.jpg

“File upload and download must go through worker node” – For Amazon S3 type cloud storage/object storage, it is recommended NOT to force file upload and download through worker nodes, because Amazon S3 is good at offloading upload/download so that it happens directly between the access clients and the backend Amazon S3 storage. However, for OpenStack Swift storage, depending on how it is set up, you may want to turn this on to force file upload/download through a worker node for security reasons.

“Disable User’s home directory” – Some organizations want all users to work inside team folders. These organizations don’t want users to have a home directory, which is perceived as holding personal documents. This feature can disable the user’s home directory. Usually this setting is combined with publishing team folders to all Active Directory users.

“Show User list in sharing dialog” – This is a convenience feature: a user list in the sharing dialog makes it easier to share without typing. However, it may be perceived as a security issue, since users’ email addresses are shown.

“Only allow sending shares to the specified domain” – You can further limit sharing to certain domains instead of any email address. For example, if your primary collaboration target is ACME corporation, you can limit sharing to your own domain and the ACME domain.

“The Account lockout threshold sets the number of invalid logon attempts that are allowed before an account is locked out.” – You can force lockout of an account. This setting is independent of your Active Directory account lockout if you enabled Active Directory integration. For example, if your Active Directory account lockout is 7 times, you can set the CentreStack account lockout to 5 times, smaller than your Active Directory account lockout.

“Expiration Time for Shared Folder/File (Days):” – When set, the expiration time dropdown is not shown in the file/folder sharing wizard; the expiration is pre-set to the value set here.

“Don’t create a guest user account if the recipient is from the following domain” – If a guest account is not created, the share will be with the email address only.

Group Policy – Client Control

_images/image030.png

“Enable Distributed locking when accessing files” – In CentreStack, there are two ways to lock files. One is manual: right-click a file and choose “Check out”. The other is automatic, based on certain binary executables. For example, you can see Microsoft Office executable files like winword.exe and so on.

“Lock file exclusively” – When set, the other user won’t be able to open the file for edit.

“Delay sync until file is unlocked” – It is recommended to check this setting. Most users have a habit of saving files in the middle of editing. You don’t want each of these intermediate saves to go to the cloud; you want one save to the cloud at the end. So you can delay sync until the file is unlocked.

“Disable backup/attach local folder from client device” – Attached Local Folders are two-way synchronization folders. In order to do version backup and two-way synchronization, multiple folder structures are created in the backend storage. Some organizations don’t need this feature and want users to work exclusively with the cloud drive.

“Disable folder download from web client” – The folder download from web client will zip up the folder and download it. It is CPU intensive so if you don’t want it to be consuming too much CPU, you can disable it.

“Hide ‘Files shared with me’ folder” – Some organizations want users to work exclusively inside a team folder, without a home directory and without the peer-to-peer sharing folder.

“Create a shortcut in the documents library” – This is a convenience feature to add a link to documents library to the cloud drive.

“Create shortcut on desktop” – Same as above but the shortcut is on the desktop.

“Disable Search” – If you don’t need the search by file name feature, you can disable it.

“Web Browser - Disable Java Uploader” – Some organizations have standardized on a web browser, for example, all web browsers are HTML5 compliant. In this case, the Java Uploader is not necessary and could be confusing to support when different users have different Java versions installed.

“Web Browser - Disable Flash Uploader” – Some organizations have standardized on a web browser, for example, all web browsers are HTML5 compliant. In this case, the Flash Uploader is not necessary and could be confusing to support when different users have different Flash versions installed. Different kinds of web browser may also have different levels of Flash support, causing different behavior.

“Enable Tabbed-Browsing in User Manager” – When enabled, the user manager will order users by their last name so if you have many users, you have an easy to access way to find the users.

“Only show search interface in User Manager” – When you have so many users that Tabbed-Browsing can’t handle them any more, you can enable the search-only interface.

“Hide Settings in Windows Client Management Console” – The Settings in the Windows client may be viewed as “too much information for normal user”. If that is the case, you can disable that.

“Don’t Allow Setting Changes in Windows Client Management Console” – When you want the client settings to be centrally controlled.

“Allow syncing empty file” – By default, empty (0-byte) files are skipped when syncing an attached folder. When enabled, those files are synchronized.

“Don’t show top help panel in web portal” – For new users, the web portal may show a help panel about where to download the client and that kind of information. The panel may be viewed as clunky by experienced users, so it is possible to hide it by group policy.

“Allow attaching folder in proxy mode” – Proxy mode is a mode in which the local folders do not actually go to the cloud; instead, access is proxied back to the local folder. It is not a usual mode of operation, so if you need it from the server agent, you can enable it. By default it is disabled.

“Show advanced setting in team folder publishing dialog” – The advanced setting refers to “Create CIFS Share”, “Disable further sharing”, and “Disable Offline Access” settings.

_images/image031.png

“Disable Windows client in-place upload” – Normally you don’t want to disable it. If it is disabled, the files that are being uploaded will be copied into cache first before upload, thus creating two copies of the same file in the file system, one at the original place, one in the cache.

“Disable Auto-Login next time” – When you want the user to type in username/password every time they login to the Windows client, you can disable auto-login.

“Disable drag & drop handler” – Normally you will not disable it. If it is disabled, the Windows file drag and drop will take over, this typically means the files will be copied into cache before upload, thus resulting in two copies of files being uploaded.

“Enable snapshot backup for server agent” – It is a feature related to server agent on Windows 2003-2012 servers.

“Enable auto-install of Outlook Plugin” – The CentreStack Windows Desktop client comes with an Outlook plug-in. If enabled, the Outlook plug-in will be enabled when the client runs.

“Files with the following extensions will be excluded from uploading” – You can stop certain file types from being uploaded, for example .pst files. These are local Outlook email files, which do not need to be put in cloud storage because they are usually backed up by the Exchange server.

“In-place editing/Preview is disabled for files with following extension” – Windows Explorer has a habit to peek into large files to generate thumbnail and present other information. It may not be a good fit for cloud drive files because each peek will generate a download from cloud.

Group Policy - Retention Policy

_images/image032.png

The cloud monitoring service on the CentreStack system will be responsible for the retention policy.

“Keep Last n versions of each file in the versioned folder” – You can decide how many versions of files to keep in the version folder.

“Only purge version file that is more than n days old” – This is a security feature. For example, suppose a virus modifies the same file many times, creating many versions and causing good old versions to be scheduled for deletion. With this set, the good old versions are kept for at least that number of days, giving enough time to recover.
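How the two settings above interact, as an added example that is not CentreStack code: a small Python model that assumes a version is purged only when it is both outside the newest n versions and older than the age threshold. The function names, the sample history and that combination rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference time for the sample data below.
NOW = datetime(2024, 1, 15, 12, 0)


@dataclass(frozen=True)
class Version:
    label: str           # constructed label, not a CentreStack identifier
    saved_at: datetime


def versions_to_purge(versions, now, keep_last, min_age_days):
    """Versions eligible for purge under the assumed model: outside the
    newest `keep_last` AND saved more than `min_age_days` days ago."""
    newest_first = sorted(versions, key=lambda v: v.saved_at, reverse=True)
    overflow = newest_first[keep_last:]          # beyond "keep last n"
    cutoff = now - timedelta(days=min_age_days)  # age guard
    return [v for v in overflow if v.saved_at < cutoff]


def build_history(now):
    """Constructed sample: two good versions, then 20 rewrites of the same
    file within 20 minutes (the 'virus modified the file many times' case)."""
    good = [Version("good-1", now - timedelta(days=3)),
            Version("good-2", now - timedelta(days=2))]
    burst = [Version(f"encrypted-{i}", now - timedelta(minutes=20 - i))
             for i in range(20)]
    return good + burst


def surviving_good(versions, purge):
    """Labels of the good versions that are still recoverable."""
    purged = set(purge)
    return [v.label for v in versions
            if v.label.startswith("good") and v not in purged]


if __name__ == "__main__":
    history = build_history(NOW)
    for days in (0, 7):
        purge = versions_to_purge(history, NOW, keep_last=5, min_age_days=days)
        print(f"min age {days}d: purge {len(purge)}, "
              f"good versions left: {surviving_good(history, purge)}")
    # Once the good versions age past the threshold the guard no longer helps.
    late = versions_to_purge(history, NOW + timedelta(days=8),
                             keep_last=5, min_age_days=7)
    print("8 days later, good versions left:", surviving_good(history, late))
```

In this model the age threshold is the recovery window: the good versions survive the burst, but only until they themselves become older than n days.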

“Keep deleted files in versioned folder for n days” – When a file is deleted in the version folder, it is not actually deleted. It will be kept for several days defined here.

“Keep file change log for n days” – The file change log is the biggest database table and can keep growing if it is not trimmed. You can decide how often you want to trim the table.

_images/image033.jpg

“Default Storage quota” – This policy does not affect existing users and their quotas. It sets the default storage quota for newly created users.

“Create default folders” – When the new user account is provisioned, the default root folder is empty. “Create default documents and pictures folder” will make the root folder look less empty and more user friendly. It is kind of like a hint for how to organize files and folders in the cloud.

Group Policy - Password Policy

_images/image034.jpg

You can enforce password policy for users in the system. Normally the Active Directory user’s password complexity is already enforced by Active Directory. This setting is used to control users that are not in the Active Directory. For example, guest users.

Group Policy - Client Settings Manager Policy

_images/image035.png

You can define server-side settings that override the client-side settings. When a setting is set on the server side, the server-side value takes precedence over the client-side value.

Tenant Administrators

You can define a group of administrators here.

_images/image036.png

Reports

You can see upload report, storage statistics, team folders, audit trace, and file change logging.

Upload Report

_images/image045.png

Storage Statistics

_images/image046.png

Team Folders

_images/image047.png

Audit Trace

Audit trace contains the management events, such as login success, login fail, shared a folder, and so on.

_images/image040.png

File Change Log

The file change log lets you search a user’s file change history. It is most useful when helping users troubleshoot issues. For example, you can point to the file change log and say, you deleted this file on this day.

_images/image041.png

Advanced Information

Account Information

_images/image048.png

Active Directory Settings

_images/image037.png

“Enable Active Directory Integration” – Check this when you want to integrate with Active Directory.

“Domain Controller Address” – The domain controller’s address, typically in the form of DNS name.

“User Name” – This is recommended to be a service account (password never expires, account never disabled) so the account will be able to query LDAP for users and authenticate users on the login user’s behalf.

“Password” – This is the password for the service account for the “User Name” field.

“Friendly Domain Name” – This is typically the domain name you see in the Microsoft Domain and User tool. It needs to be an exact match of the domain name. Otherwise, you will see an error message about “referral is required”, which means the domain controller didn’t match the domain name and needs to refer you somewhere else for another domain name.

_images/image038.jpg

“Only Include users in Organization Unit” – When you type in the organization unit, you don’t need to type the domain part any more. It just needs the Organization Unit part of the string. Only a single Organization Unit is allowed, specified in its distinguishedName format without the domain suffix.

“Allow Switching to Global Catalog” – In some organizations that have multiple domains, there is a Global Catalog that stores everything. This may be required if you are in that situation.

“Disable Nested Group” – Normally you will disable this if you have many groups. The nested group may slow down the look up and login speed.

“This is the root of the AD forest and contains multiple sub-domains” – CentreStack supports multiple domains in the same AD forest. You will need to point to the root of the AD forest, and it is capable of finding all the sub-domains.

“Don’t allow user auto-creation” – By default, the Enterprise package is capable of creating users upon first login to the web portal. However, big enterprises may want to control the pace of adding users to the system, so they will disable this feature.

“Publish user’s home drive” – The user’s Active Directory profile has a home directory setting. The same setting can be used to map the user’s Active Directory home directory into the cloud drive’s home directory.

_images/image039.jpg

My Devices

It is similar to Client Device Manager. It is looking at user’s devices from a different perspective.

_images/image042.png

Client Device Manager

This feature is used to control BYOD. Some organizations want to control who can bring what device into the system. This is the tool to control that and allow/disallow on a device-by-device basis.

_images/image043.png

Helping and Supporting User’s File and Folder List

_images/image044.png

An admin can view a user’s file and folder list using the eye icon for the user in Management Console > User Manager.

Storage Location Migration

There are two types of storage migrations.

1. Migrate data to a different location in the same type of storage using the steps below:
  1. Identify the location of the current storage.
  2. Copy the content to the new location (for example, you can use xcopy . from the old location to the new location).
  3. Log in to the web portal as master admin.
  4. Launch Management Console > Collaboration > Storage Manager and click on edit to point to the new location.
2. Migrate data to a different type of storage using the steps below:
  1. Go to the registry using regedit.
  2. Go to HKLM\SOFTWARE\Gladinet\Enterprise and add a new string value called ‘CanChangeDefaultStorage’, set the value to ‘True’, and reboot.
  3. Edit the storage type using the new icon to edit storage under Cluster Manager > Tenant Manager.

Note

It is not recommended to modify registry settings. Take a backup of the registry before modifying any registry settings.