Setting Up the Transaction Agent
Never edit, rename, or move Chromeleon data in the Windows Explorer. To avoid unintentional operations on these files, use the Transaction Agent to protect the Chromeleon datasource structure against these operations in the Windows Explorer.
A Chromeleon datasource consists of a database part and a file part. When the Transaction Agent is enabled, the standard user cannot access the file part. This prevents unauthorized access to the Chromeleon file part in the Windows Explorer or via the command prompt of the operating system. The user of the Chromeleon client can nevertheless access this part via a virtual user (Target User).
Tip:
From Windows XP SP2 on, all users must have the Windows Impersonate a client after authentication privilege. Otherwise, the Transaction Agent cannot be used. To assign the Impersonate a client after authentication privilege, follow the steps below:
Log on as local administrator.
Click Start > Settings > Control Panel > Administrative Tools and double-click Local Security Policy. (Note: this path applies to Windows XP SP2; in other versions of Windows, the path may be different.)
In the Local Security Settings dialog box, click the PLUS (+) sign beside Local Policies and click User Rights Assignment and then Impersonate a client after authentication.
Add all Chromeleon client users (or a Windows user group that includes these users) and enable the privilege for these users and/or user groups.
Caution: The changes will be valid only after the next logon. If the local and the domain settings for this are different, the domain setting overwrites the local setting!
For more information, refer to the Microsoft Knowledge Base (http://support.microsoft.com), ID 821546: Overview of the "Impersonate a Client after Authentication" and the "Create Global Objects" Security Settings."
Prerequisite: Creating the (Virtual) Target User
Create a new Windows user account for the Target User. Typically, standard user rights are sufficient.
Ensure that the Target User has the Log on as a service privilege in Windows.
The Target User account needs write access to the directory (and, possibly, to the file share) that contains the CM User database
To operate Chromeleon, the virtual Target User must have at least the following rights as a standard user, e.g.:
To perform Chromeleon OQ when the Transaction Agent is enabled, the Target User must be a member of the local Chromeleon Operators group.
To control an MSQ mass spectrometer, the Target User must be a member of the local Power Users group.
To create a client datasource as Common Datasource when the Transaction Agent is enabled, the Target User must be a local administrator.
Note:
To further increase security, you may assign the Deny logon locally privilege to the Target User of the Transaction Agent (Control Panel > Administrative Tools > Local Security Policy > User Rights Assignment). This prevents anyone from logging on to the Windows desktop using the Target User account.
Installing the Transaction Agent in the User Manager
To protect Chromeleon datasources, install the Transaction Agent in the User Manager (CmUser Program):
Select User Database Policies on the File menu to open the corresponding dialog box.
On the Transaction Agent tab page, select the Use transaction agent to protect datasources check box.
Type the domain and the name of the Target User. Also, type the Target User's password that shall allow the Chromeleon client to access the datasource:
Enabling the Transaction Agent in the Security Activation Tool
Enable the Transaction Agent in the Security Activation Tool (CmSecure Program). Log on as administrator, and then:
Click Enable User Mode to enable User Mode if the Transaction Agent has already been installed in the corresponding database.
Click Change User DB to open a different CmUser database for which the Transaction Agent has already been installed.
Tips:
Verify that the regional settings of the transaction agent account and your Windows interactive user account are identical. If the decimal separators are not identical, this may cause problems with numerical data in the report and when entering numbers in the PGM Editor, especially the multi step gradient. To check your Windows regional settings, go to the Regional and Language Options on the Windows Control Panel. If necessary, select your language and country (e.g., English (USA)).
If you change the settings for the Transaction Agent in an existing CmUser Database, disable and enable User Mode again on all computers using this user database to enable the new settings.
If you change the privileges, rights, or group membership assignment of the Target User in the operating system, these modifications do not take effect while the Transaction Agent is active. To adapt the settings, restart the Transaction Agent Service.
The security settings of the Transaction Agent also apply if you start a new client. Thus, the modified Transaction Agent settings will not apply to this client either until the Transaction Agent has been restarted. To start new Chromeleon clients with the new Transaction Agent settings, restart the Transaction Agent first, and then start the clients.
For more information, refer to Setting up the Transaction Agent for Special Applications.
For an overview of the options in the User Database Policies dialog box, refer to CmUser Database Policies.