Universal Event Monitor Server Security

Data Privacy

Data transmitted to a UEM Server across a network connection is protected using features present in all Stonebranch Inc. Universal Agent components.

For more information on the steps taken to protect transferred data, see Network Data Transmission.

File Permissions

Only trusted user accounts should have write access to the UEM Server installation directory, its subdirectories, and the files within them. Authorized users of UEM require read access to the message catalogs (*.umc files), which reside in the ./universal/nls directory.
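The two rules above (no write access for untrusted accounts anywhere under the installation root, read access to the *.umc message catalogs for authorized users) are easy to check mechanically on a UNIX installation. The following POSIX shell script is an added example, not Stonebranch code; it assumes the ./universal/nls/*.umc layout described above, and the sample tree it builds in a temporary directory (with one deliberately group-writable binary and one unreadable catalog) is constructed for illustration only. On Windows/NTFS the installer sets the equivalent ACLs, so this check is for UNIX hosts.

```shell
#!/bin/sh
# Added example: audit a UEM Server installation root for the file
# permission rules described on this page. Not part of Universal Agent.

# Mode string of a path, e.g. "drwxr-x---". ls -ld is used instead of
# stat because stat's format flags differ between GNU and BSD systems.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Walk the install root and report
#   (a) anything writable by group or others (positions 6 and 9 of the
#       mode string), which would let an untrusted account modify it, and
#   (b) message catalogs under universal/nls that no non-owner account can
#       read (neither group read, position 5, nor other read, position 8).
# Prints one finding per line; exit status 1 if anything was found.
audit_uem_perms() {
    root="$1"
    findings=$(
        find "$root" -print | while IFS= read -r path; do
            m=$(mode_of "$path")
            case "$m" in
                ?????w????|????????w?) echo "WRITABLE   $m  $path" ;;
            esac
            case "$path" in
                "$root"/universal/nls/*.umc)
                    case "$m" in
                        ????r?????|???????r??) ;;   # readable by non-owner
                        *) echo "UNREADABLE $m  $path" ;;
                    esac ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sample installation tree (hypothetical file names)
# with one group-writable binary and one unreadable catalog. Modes are set
# explicitly so the result does not depend on the caller's umask.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/universal/nls" "$root/bin"
    chmod 755 "$root" "$root/universal" "$root/universal/nls" "$root/bin"
    touch "$root/universal/nls/uem.umc" "$root/universal/nls/private.umc" \
          "$root/bin/uemsrv"
    chmod 644 "$root/universal/nls/uem.umc"
    chmod 600 "$root/universal/nls/private.umc"   # owner only: flagged
    chmod 775 "$root/bin/uemsrv"                  # group-writable: flagged
    echo "$root"
}

demo_root=$(make_demo_tree)
audit_uem_perms "$demo_root" || echo "permission audit failed for $demo_root"
rm -rf "$demo_root"
```

Run it against the real installation root (for example `audit_uem_perms /opt/universal`, a hypothetical path) from a cron job or a configuration-management check; a non-zero exit status means someone other than the installing account can alter UEM Server files or an authorized user cannot load a message catalog.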
 

Windows

If UEM Server is installed on an NTFS partition, these file permissions are automatically set during installation.
 
The component definitions for demand-driven and event-driven UEM Servers include the location of a WORKING_DIRECTORY. By default, this is .\Universal\UEMHome.
 
When the USER_SECURITY option is enabled, and before a demand-driven UEM Server begins monitoring an event or an event-driven UEM Server executes an event handler process, the UEM Server will create a subdirectory (if it does not already exist) for the authenticated user under this working directory.
 
The name of the directory matches the ID of the user account specified on the UEM Manager command line or stored in the event handler record. If a Windows domain account is used, the name of the directory is userid.domain, where userid is the user ID and domain is the domain name. After the directory is created, the specified user account is made its owner and granted Full Control over it.

Configuration Files

Only trusted user accounts should have write access to the Universal Event Monitor Server configuration files.
 

Windows

Although you can edit configuration files with any text editor (for example, Notepad), we recommend that you manage configuration options using the Universal Configuration Manager Control Panel application. Only user accounts in the Administrators group can execute the Universal Configuration Manager.

User Authentication

 

UNIX

When the USER_SECURITY option is enabled, a demand-driven UEM Server requires the ID of a valid local user account before it will begin monitoring the event. A password also may be required, depending on the rules set up in ACCESS_ACL.
 
Likewise, an event-driven UEM Server requires this information to be stored in an event handler record before it can execute a process on behalf of that handler. All handler processes started by UEM Server when the USER_SECURITY option is enabled are executed in the security context of this user account.
 
UEM Server for UNIX supports three different types of user authentication methods:

  1. Default authentication uses the traditional UNIX password comparison method.
  2. PAM authentication uses the PAM API to authenticate users. This option is only available on certain UNIX platforms.
  3. HP-UX Trusted Security uses the HP-UX Trusted Security APIs to authenticate users. This option is only available on Hewlett Packard HP-UX platforms.

HP-UX 11.00 and later

By default, supplemental group memberships are recorded in the /etc/group file. However, if an /etc/logingroup file exists, it governs all supplemental group memberships and effectively overrides the entries in /etc/group.
 

Note

/etc/logingroup is not required to record supplemental group membership. If /etc/logingroup does not exist, /etc/group is sufficient to record the groups to which a user belongs.

 
If any Universal Agent component fails to access system resources that are secured based on supplemental group membership, make sure that the authenticated user has an entry in /etc/logingroup, if that file exists. Otherwise, the default entry in /etc/group should be sufficient.
 
For more information about /etc/logingroup, please see the HP-UX system documentation.
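The override rule above is the part that trips people up: once /etc/logingroup exists, a membership recorded only in /etc/group no longer counts, so a handler process can lose access to a group-protected resource without anything in /etc/group changing. The following POSIX shell functions are an added example (not Stonebranch code) that resolve a user's supplemental groups with exactly that precedence; they take the two file paths as arguments so they can be run against copies of the files, and the sample group entries they build are constructed for illustration. Primary group membership (the gid field in /etc/passwd) is outside the scope of both files and is not considered here.

```shell
#!/bin/sh
# Added example: resolve supplemental groups the way HP-UX does when an
# /etc/logingroup file is present. Not part of Universal Agent.

# Print, one per line, the supplemental groups of $1.
#   $2 = path of the group file      (normally /etc/group)
#   $3 = path of the logingroup file (normally /etc/logingroup)
# If the logingroup file exists it governs ALL supplemental memberships and
# the group file is ignored; otherwise the group file alone is used.
supplemental_groups() {
    user="$1"; group_file="$2"; logingroup_file="$3"
    if [ -f "$logingroup_file" ]; then
        src="$logingroup_file"
    else
        src="$group_file"
    fi
    # Both files share the format  name:password:gid:member1,member2,...
    awk -F: -v u="$user" '
        NF >= 4 {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) print $1
        }' "$src"
}

# Exit 0 if user $1 effectively belongs to group $2 (files in $3 and $4).
# Use this to check the group a failing resource is secured on.
has_supplemental_group() {
    supplemental_groups "$1" "$3" "$4" | grep -qx "$2"
}

# Constructed demonstration: uemuser is in uemops according to /etc/group,
# but the logingroup copy omits it, so the membership is lost.
demo_dir=$(mktemp -d)
printf 'uemops:x:300:uemuser,ops\nstaff:x:20:uemuser\n'  > "$demo_dir/group"
printf 'uemops:x:300:ops\nstaff:x:20:uemuser\n'          > "$demo_dir/logingroup"

if has_supplemental_group uemuser uemops "$demo_dir/group" "$demo_dir/logingroup"; then
    echo "uemuser is in uemops"
else
    echo "uemuser is NOT in uemops: /etc/logingroup exists and omits it"
fi

rm -f "$demo_dir/logingroup"   # without logingroup, /etc/group governs again
if has_supplemental_group uemuser uemops "$demo_dir/group" "$demo_dir/logingroup"; then
    echo "uemuser is in uemops (from /etc/group)"
fi
rm -rf "$demo_dir"
```

When an event handler fails with a permission error on a group-protected file, run `has_supplemental_group <user> <group> /etc/group /etc/logingroup` on the host; a non-zero result with /etc/logingroup present means the fix is to add the user to that file, not to /etc/group.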

Windows

When the USER_SECURITY option is enabled, a demand-driven UEM Server requires the ID and password of a valid local user account before it will begin monitoring the event. Likewise, an event-driven UEM Server requires this information to be stored in an event handler record before it can execute a process on behalf of that handler. All handler processes started by UEM Server when the USER_SECURITY option is enabled are executed in the security context of this user account.
 
To allow Windows to verify the user account information, a UEM Server will attempt to log that user on to the system via a call to a Windows system function.
 
Of the logon types Windows provides, UEM Server can use two: interactive and batch. Unless they have been explicitly denied the right to do so, most user accounts can be validated with the interactive logon method. Conversely, a user account typically must be granted an additional user right before it can be authenticated using the batch logon method. This right appears in Windows (Local Security Policy, User Rights Assignment) as "Log on as a batch job."
 
For information on configuring UEM Server to use this logon method, see the UEM Server LOGON_METHOD option.