Overview

Starting with Stonebranch Solutions 4.3.0, the Universal Broker service can execute with an account other than Local System. One advantage to this updated account support is that an event-driven UEM Server may monitor files on shared network devices. This means that for the first time, an event definition may contain a file specification in UNC format (that is, \\server\share).

Event-Driven UEM Server

An event-driven UEM Server must have read access to the UNC path and the files that reside there. To accommodate event definitions that rename files (that is, the event's RENAME_FILE option value is yes), UEM must also have the authority to delete files from the shared location. Permissions for the share itself must also grant the UEM Server the authority to access and update files that reside there.

Because an event-driven UEM Server executes and performs all monitoring activity in the Universal Broker's security context, it is the Universal Broker account that must have the permissions described above.

Note

It is not necessary for the Universal Broker to be installed on the system that hosts the shared directory. However, in order to satisfy Windows authentication requirements, there must a local account on that system with the same user ID and password as the account the event-driven UEM Server is executing with.

If the Universal Broker / UEM system and the system that hosts the shared directory are members of a domain, the Broker may execute with a domain account in order to simply administration of network resources.

Configuring Universal Broker and Shared Network Location

The following steps can be used as a guideline for configuring the Universal Broker and a shared network location to support monitoring of UNC paths by an event-driven UEM Server. The specific steps required are unique to every installation and application, so please consult Windows documentation for additional information.

Step 1	Configure an account to execute the Universal Broker service. The Universal Agent install for Windows provides the opportunity to specify - and to create if necessary - a local account that can be used to execute the Universal Broker service. If you want to use an existing local or domain account, make sure it has the correct privileges (see the Universal Agent 7.2.x User Guide).
Step 2	Configure the Universal Broker on the event-driven UEM system to execute with the account from Step 1. If a local account is specified during the Universal Agent install, the Broker service will automatically start and execute with that account. If you want to use an existing local or domain account, you may specify that account to the Broker service's properties in the Windows Services configuration utility.
Step 3	Give the account the file system privileges it needs to the directory, subdirectories, and files where the Universal configuration and component definition files reside. This only applies to the system(s) on which the Universal Broker is installed. Universal configuration and component definition files reside in `%ALLUSERSPROFILE%\Application Data\Universal`. The Broker account must have read and write access to the `.\Universal` directory, its subdirectories, and files.
Step 4	Give the account the file system privileges it needs to the directory, subdirectories, and files where the Universal application files reside. By default, the Universal Agent install places files in `%ProgramFiles%\Universal (%Program Files(x86)%\Universal` on 64-bit Windows systems). The Broker account must have read and write access to the `.\Universal` directory, its subdirectories, and files.
Step 5	Give the account the file system privileges it needs to the directory and files that UEM Server will monitor (see above).
Step 6	Give the account the permissions it needs to the share itself (see above).
Step 7	Define the events to the event-driven UEM Server using the UEMLoad utility.

UEM will process files in the specified location as soon as the event becomes active and a file appears that matches the event definition. |