Saturday, July 14, 2018

windows - Microsoft Azure Remote App User Folder Permissions




We are exploring Microsoft Azure Remote App as a solution for running a Windows-only version of Quickbooks in our Mac-centric environment. This solution meets the objectives of extending application functionality in a secure and isolated manner, while eliminating some of the overhead and cost of deploying a full terminal services infrastructure. One challenge we are facing is where best to store our Quickbooks data file such that any Remote App user can access it.



Microsoft recommends that you "Store all user data in user profiles or other storage locations external to the service, such as on-premises file shares or OneDrive" in Remote App Best Practices.



Since each user profile is folder redirected to a 50GB data volume, and our Quickbooks file is less than 100MB, my thought was to store the Quickbooks file in the user folder of one of our users and simply use file system ACLs to allow the other users access. No data other than a single Quickbooks file will be stored and all 3 users can have equal access.



I was able to successfully grant the other users access to the requisite user folder and apply the necessary permissions by temporarily publishing Explorer as a remote app to interact with the file system. However, when I test access, the other users do not have sufficient access.




  • Is what I am trying to accomplish even possible in this context?


  • How else might I accomplish sharing the Quickbooks data file amongst users within the Remote App environment?


Answer



Azure RemoteApp profile storage is stored as VHDs which are mounted to the user's profile when they log in, so if the user who has the document is not logged in, the folder won't be accessible. It's also possible permissions will be reset when it is mounted.



If you can't use a service like OneDrive, then one thing you could use is Azure Files, which will allow you to map a drive to an Azure storage account, and all users can share this location. The only issue with this is that access is via storage key, which will be visible to all users who need to map the drive and so they could take this key and access the storage from other machines, or if they leave the company (and you don't rotate it). If this is not an issue then this would likely work well.
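The Azure Files approach from the answer, as an added example that is not part of the original post: one function maps the share inside the RemoteApp session using the storage key (the secret every user ends up holding), and one regenerates that key when someone leaves so the old copies stop working. The storage account, share, resource group and key are placeholders, and the rotation half assumes the Az PowerShell module with `Connect-AzAccount` already run.

```powershell
# Added example, not from the original post. All names below are placeholders.
$Account       = 'contosoqb'        # storage account name (placeholder)
$Share         = 'quickbooks'       # Azure Files share holding the company file (placeholder)
$ResourceGroup = 'rg-remoteapp'     # resource group of the storage account (placeholder)
$Endpoint      = "$Account.file.core.windows.net"

function Mount-QuickbooksShare {
    # Runs in the RemoteApp session as each user. The key passed here is a full
    # storage-account secret: anyone who reads this script or runs `cmdkey /list`
    # on the session host can reuse it from any machine, which is the risk the
    # answer describes.
    param([Parameter(Mandatory)][string]$StorageKey, [string]$Drive = 'Q:')

    # Azure Files is plain SMB over TCP 445; fail fast if the host can't reach it.
    if (-not (Test-NetConnection -ComputerName $Endpoint -Port 445 -InformationLevel Quiet)) {
        throw "TCP 445 to $Endpoint is blocked; the share cannot be mapped."
    }

    # Store the credential in Credential Manager, then map the share persistently.
    cmdkey.exe /add:$Endpoint /user:"Azure\$Account" /pass:$StorageKey | Out-Null
    net.exe use $Drive "\\$Endpoint\$Share" /persistent:yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }
}

function Reset-QuickbooksShareKey {
    # Runs on an admin workstation with the Az module after Connect-AzAccount.
    # Regenerating key1 invalidates every mapping and copied key that used it;
    # the returned value is the new secret to hand out to the remaining users.
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $Account -KeyName key1 | Out-Null
    $keys = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $Account
    return ($keys | Where-Object KeyName -eq 'key1').Value
}
```

Because the key is shared by everyone who maps the drive, treat a departure as a rotation event: call `Reset-QuickbooksShareKey`, then re-run `Mount-QuickbooksShare` for the users who remain.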

