Restricting Access to the Vault Facility

On Windows, Micro Focus strongly recommends that you configure additional security to restrict access to your vault.

Restrict access to the vault files and to the secrets.cfg file, which contains information required to read secrets from the vault. Modifying the filesystem permissions can be used to achieve this:

  1. Create a group named, for example, "Micro Focus ES". Add the Administrators group and the LOCAL_SYSTEM account to that group.
  2. Set an inheritable Access Control List (ACL) on %PROGRAMDATA%\Micro Focus\Enterprise Developer\mfsecrets so that only the "Micro Focus ES" group can read, write, and delete.
Note: All users who start enterprise server regions from the command line need to be members of the "Micro Focus ES" group; similarly any accounts used to start enterprise server regions by running casstart (for example, schedulers) need to be members of that group; and similarly if the MFDS service account is changed, it needs to be a member of that group.