
Malvern Access Configurator (Mac) User Guide: MAN0602-01-EN-00 July 2017


MALVERN ACCESS

CONFIGURATOR (MAC)
USER GUIDE
MAN0602-01-EN-00 July 2017
Copyright © 2017 Malvern Instruments Ltd.
MAN0604-01-EN-00 July 2017
Malvern Instruments pursues a policy of continual improvement due to technical development. We therefore
reserve the right to deviate from information, descriptions, and specifications in this publication without
notice. Malvern Instruments shall not be liable for errors contained herein or for incidental or consequential
damages in connection with the furnishing, performance or use of this material. No reproduction or
transmission of any part of this publication is allowed without the express written permission of Malvern
Instruments Ltd.

Head office:
Malvern Instruments Ltd.
Enigma Business Park,
Grovewood Road,
Malvern,
Worcestershire WR14 1XZ
United Kingdom.
Tel + [44] (0)1684-892456
Fax + [44] (0)1684-892789
www.malvern.com

Malvern and the 'hills' logo are registered trademarks in the UK and/or other countries, and are owned by
Malvern Instruments Ltd.

2 MAC user guide — MAN0602


Table of Contents

Configuring the Malvern Access Configurator
  Introduction
  Installing the Malvern Access Configurator
  Configuring the MAC application
    Selecting an application
    Finding users and groups
  Configuring User Roles
    Role validity
    Creating groups of roles
    Assigning Permissions to Roles
    Controlling access to multiple applications
    Creating an Administrator role when securing the MAC application
  Exporting Security Permissions
  Auditing and Access control
  Audit trail
    Viewing the audit trail

Appendix 1 – Permissions and file locations
  Malvern Access Configurator (MAC)
    File Types and Locations
    Permissions
  Mastersizer 3000
    Permissions
  OMNISEC
    Permissions
  MicroCal PEAQ-DSC
    File Types and Locations
    Permissions
  Kinexus
    Permissions

Appendix 2 - Windows Security Settings
  Introduction
  Changing the directory security permissions in Windows 7
  Configuring Windows 8 / Windows 10 security permissions


Configuring the Malvern Access Configurator
Introduction
This user guide describes the process of configuring a security system using the Malvern Access Configurator
(MAC) software package. In this guide examples are provided as to how to control access to the MAC
software package when used in conjunction with the Mastersizer 3000 software. However, the process of
enabling access control will be similar for other Malvern applications which use the MAC application for
security control, and they will be referenced as required. The only changes that will be observed between
different applications are the specific permissions which can be set for different user roles. The permissions
for each software application are listed in Appendix 1.
Further details on the MAC and its operation can be found in the application help file.

Note: commands in this guide may be different depending upon the specific software application running.
Consult your product's user manual for exact details and instructions.

Installing the Malvern Access Configurator


The Malvern Access Configurator software is provided on the software install CD-ROM for the system you are
using.

To install the MAC:


• Open the Malvern Access Configurator directory on the CD-ROM and run the setup.exe
program.
A full set of requirements for running the MAC software is provided in the Software Update Notification
(SUN) for the application. This is provided on the software CD-ROM and is also available directly from Malvern
Instruments. Please read this prior to installing the software.
Note that, in common with all Windows applications, you must be an administrator on the host computer for
the software to be installed successfully. In addition, the MAC software uses the existing Microsoft Windows
users and groups configured on the host computer to control access to a Malvern application. As such, prior
to installing the MAC, it is important to ensure that the computer running the Malvern software is installed
on its host network. If the computer is a stand-alone system, the required users and groups must be
configured on the computer prior to the use of the MAC.
Given the above requirements, it is advised that the local IT department reviews the requirements for use of
the MAC application, and is present during the software installation process. If the MAC is to be configured
during a system Installation Qualification (IQ) by a Malvern representative, then ideally the computer and
Windows operating system, the users, groups and the network access should be considered before the date
of the visit, as any delays in the installation process may incur additional service charges.



Configuring the MAC application
When the MAC application is first opened, you will be presented with the application window shown in
figure 1.
• Section 1 of the application window lists all the applications for which access control can be
configured using this installation of the MAC application.
• Section 2 shows all the user roles which have been set up for the controlled applications.
• Both sections are blank in figure 1, as no applications have been selected.

Figure 1: MAC application window.

Selecting an application
The first task in using the MAC is to import the permissions file (permissions.xml) for the Malvern
application you wish to control. This file lists all the securable actions, such as record creation or editing,
which can be carried out with an application. In general, the permissions file for each application software
will be stored in the Program Files directory tree on the computer running the application.



For the two applications we are focusing on here — the MAC and Mastersizer 3000 — the permissions files
can be found in the following directories.
• MAC: \Program Files\Malvern Instruments\Malvern Access Configurator\Permissions.xml or
\Program Files (x86)\Malvern Instruments\Malvern Access Configurator
• Mastersizer 3000: \Program Files\Malvern Instruments\Mastersizer 3000\Permissions.xml or
\Program Files (x86)\Malvern Instruments\Mastersizer 3000
Generally, the permissions.xml file path for each Malvern application software will be
• \Program Files\Malvern Instruments\’product name’\Permissions.xml or \Program Files (x86)\Malvern
Instruments\’product name’

To import the permissions:


1. Use the File-Import permissions file menu option, or right-click the applications window (section
1 in figure 1) and click the import permissions file option.

Figure 2: MAC application following successful import of the permissions for the Mastersizer 3000 and MAC applications.

2. Select the permissions files required. Once these files have been successfully imported, you will see
each of the applications listed within the MAC software window (figure 2).



Finding users and groups
The MAC application allows the access rights to be set for the Windows Users that are available to the system
being configured, either locally or via a network. The next task in configuring access rights is to create a cache
detailing the available users and groups. This can be done from the Local Options, accessed from the File-
Local Options menu item (figure 3).

Figure 3: Local options for the MAC application.

To initiate a scan:
1. Click on the Refresh Now option within the User and Groups Cache section of the Local Options
window. This will cause the application to find all the Windows users and groups accessible from
the computer and network on which the MAC application is stored. Note that, depending on the
size of your network, this action may take several minutes.
The default queries that are installed utilize Lightweight Directory Access Protocol (LDAP) to query the Active
Directory server to scan for users and groups. If after completing a scan no users or groups are found, this
could indicate that LDAP is not supported or enabled on your network and that a different method,
Windows Management Instrumentation (WMI), will be required to scan for users. This can be done by creating
your own query for finding users and groups.



Creating user and group queries
Custom queries can be created by clicking on Add to the right of the User and Groups Cache section of the
Local Options window (figure 3).
Two types of queries can be created: LDAP (figure 4) or WMI (figure 5).

Figure 4: Creating an LDAP query

Figure 5: Creating a WMI query

LDAP paths can be set to target specific areas of a network to speed up scanning and can be useful if you
have a large network.
If LDAP is not supported by your network then a Windows Management Instrumentation (WMI) query can be
used to search your network as WMI is preinstalled in Windows 2000 and newer operating systems. By not
specifying the domain or server, the query will search from the root and scan the entire network for users and
groups.
Due to a limitation in the software, if you need to change a query type between LDAP and WMI, it is
best to create a new query and delete the old one rather than editing an existing query.



Configuring User Roles
Once the users and groups accessible from the computer system have been cached, and the application
permission files have been loaded, the process of setting up roles within the MAC application can begin.
The MAC application allows different roles to be defined for users of an application software (figure 6).

Figure 6: Roles within the Malvern Access Configurator application.

Roles contain sets of permissions to perform functions. By grouping permissions to perform functions into
logical role types, it is then possible to create layers of security control within the system. For example,
• Users having the "Basic User" role might be able to run measurements, but not edit records.
• Similarly, an "Intern" role might be able to access reports, but not run measurements.

To add a role:
1. Click the Create icon within the ribbon bar. The Role Detail window will be shown (figure 7).

Figure 7: Role creation window.



2. Input the new role name, a role description and a period of validity for the role — see Role validity.
Once the role is created, it will appear in the Roles list within the main MAC software window (section 2 in
figure 1).

To add users to a role:


Once a role has been created, users from the local network can be added to it.
1. Click on the role within the MAC application window and select the View/modify ribbon bar
option.

Figure 8: Role Detail window – users and groups tab

2. This will cause the Role Detail window to appear (figure 8), with any users or groups associated
with the role being listed on the Users and Groups tab. In figure 8, two users have already been
added to the selected role, along with one group.
3. To add new users and groups to the role, click the Add button. This will display a searchable list of
all the users and groups (figure 9) found during the network scan described above.
4. Locate the users and groups required and select to add.
5. Click Ok to confirm.



Figure 9: Select users and groups

Role validity
Once the user (or group) has been added to the role, you can then configure a valid from / valid to time-
period during which the user will remain active within that role.
The period of time over which a role is active can be set within the MAC application (figure 10). This enables
roles to be created for short time periods if required, for instance to allow the completion of a specific project
by a group of users.
By default, the Valid from and Valid to dates are set as blanks, meaning that a user will immediately
become active with the role, and will remain active indefinitely.

Figure 10: Role validity



Creating groups of roles
As well as being able to add users and groups to specific roles, it is possible to assign all the capabilities of
one role to another role within the MAC application. As an example, let us assume that we have created a
basic role for users who need to make measurements (QC User). We may want lab managers to be able to
make measurements as well.
1. Click on the Is a Member Of tab (see figure 11),
2. Use the Add function to include the QC Users role as part of the Lab Manager role. Lab managers
will then be able to do everything that QC users can do within the applications controlled by the
MAC.

Figure 11: Sharing the permissions associated with one role within another role. In this example, the QC User role
permissions will be inherited by the Lab manager role.

As well as being able to apply the permissions from another role to the role you are configuring, you can also
decide to share the permissions of the current role with another role within the MAC system. So, let us
assume there is a Facility Manager role, which needs to have all the capabilities of the Lab Manager role. To
set this up:
1. Access the Has These Member Roles tab within figure 12,
2. Add the Facility Manager role to the list. This will ensure that all users assigned to the Facility
Manager role will be able to access all the functions associated with the Lab Manager role.



Figure 12: Sharing the permissions associated with one role within another role. In this example, the Facility Manager
role will inherit all the capabilities of the Lab Manager role.

Assigning Permissions to Roles


Once all the roles you require are set up within the MAC application, the next step in configuring a working
security system is to assign specific software permissions to each role. To do this:
1. First select a target application from the Applications list (found in section 1 of figure 1).
2. Then, select a role from the Roles list (found in section 2 of figure 1)
3. Click on the View/modify ribbon bar icon. This will bring up the Role Detail window (figure 13).
4. Within this, select the Permissions From: tab for the application you are configuring. So, in the
case of figure 13, it is the Mastersizer 3000 application which is being configured for the QC User
role.

Note: make sure the correct application is listed in the title of the Permissions From: tab before continuing.
If it is not displayed, press Cancel and then select the correct application from the Applications list.



Figure 13: Role permissions view.

To add permissions for the target application to the active role:


1. Click on the Add button with the Permissions From: tab selected. A Select Permissions From:
window will then open, within which you will see a list of permissions you can set for the target
application. As an example, some of the configurable permissions for the Mastersizer 3000
application are shown in figure 14. The full list of configurable permissions for the Mastersizer 3000
and other Malvern applications is shown in Appendix 1.

Figure 14: Permissions for the Mastersizer 3000 application.



2. Use Ctrl-Click to individually select the permissions within the list that you want to assign to the
current role, or use Ctrl-A to select all permissions. Clicking OK will add the selected permissions to
the role. Follow the same procedure to select permissions for all the other roles you have
configured.

Controlling access to multiple applications


Once the permissions have been set for one application within each role, access permissions can be
configured for the same set of roles for any other application controlled by the MAC. To do this:
1. Select a new application from the Applications list,
2. Select the role of interest from the Roles list and click View/modify. As an example, access to the
MAC application may be required for the facility managers group mentioned above.
3. To enable access, select the MAC application and the Facility Manager group and click
View/modify. The permissions can now be set for the MAC application, in the same way as for the
Mastersizer 3000 application (figure 15).
Note that in this case, the Permissions From: tab confirms that it is the Malvern Access Configurator
Version application which is being configured rather than the Mastersizer 3000 application.

Figure 15: Assigning permissions for the MAC application to a role.



Creating an Administrator role when securing the MAC application
It is advisable to create an Administrator role to which you assign the current user (i.e. the user account
you are logged in as when using the MAC) and any others who are authorized to use the MAC. The role should
be given full permissions to access all features of the MAC. This will ensure that you will not lock yourself out
of the system and will always have a way in to reconfigure access control for other users. You may also
choose to assign other users or groups to the Administrator role.

Note: Malvern does not have a “secret role” or password to enable access if you have locked yourself out of
the system.



Exporting Security Permissions
When you have finished configuring all the roles required for your organization, the final stage in setting up
the security system for a given application is to export the access control settings from the MAC application
and import them into the host application.

To export the security settings:


1. Select the application of interest from the Applications list.
2. From the ribbon bar, select the Export settings file option. This will cause an Export Access
Control Settings window to appear (figure 16).

Figure 16: Exporting access control settings.

3. Use the button to select a file name and directory.


It is suggested that the access control settings file is stored to the following directories, to ensure that the
settings can be found in the future:
• MAC: \ProgramData\Malvern Instruments\Malvern Access Configurator\MAC Security.xml
• Mastersizer 3000: \ProgramData\Malvern Instruments\Mastersizer 3000\Configuration Files\MS3000 Security.xml
Generally, the security.xml file path for each Malvern application software will be
• \ProgramData\Malvern Instruments\’product name’\Configuration Files\MS3000 Security.xml
However, if you wish to apply the same access control settings to multiple instances of the target
application, you may wish to save the access control settings file to a network location instead.

Note: Once the permissions file has been created, it is important that deletion of the file is prevented using
the Windows operating system file access controls. Read, write and modify access must, however, be
maintained. The file is protected against unauthorized changes using applications other than the MAC.
Unauthorized changes will therefore be detected by the host application. Appendix 2 in this document lists
the files used by the MAC and provides advice regarding how these can be secured to prevent unauthorized
changes to the MAC security and audit functions.

Importing the security settings:


Finally, within the host application (i.e. Mastersizer 3000), you must now enable security and import the
access control settings from the file(s) you have just saved.



Note: Opening the Access control setting will depend upon the specific software application running.
Consult your product's user manual for exact details and instructions.

For the Mastersizer 3000, this is done from the Options window.
1. Select the Access Control settings and select Enable Access Control (figure 17). This can only be
carried out if you are an administrator on the computer hosting the Mastersizer 3000 software.
2. To ensure you are an administrator, you will be required to re-authenticate (1).
Enter your password and click the blue arrow icon. If authentication is successful, the Browse…
button will become active.
3. Click the Browse… button and select the access control settings file you wish to use. (2 – in this
case the Mastersizer 3000 Access control file). Clicking OK will cause the access permissions stored
in the file to be applied. This is confirmed within the status bar of the application.

Figure 17: Enable Access Control

A similar process needs to be followed to secure the MAC application. Select the File-Local Options menu
item. This will cause the Local Options window to appear (figure 3). From within this, click the Browse…
button within the Access Control section of the window. Using this, find the access control settings file you
saved.
Once this is loaded, security control of the MAC application will be enabled. This will be confirmed within the
status bar of the application.



Auditing and Access control
The functions described above for the MAC application can be powerful in scope, in that access to other
applications can be easily enabled and disabled. For this reason, access to the MAC application should be
controlled within your organization.
You may wish to limit the number of systems the MAC is installed on to prevent unauthorized access. You
can also use the security system within the MAC application to control access. Access rights for different roles can
be configured for the MAC application using the process described in this document. Security is then enabled
by opening the Local Options window using the File-Local Options menu item. Within the Local Options,
locate the Access Control section and click Enable. You can then select the permissions file you have
created for the MAC application. A list of the permissions which can be assigned to roles for the MAC
application is provided in the appendix to this document.

Audit trail
You may also wish for all MAC activity to be recorded in an audit trail. To do this, open the Local Options
window again. Within this, there is an Audit trail section. To enable the audit system, click the Enable
button and then click OK (figure 18).

Figure 18: Viewing the Audit Trail in the MAC

The fact that the auditing is active will be reported within the status bar of the application. Once auditing is
enabled, the audit trail provides information on any changes made to the access control and security
configuration controlled by the MAC.



Viewing the audit trail
Audit trails can be viewed using the options on the Audit Trail section of the ribbon bar (figure 19). The
options are:
• View audit trail
• View audit trail (including archives)
• Select audit trail to view.
Click View audit trail and the audit trail will be shown in a tab, which details all non-archived system events
that have been recorded. Items are presented in this window in chronological order, with the most recent
item at the top of the list. To include items that have been archived, choose View audit trail (including
archives) instead.

Figure 19: Viewing the Audit Trail in the MAC

For each audit entry, the type of action and the time it was performed is logged along with the user and
computer details. The column headers can be sorted to view the data. Double-clicking on an audit entry will
bring up additional information in the right-hand pane.
The Select audit trail to view button opens a file selector window where you can select another Malvern
application’s audit trail file to be displayed in the MAC.
• More details are contained in the MAC help file

Note: Appendix 2 in this document lists the files used by the MAC and provides advice regarding how these
can be secured to prevent unauthorized changes to the MAC security and audit functions.

Appendix 1 – Permissions and file locations
Malvern Access Configurator (MAC)
File Types and Locations
The MAC software uses a series of different file types to store data and settings. These are described below,
in order to help users who wish to secure the MAC software using the Microsoft Windows security and
access settings. Guidance regarding how to set up the security settings is provided in the Windows Security
Settings section of this appendix.

| File Type | Extension | Default Path | Advised security setting for 21CFR Part 11 Mode |
|---|---|---|---|
| Audit trails | .xml | C:\ProgramData\Malvern Instruments\Malvern Access Configurator\Audit Trails | Prevent deletion of the files in this directory. However, read, write and modify access must be maintained. |
| Security configuration file | .xml | Exported from the Malvern Access Configurator (MAC) application. The directory is user-specified. Malvern advise that the file should be stored in the C:\ProgramData\Malvern Instruments\Malvern Access Configurator directory. | Prevent deletion of this file once it is created. However, read, write and modify access must be maintained. |
| Various system wide configuration files | Various | C:\ProgramData\Malvern Instruments\Malvern Access Configurator | Full access must be maintained to this directory for the program to function correctly. |
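
The advice in the table above (block deletion, keep read, write and modify access) can be applied and checked from PowerShell. The script below is an added example and is not taken from the Malvern guide; the function names, the scratch directory used for the demonstration and the LAB\Instrument Users group are assumptions for illustration.

```powershell
# Added example, not part of the Malvern guide. Run from an elevated prompt.
# Function names, the scratch directory and the group name are illustrative.

function Add-NoDeleteRule {
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$Principal)
    $acl = Get-Acl -Path $Path
    $id  = New-Object System.Security.Principal.NTAccount($Principal)
    if (Test-Path -Path $Path -PathType Container) {
        # Directory: deny deleting its children, and let every file and
        # subfolder inherit a deny on its own Delete right.
        $rights  = 'Delete, DeleteSubdirectoriesAndFiles'
        $inherit = 'ContainerInherit, ObjectInherit'
    } else {
        # Single file: only the file's own Delete right is denied here.
        $rights  = 'Delete'
        $inherit = 'None'
    }
    # Existing Allow entries (read, write, modify) are left untouched; an
    # explicit Deny is evaluated before them.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $rights, $inherit, 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DeniedRights {
    # Bitmask of the rights denied to exactly this principal on the item.
    # Deny entries held through group membership are not followed.
    param([string]$Path, [string]$Principal)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $account = New-Object System.Security.Principal.NTAccount($Principal)
    $sid     = $account.Translate($sidType).Value
    $mask    = 0
    foreach ($r in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        # InheritOnly entries apply to children, not to the item itself.
        $inheritOnly = [bool]($r.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        if ($r.AccessControlType -eq 'Deny' -and
            $r.IdentityReference.Value -eq $sid -and -not $inheritOnly) {
            $mask = $mask -bor [int]$r.FileSystemRights
        }
    }
    return $mask
}

function Test-NoDeleteRule {
    # Reports whether deletion is denied on the item and through its parent,
    # and whether any deny rule would also block reading or writing.
    param([string]$Path, [string]$Principal)
    $fsr    = [System.Security.AccessControl.FileSystemRights]
    $item   = Get-DeniedRights -Path $Path -Principal $Principal
    $parent = Get-DeniedRights -Path (Split-Path -Path $Path -Parent) -Principal $Principal
    $data   = [int]$fsr::ReadData -bor [int]$fsr::WriteData -bor [int]$fsr::AppendData
    New-Object PSObject -Property @{
        Path                  = $Path
        DeleteDeniedOnItem    = [bool]($item   -band [int]$fsr::Delete)
        DeleteDeniedViaParent = [bool]($parent -band [int]$fsr::DeleteSubdirectoriesAndFiles)
        ReadWriteDenied       = [bool]($item   -band $data)
    }
}

# Demo on a constructed scratch directory that stands in for ...\Audit Trails.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$dir  = Join-Path $env:TEMP ('mac-acl-demo-' + [guid]::NewGuid())
$file = Join-Path $dir 'sample-audit.xml'
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -Path $file -Value '<audit/>'            # constructed sample file

Add-NoDeleteRule -Path $dir -Principal $me
Test-NoDeleteRule -Path $file -Principal $me | Format-List

Add-Content -Path $file -Value '<!-- appended -->'   # writing still succeeds
try   { Remove-Item -Path $file -ErrorAction Stop; 'UNEXPECTED: file was deleted' }
catch { 'Delete blocked: ' + $_.Exception.Message }

# Clean up: drop the deny rule again, then remove the scratch directory.
$acl = Get-Acl -Path $dir
foreach ($r in @($acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]))) {
    if ($r.AccessControlType -eq 'Deny') { [void]$acl.RemoveAccessRule($r) }
}
Set-Acl -Path $dir -AclObject $acl
Remove-Item -Path $dir -Recurse

# Real targets named in this guide ('LAB\Instrument Users' is a placeholder group):
# $mac = 'C:\ProgramData\Malvern Instruments\Malvern Access Configurator'
# Add-NoDeleteRule -Path "$mac\Audit Trails"     -Principal 'LAB\Instrument Users'
# Add-NoDeleteRule -Path "$mac\MAC Security.xml" -Principal 'LAB\Instrument Users'
```

Windows allows a file to be deleted by anyone holding Delete on the file or "Delete subfolders and files" on its parent directory, so a rule placed on a single file does not hold where the parent grants that right; this is why the check reports both. Denying Delete also blocks renaming or moving the files, because a rename needs the same access.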

Permissions
The security permissions that can be set for different Groups within the MAC software are detailed below.

| Section | Permission | Permission Description | Typical access required |
|---|---|---|---|
| Files | Import permissions file | Import the permissions file for an application | Usually enabled for administrators only |
| Files | Delete permissions file | Delete the permissions file for an application | |
| Files | Export application access control settings | Export an access control settings file for any application (e.g. permissions.xml) | |
| Files | View audit trail files | Open any audit trail file for viewing | |
| Roles | View Roles | View the details of a role | Usually enabled for administrators only |
| Roles | Create Roles | Create new roles | Usually enabled for administrators only |
| Roles | Delete roles | Delete an existing role | Usually enabled for administrators only |
| Roles | Modify roles | Modify the details of an existing role | Usually enabled for administrators only |



Mastersizer 3000
Permissions
The security permissions that can be set for different Groups within the Mastersizer 3000 software are
detailed below.

| Section | Permission | Permission Description | Typical access required |
|---|---|---|---|
| Reports | Print Report | Enables print and batch printing of reports | Access is normally enabled for those users making routine measurements. |
| Reports | Create or Edit Reports | Create new reports or edit existing reports | Access is normally enabled for lab supervisors or method developers. |
| Reports | Delete Report | Delete an existing report | Access is normally enabled for lab supervisors or method developers. |
| Reports | Select Reports | Choose which reports to show as tabs in the software. | Access is normally enabled for those users making routine measurements. |
| SOP | Extract SOP | Extracts the SOP measurement settings from a measurement record. | Access is normally enabled for method developers or other advanced users. |
| SOP | Create SOP file | Create a new measurement SOP | Access is normally enabled for method developers or other advanced users. |
| SOP | Open a SOP file | Open an existing SOP file in the application to enable it to be edited | Access is normally enabled for method developers or other advanced users. |
| SOP | View SOP summary report | View the summary report | Access is normally enabled for method developers or other advanced users. |
| SOP | View SOP history | View the SOP version history | Access is normally enabled for lab supervisors, reviewers and administrators. |
| SOP Editor | Save SOP | Save an SOP in the SOP Editor following an edit. | Access is normally enabled for method developers or other advanced users. |
| SOP Editor | Save SOP As | Save an SOP under a new name from within the SOP Editor | Access is normally enabled for method developers or other advanced users. |
| SOP Editor | Save SOP As Template | Save an SOP as a Template SOP which can be used as the starting point for new SOPs. | |
| Measurements | Edit Measurements | Edit the settings for a measurement record and recalculate the result | Access is normally enabled for method developers or other advanced users. |
| Measurements | Edit Result Emulation Factors | Edit the result emulation factors used to transform the result to match another technique | Access is normally enabled for method developers or other advanced users. |
| Measurements | Delete Measurements | Delete measurement records | Access should be disabled for all users when following 21CFR Part 11 requirements. |
| Measurements | Copy Measurements | Copy measurement records to clipboard from the records view | Access is normally enabled for method developers or other advanced users. |
| Measurements | Paste Measurements | Paste copied measurement records into the currently opened measurement file. | Access is normally enabled for method developers or other advanced users. |
| Measurements | Create New Measurement File | Create a blank new measurement file for the storage of records | Access is normally enabled for those users making routine measurements. |
| Measurements | Create Average Results | Creates an averaged result from a selected range of measurements within the records view. | Access is normally enabled for method developers or other advanced users. |
| Measurement Initiation | Start SOP Player | Open SOP Player and allow creation, editing and running of SOP Playlists | Access is normally enabled for method developers or other advanced users. |
| Measurement Initiation | Start SOP Measurement | Run an SOP measurement | Access is normally enabled for those users making routine measurements. |
| Measurement Initiation | Start PV SOP Measurement | Run an SOP as a Performance Verification measurement (enables PV certificate to be produced for latex measurements) | Access is normally enabled for lab supervisors and Malvern service and support representatives |
| Measurement Initiation | Start PV QAS SOP measurement | Run an SOP as a QAS Glass Bead Performance Verification measurement (enables a PV certificate to be produced) | |
| Measurement Initiation | Start Manual Measurement | Run a manual measurement | Access is normally enabled for method developers or other advanced users. |
| Auditing | View Audit Trail with Archive | View archived audit trail information | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Auditing | View Audit Trail | View current audit trail information | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Auditing | Configure Audit Trail Archive Schedule | Configure the frequency at which the audit trail is archived | Access is normally enabled for administrators. |
| Auditing | Open Audit Trail Folder | Open the Audit Trail storage folder from within the software | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Auditing | View Measurement Audit Trail | View the audit trail associated with a measurement record | Access is normally enabled for lab supervisors, reviewers and administrators. |

Add a user macro to the


Add a user macro Access is normally disabled
software
Macro for all users when applying
Delete a macro from within 21CFR Part 11 requirements.
Delete macro
the software

Open the accessory control Access is normally enabled


Launch Accessories
Accessories panel in order to manually for method developers or
Control
control the accessory other advanced users.

Access is normally disabled


Scripting Launches the MS3000
Launch Script Engine for all users when applying
Engine Scripting Engine
21CFR Part 11 requirements.

Access is normally enabled


Access to maintenance
Engineering Open Maintenance for lab supervisors or other
controls
advanced users.

Initiates the export of Access is normally enabled


Data Export Initiates Data Export measurement data into other for method developers or
formats (e.g. csv file format) other advanced users.

MAC user guide — MAN0602 27


Create or Edit data Create or edit data export
Data Export export templates templates
(continued) Delete Data Export Delete existing data export
templates templates

Open the database of


Open Material
materials for viewing and
Database Access is normally enabled
editing
Data base for method developers or
Open the database of other advanced users.
Open Dispersant
dispersants for viewing and
Database
editing

Configures the measurement


Configure Record
parameters to be displayed in
View
the record view.
Access is normally enabled
Show only the current version
for lab supervisors or method
Show Current of measurement records in
Record View developers, and may be
Results the records view (previous
enabled for users making
versions are hidden).
routine measurements.
Show all measurement
Show All Results records, including previous
versions, in the Record View.

Performance Access is normally enabled


Generate a PV certificate for
Verification Generate PV for lab supervisors and
a set of selected
Procedures Certificate Malvern service and support
measurement records.
(PV) representatives.

View the signature history Access is normally enabled


View Record
associated with a for lab supervisors and
Signature History
measurement record. reviewers.

Allows a user to add a


signature but leaves the Access is normally enabled
Non Locking Sign-off record open to being signed for those users making
Electronic
by other users or edited if routine measurements.
Signatures
required.

Allows a user to add a file,


locking signature to a Access is normally enabled
Locking Sign Off measurement record, for lab supervisors and
preventing the record from reviewers.
being changed.

28 MAC user guide — MAN0602


Allows users to change Access is normally enabled
Change Workspace between the private and for method developers or
shared workspaces. other advanced users.
Security Allows users to change the
Access is normally enabled
Modify Company company information and
for lab supervisors or
Information logo in the program options
administrators.
(v3.20 software or earlier)

Optical Allow users to open the Access is normally enabled


Open Optical
Property optical property optimizer for method developers or
Property Optimizer
Optimization method development tool other advanced users.

MAC user guide — MAN0602 29


OMNISEC
Permissions
The security permissions that can be set for different Groups within the OMNISEC software are detailed
below.

| Permission Section | Permission | Description | Typical access required |
|---|---|---|---|
| Analyses | Add Baselines | Allow user to add the baselines | |
| Analyses | Open/Import/Export Analysis data | Allow user to open data into the analysis view, also import and export data | |
| Analyses | Edit Method | Allow user to edit a calculation method in the analysis view | |
| Analyses | Edit Run conditions | Allow user to edit run conditions of an injection | |
| Analyses | Create a calculation method | Allow user to create a calculation method in the analysis view | |
| Analyses | Add Baseline | Allow user to add the baseline | |
| Analyses | Add Limit | Allow user to add the limit | |
| Analyses | Auto Set Limits | Allow user to auto set the limits | |
| Analyses | Delete Limits | Allow user to delete the limits | |
| Analyses | Auto Set Baselines | Allow user to auto set the Baselines | |
| Analyses | Delete Baseline | Allow user to delete Baseline | |
| Analyses | Delete Baselines | Allow user to delete all baselines | |
| Analyses | Save | Allow user to save the baselines and limits | |
| Data Acquisition | Edit Sequence | Allow user to edit a sequence | |
| Data Acquisition | Edit Instrument Setup | Allow user to edit instrument setup before running sequences | |
| Data Acquisition | Instrument controls | Allow the user to use the instrument control panel - note users without this privilege will be unable to stop or start the pump, but will be prompted to turn system into standby mode when exiting the software | |
| Data Acquisition | Execute Baseline Monitor | Allow the user to execute the Baseline Monitor process. | |
| Data Acquisition | Execute Quick Run | Allow the user to execute a Quick Run. | |
| Data Acquisition | Run Sequence | Allow User to run a sequence | |
| Data Acquisition | Stop Data Acquisition | Allow User to Stop Data Acquisition | |
| Reporting | Edit a report | Allow user to edit created reports | |
| Reporting | Configure visible reports and delete reports | Allow user to configure which reports are visible in the analysis view, this also enables custom reports to be deleted | |
| Utility Databases | Access utility databases | Allow user to access the utility databases e.g. solvents, columns | |
| Utility Databases | Add utility data | Allow user to add items to utility databases - save permission must also be given to save the item | |
| Utility Databases | Delete utility data | Allow user to delete items from utility databases | |
| Utility Databases | Save utility data | Allow user to save changed items to utility databases | |
| Auditing Commands | View Audit Trail | Allow User to view Audit Trail Records | |
| Auditing Commands | View Audit Trail With History | View Audit Trail With History | |
| Auditing Commands | Archive Audit Trail | Archive Audit Trail | |
| Auditing Commands | Open Audit Trail Folder | Open Audit Trail Folder Location | |
| Auditing Commands | View Item Audit Trail | Allow User to view Item specific Audit trails | |
| Electronic Signatures | Sign Off | Allows the non locking sign off of a record | |


MicroCal PEAQ-DSC
File Types and Locations
The MicroCal PEAQ-DSC software uses a series of different file types to store data and settings. These are
described below, in order to help users secure the software using the Microsoft Windows security and access
settings. Guidance regarding how to set up the security settings is provided in the Windows Security Settings
section of MRK2306.

| File Type | Extension | Default Path | Advised security setting for 21 CFR Part 11 Mode |
|---|---|---|---|
| Audit trails | .xml | C:\ProgramData\Malvern Instruments\Malvern Access Configurator\Audit Trails | Prevent deletion of the files in this directory. However, read, write and modify access must be maintained. |
| Configuration Files | Various | C:\Users\Public\Documents\Malvern Instruments\MicroCal PEAQ-DSC\Config | Users typically do not require access to modify files in this folder other than during system setup, for example enabling 21 CFR features or adding a license file. |
| Experiment Data | .dscx | C:\Users\Public\Documents\Malvern Instruments\MicroCal PEAQ-DSC\DSC Experiments | Prevent deletion of the files in this directory. However, read, write and modify access must be maintained. |
| Log data | .log | C:\Users\Public\Documents\Malvern Instruments\MicroCal PEAQ-DSC\Logs | Prevent deletion of this file once it is created. However, read, write and modify access must be maintained for users with rights to amend security permissions. |
| Measurements | .dmes | C:\Users\Public\Documents\Malvern Instruments\MicroCal PEAQ-DSC\Measurements | Prevent deletion of the files in this directory. However, read, write and modify access must be maintained. |
| Methods | .dscm | C:\Users\Public\Documents\Malvern Instruments\MicroCal PEAQ-DSC\Methods | Prevent deletion of the files in this directory. However, read, write and modify access must be maintained. |
| Reports | Various | C:\Users\Public\Documents\Malvern Instruments\MicroCal PEAQ-DSC\Reports | Prevent deletion of the files in this directory. However, read, write and modify access must be maintained. |
| Security configuration file | .xml | Exported from the Malvern Access Configurator (MAC) application. The directory is user-specified. Malvern advise that the file should be stored in the C:\ProgramData\Malvern Instruments\MicroCal PEAQ-DSC Software | Prevent deletion of this file once it is created. However, read, write and modify access must be maintained for users with rights to amend security permissions. |
| Various system wide configuration files | Various | C:\ProgramData\Malvern Instruments\Malvern Access Configurator | Full access must be maintained to this directory for the program to function correctly. |


Permissions
The security permissions that can be set for different Groups within the MicroCal PEAQ-DSC software are
detailed below.

| Permission Section | Permission | Description | Typical access required |
|---|---|---|---|
| Instrument | Stop Experiments | Allows users to abort the current list of running sequences and return remaining sequences to the Sequences List | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Instrument | Set Idle Temperature | Allows users to set the temperature that the instrument will idle at. | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Instrument | Email Settings | Allows users to change email configuration settings. | Access is normally enabled for administrators. |
| Experimental Parameters | Open Method | Allows user to open a saved method as a sequence. | Access is normally enabled for those users making routine measurements. |
| Experimental Parameters | Update Parameters | Allows users to edit the run parameters of sequences whilst a run is in progress. | Access is normally enabled for method developers or other advanced users. |
| Experimental Parameters | Save Sequence | Allows users to save the current sequence as a method. | Access is normally enabled for method developers or other advanced users. |
| Experimental Parameters | Run Sequences | Allows users to run Sequences. | Access is normally enabled for those users making routine measurements. |
| Experimental Parameters | Save Load Template | Allows users to save a load as a template. | Access is normally enabled for method developers or other advanced users. |
| Experimental Parameters | Set Well Location | Allows user to set or update the well locations used in a sequence. | Access is normally enabled for those users making routine measurements. |
| Experimental Parameters | Edit Sample Details | Allows the user to edit the sample-specific parameters in the sequence. | Access is normally enabled for method developers or other advanced users. |
| Maintenance | Clean | Allows users to perform a maintenance clean. | Access is normally enabled for lab supervisors and Malvern service and support representatives. |
| Maintenance | Change Syringe | Allows users to replace the syringe. | Access is normally enabled for lab supervisors and Malvern service and support representatives. |
| Maintenance | Replace Needle Seal | Allows users to replace the needle seal. | Access is normally enabled for lab supervisors and Malvern service and support representatives. |
| Maintenance | Valve Switch | Allows users to perform maintenance valve switching. | Access is normally enabled for lab supervisors and Malvern service and support representatives. |
| Maintenance | Export Idle Data | Export the collected idle data to file. | Access is normally enabled for lab supervisors and Malvern service and support representatives. |
| Analysis | Add Record | Add a record to the measurement file. | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Analysis | Save | Allows users to save the open measurement file. | Access is normally enabled for those users making routine measurements. |
| Analysis | Save As | Allows users to save the open measurement file as a new measurement file. | Access is normally enabled for method developers or other advanced users. |
| Analysis | Open Analysis | Allows users to open a measurement file. | Access is normally enabled for those users making routine measurements. |
| Analysis | Create measurement file | Allows users to create a new measurement file. | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Analysis | Remove Experiment | Allows users to remove a record from the analysis. | Access is normally disabled for all users when applying 21 CFR Part 11 requirements. |
| Analysis | Duplicate Record | Allows users to create a copy of the record in the measurement file. | Access is normally enabled for method developers or other advanced users. |
| Analysis | Average Record | Allows users to create a new record that is an average of a selection of records. | Access is normally enabled for method developers or other advanced users. |
| Analysis | Edit Buffer | Allows users to assign a record’s buffer. | Access is normally enabled for method developers or other advanced users. |
| Analysis | Edit Baselines | Allows user to edit baselines. | Access is normally enabled for method developers or other advanced users. |
| Analysis | Edit Fit | Allows users to edit fitting models and/or parameters. | Access is normally enabled for method developers or other advanced users. |
| Analysis | Auto-Save | Allows users to enable or disable forced auto-saving of measurement file during analysis. | Automatically enabled when applying 21 CFR Part 11 features. |
| Analysis | Export Analysis Settings | Allows users to export analysis settings for application on other experiments’ analysis | Access is normally enabled for method developers or other advanced users. |
| Analysis | Import Analysis Settings | Allows users to import analysis settings from a previous measurement for application on the current analysis | Access is normally enabled for method developers or other advanced users. |
| Reports | Reports Administrator | Allows users to edit reports and scripts in the Report Designer and select the default report selection. | Access is normally enabled for method developers or other advanced users. |
| Folder Options | Set Experiment data folder | Allows users to change the default directory for saving raw experiment data files. | Access is normally enabled for administrators. |
| Folder Options | Set Methods folder | Allows users to change the default directory for saving method files. | Access is normally enabled for administrators. |
| Folder Options | Set Measurement data folder | Allows users to change the default directory for saving measurement files. | Access is normally enabled for administrators. |
| 21 CFR Part 11 | Enable Auditing | Allows users to enable Auditing. | Access is normally enabled for administrators. |
| 21 CFR Part 11 | Audit trail archiving frequency | Allows users to change the frequency that the software will archive audit trails. | Access is normally enabled for administrators. |
| Access Control | Disable Access Control | Allows users to disable Access Control. | Access is normally enabled for administrators. |
| Access Control | Change Access Control File | Allows user to change the Access Control settings file. | Access is normally enabled for administrators. |
| Licensing | Export License | Allows the users to export a license. | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Licensing | Replace License | Allows user to replace the current license with a new license. | Access is normally enabled for lab supervisors, reviewers and administrators. |
| Service | Service Mode | Allows user to enter Service Mode. | Access is normally enabled for administrators. |
| Electronic Signatures | Enable electronic Signatures | Enable electronic signatures | Access is normally enabled for administrators. |
| Electronic Signatures | Disabled electronic signatures | Disable electronic signatures | Access is normally enabled for administrators. |
| Electronic Signatures | Non-locking Sign-off | Allows the user to add a non-locking signature to a record | Access is normally enabled for those users making routine measurements. |
| Electronic Signatures | Locking Sign-off | Allows the user to add a locking signature to a record | Access is normally enabled for lab supervisors, reviewers and administrators. |


Kinexus
Permissions
The security permissions that can be set for different Groups within the Kinexus software are detailed below.

| Permission Section | Permission | Description | Typical access required |
|---|---|---|---|
| Sequences | Edit sequence | Open sequence for editing or viewing. | |
| Sequences | Create sequence | Create a new sequence. | |
| Sequences | Save sequence | Save a sequence. | |
| Sequences | Run sequence | Run a sequence. | See the first item under “Notes to the System Administrator”. |
| Sequences | Edit favorites | Edit list of favorite sequences. | |
| Results | Save data | Save data to a results file. | Restricts the menus and the Data Management action and sequences containing it. |
| Results | Delete data | Delete data from a results file. | Restricts ability to delete nodes from a results file. See the second item under “Notes to the System Administrator”. |
| Results | Edit data | Edit data in a results file. | Restricts renaming nodes in a results file or editing sample properties. |
| Results | Import data | Import data from a text file. | Restricts the use of the Import Data action and sequences containing it. |
| Results | Export data | Export data to a text file. | Restricts the use of the Export Data action and sequences containing it. |
| Results | Hide data | Hide data in a chart or table. | |
| Administration Functions | Access Tools -> Options | Use the Tools -> Options menu. | |
| Administration Functions | Install license key | Install key for a licensed feature. | |
| Administration Functions | Enable Engineering Mode | Enable Engineering mode. | |
| Auditing | View audit trail | View audit trail files. | |
| Signatures | Apply non-locking signature | Apply a non-locking signature to a results file or sequence. | |
| Signatures | Apply locking signature | Apply a locking signature to a results file or sequence. | |

Appendix 2 - Windows Security Settings
Introduction
For this section, it is assumed that you have the required administrator rights for the system upon which the
Malvern software is being installed, allowing you to install or update software and configure Windows
security permissions.

Changing the directory security permissions in Windows 7


Using Windows Explorer, navigate to one of the directory folders that need to be secured, as listed in the
Malvern Access Configurator (MAC) File Types and Locations section (for example: Audit trails).
1. Right-click on the folder and through the context menu open the folder properties. Within this,
switch to the security tab:

Figure 20: Folder properties

2. Within the Security tab, click on the Advanced button. This will cause the Advanced Security
Settings to be displayed. Within this window click on the ‘Change Permissions…’ button. This will
bring up the permissions tab:



Figure 21: Permissions tab

3. Clear the checkbox ‘Include inheritable permissions from this object’s parent’, shown in the
window above. If a warning is displayed, Add the parent settings before changing the security
settings. This will prevent modifications to parent directories overriding the changes which are being
implemented:

Figure 22: Inherited permissions

4. Next, check the ‘Replace all child object permissions…’ option, as shown above (figure 21). This will apply
the changes we make to permissions for all files in this directory.



5. Select the Users group and Edit the group’s permissions. This causes the Permission Entry
window to appear:

Figure 23: Permission entry

6. Allow access to all permissions except for:


• Full Control
• Delete subfolders and Files
• Delete
• Change Permissions
• Take Ownership
7. Ensure that the Apply To setting is changed to This folder, subfolders and files.
8. Clear the ‘Apply these permissions to objects…’ checkbox as shown above. Then, click OK to apply
the security settings.
9. Follow the procedure for the audit trail directory, security permissions file and general configuration
files directory. The locations of these directories are provided in the Malvern Access Configurator
(MAC) File Types and Locations section above. This section details individual file types which must
be controlled and the level of control required.



Configuring Windows 8 / Windows 10 security permissions
Navigate to one of the directory folders that need to be secured, as listed in the Malvern Access
Configurator (MAC) File Types and Locations section above.
1. Right-click on the folder and through the context menu open the folder properties. Within this,
switch to the security tab:

Figure 24: Folder properties

2. Within the Security tab, click Advanced. This will cause the Advanced Security Settings to be
displayed. Within this window click on the ‘Change Permissions…’ button. This will bring up the
permissions tab:



Figure 25: Permissions tab

3. Disable inheritance by selecting Disable inheritance, shown in the figure above. If a
warning is displayed, select Convert the inherited permissions into explicit permissions:

Figure 26: Inherited permissions

This will prevent modifications to parent directories overriding the changes we are implementing.
4. Next, check the ‘Replace all child object permissions…’ option shown above. This will apply the
changes we make to permissions for all files in this directory.



Figure 27: Advanced security settings

5. Select the Users group entry, specifically the one for Read & execute that applies to This folder, subfolders and
files, and select Edit to change its permissions. This will cause the Permission Entry window to appear:

Figure 28: Permission entry



6. In the Permission entry window, toggle the view to show Advanced permissions. Then, allow access
to all permissions except for:
• Full Control
• Delete subfolders and Files
• Delete
• Change Permissions
• Take Ownership
7. Ensure that the Applies To setting is still This folder, subfolders and files.
8. Clear the ‘Apply these permissions to objects…’ checkbox as shown above. Apply the setting and
select OK to close the window. This will configure the security settings.
9. Follow the procedure for the audit trail directory, security permissions file and general configuration
files directory. The locations of these directories are provided in the Malvern Access Configurator
(MAC) File Types and Locations section above. This section details individual file types which must
be controlled and the level of control required.
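
The same folder settings can be applied and then checked from an elevated PowerShell prompt. The script below is an added example, not part of the Malvern guide or software: it assumes Windows PowerShell 5.1, defaults to the audit trail directory named in the File Types and Locations table, and replaces every existing Users entry with a single one instead of editing one entry as the dialog does.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal
# Added example (assumption: saved as a .ps1 file and run elevated).
param(
    # Default target: audit trail directory from the File Types and Locations table.
    [string]$Path = 'C:\ProgramData\Malvern Instruments\Malvern Access Configurator\Audit Trails'
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs, so the script does not depend on localized group names.
$users   = [SecurityIdentifier]'S-1-5-32-545'     # BUILTIN\Users
$trusted = 'S-1-5-18', 'S-1-5-32-544'             # SYSTEM, BUILTIN\Administrators

# Step 6: every right except Full Control, Delete, Delete subfolders and files,
# Change Permissions and Take Ownership. 'Modify' is avoided: it includes Delete.
$allowed = [FileSystemRights]'ReadAndExecute, Write, Synchronize'
$blocked = [int][FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$blocked = $blocked -bor 0x10000000               # GENERIC_ALL, seen on inherit-only entries

# Step 3: stop inheriting from the parent, keeping inherited entries as explicit ones.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl

# Steps 5 to 8: one Allow entry for Users on "This folder, subfolders and files".
$acl = Get-Acl -LiteralPath $Path                 # re-read: converted entries are now explicit
$acl.PurgeAccessRules($users)                     # drops all explicit Users entries
$rule = [FileSystemAccessRule]::new($users, $allowed,
            [InheritanceFlags]'ContainerInherit, ObjectInherit',
            [PropagationFlags]::None, [AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Step 4: replace child permissions with those inherited from this folder.
icacls (Join-Path $Path '*') /reset /T /C /Q | Out-Null

# Check: list Allow entries that still give a non-administrative principal a blocked
# right (for example Authenticated Users or CREATOR OWNER entries copied from the parent).
function Get-RiskyAce([string]$Target) {
    (Get-Acl -LiteralPath $Target).GetAccessRules($true, $true, [SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $blocked) -ne 0)
        } |
        Select-Object @{n = 'Path'; e = { $Target }}, IdentityReference, FileSystemRights
}

$items    = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object FullName)
$findings = @($items | ForEach-Object { Get-RiskyAce $_ })
if ($findings.Count) {
    Write-Warning "$($findings.Count) entries still allow delete, permission or ownership changes:"
    $findings | Format-Table -AutoSize
} else {
    'No non-administrative entry allows delete, permission change or ownership change.'
}
```

Run it once per directory listed in the File Types and Locations section, passing `-Path`. Entries the final check reports belong to principals other than Users, which the dialog procedure does not edit, so each needs its own decision.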
