Updating the Docroot or Restriction of a Running Watch Folder Service

If aswatchfolderadmin returns the error code err=28672 when you try to create a Watch Folder, confirm that the user's docroot or restriction allows access to the source directory specified in the JSON configuration file. You might have specified a destination that is not permitted by the docroot or restriction of the user running asperawatchfolderd, or you may have no docroot configured at all.

These instructions describe how to retrieve the docroot or restriction configuration for the user and update it, if necessary. The configuration change automatically restarts the asperawatchd service that is associated with the user.

  1. Run the following commands to retrieve the docroot or restriction setting for the user:
    # /opt/aspera/bin/asuserdata -u username | grep "absolute"
    # /opt/aspera/bin/asuserdata -u username | grep "restriction"
    • If no docroot is configured for the user, no output is returned. Proceed to the next step to set a docroot or restriction.
    • If a docroot is configured, the command returns output similar to the following:
      canonical_absolute: "/"
      absolute: "/"
    • If a restriction is configured, the command returns output similar to the following:
      file_restriction: "file:////*"

    If the user's docroot or restriction does not permit access to the source folder, proceed to the next step to update the docroot.

  2. Set the docroot for the user running asperawatchfolderd.
    The docroot is a security feature that restricts the area of the file system that a user, and services run by that user such as the Aspera Watch Service, can access. If a user needs access to the entire file system, set the docroot path to /; the docroot cannot be left empty.

    Set the user's docroot by running the following command:

    # asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

    For example:

    # asconfigurator -x "set_user_data;user_name,root;absolute,/"
    success
    user_name: root

    Restart asperanoded to activate your change by running one of the following commands:
    # systemctl restart asperanoded
    or for Linux systems that use init.d:
    # service asperanoded restart
  3. Configure a docroot or restriction for the user.
    Docroots and path restrictions limit the area of a file system or object storage to which the user has access. Users can create Watch Folders and Watch services on files or objects only within their docroot or restriction.
    Note: Users can have a docroot or a restriction, but not both; if both are set, Watch Folder creation fails.

    Docroots can be set up in the GUI or from the command line. In the GUI, click Configuration > Users > username > Docroot and set the permitted path as the value for Absolute Path. To set up a docroot from the command line, run the following command:

    # asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

    Restrictions must be set from the command line:

    # asconfigurator -x "set_user_data;user_name,username;file_restriction,|path"

    The restriction path format depends on the type of storage. In the following examples, the restriction allows access to the entire storage; specify a bucket or path to limit access.

    Storage Type                                   Format Example
    -------------------------------------------    ----------------------------------------
    local storage                                  For Unix-like OS:
                                                   • specific folder: file:////folder/*
                                                   • drive root: file:////*
                                                   For Windows OS:
                                                   • specific folder: file:///c%3A/folder/*
                                                   • drive root: file:///c*
    Amazon S3 and IBM Cloud Object Storage - S3    s3://*
    Azure                                          azu://*
    Azure Files                                    azure-files://*
    Azure Data Lake Storage                        adl://*
    Alibaba Cloud                                  oss://*
    Google Cloud                                   gs://*
    HDFS                                           hdfs://*

    With a docroot or restriction set up, the user is now an Aspera transfer user. Restart asperanoded to activate your change by running one of the following commands:
    # systemctl restart asperanoded
    or for Linux systems that use init.d:
    # service asperanoded restart
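
The check from step 1 can be scripted before creating a Watch Folder. The following is an added example, not part of the original Aspera documentation: the function names are hypothetical, SAMPLE_OUTPUT is constructed data in the asuserdata output format shown above, and the containment test is a plain path comparison assumed for illustration, not Aspera's own access check.

```shell
#!/bin/sh
# Added example: pre-flight check before creating a Watch Folder (err=28672).
# SAMPLE_OUTPUT is constructed sample data; on a real host, pipe the output of
# `/opt/aspera/bin/asuserdata -u username` into check_source instead.
SAMPLE_OUTPUT='      canonical_absolute: "/data/inbound"
      absolute: "/data/inbound"'

# Print the quoted value of setting $1 (absolute, file_restriction) read from
# asuserdata output on stdin; prints nothing when the setting is absent.
get_setting() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" | head -n 1
}

# Return 0 if path $2 is the docroot $1 or lies beneath it. The match is made
# on a directory boundary, so /data/inbound does not admit /data/inbound2, and
# any ".." component is rejected rather than resolved.
path_in_docroot() {
    root=${1%/}               # "/" becomes "", "/data/" becomes "/data"
    case "/$2/" in
        */../*) return 1 ;;
    esac
    case "$2/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_source <source_dir>: reads asuserdata output on stdin, prints a verdict.
check_source() {
    out=$(cat)
    docroot=$(printf '%s\n' "$out" | get_setting absolute)
    restriction=$(printf '%s\n' "$out" | get_setting file_restriction)
    if [ -n "$docroot" ] && [ -n "$restriction" ]; then
        echo "both-set"; return 2          # Watch Folder creation fails
    elif [ -z "$docroot" ] && [ -z "$restriction" ]; then
        echo "none-set"; return 2          # no docroot or restriction configured
    elif [ -z "$docroot" ]; then
        echo "restriction-only"; return 0  # restriction globs are not evaluated here
    elif path_in_docroot "$docroot" "$1"; then
        echo "allowed"; return 0
    fi
    echo "outside-docroot"; return 1
}

printf '%s\n' "$SAMPLE_OUTPUT" | check_source /data/inbound/watch
```

A verdict of outside-docroot suggests narrowing the Watch Folder source to a path under the existing docroot before considering a wider docroot such as /.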