Help

Introduction

This is a list of security rules defining which users from which hosts are allowed access using the specified methods to the current resource.

If no rules are provided, all access is allowed by default, subject to any user authentication configured for the resource.

Config:/Security/Resource/*/Access/
Config:/Security/Template/*/Access/

Each setting is described below with its explanation, its default or example value, its data type and its access flags (R,W,A,D).
Protocol
A specification of a protocol to protect. Internet protocols include HTTP, FTP, Gopher, NNTP, POP3 and SMTP.
Multiple specifications can be separated by the '|' character.
Default / Example: HTTP
Data type: Text
Access: R,W
Method
A specification of a method within a protocol to protect.

For example, common HTTP methods are:

  • GET - document retrieval
  • HEAD - status header query
  • POST - form submission
  • PUT - document creation

The FTP methods are:

  • READ - file retrieval
  • UPLOAD - file uploads (incoming directory)
  • WRITE - deletion and directory manipulation
  • MESSAGE - message file display

Multiple specifications can be separated by the '|' character.
Default / Example: GET
Data type: Text
Access: R,W
SubMethod
A specification of a sub-method within a protocol method to protect. For example, the HTTP GET method has the sub-methods:

  • EXEC - executes a program on the server from within an HTML document
  • DOCUMENT - returns a document
  • INCLUDE - allows server-side include directives, but not EXEC unless explicitly mentioned
  • INDEX - allows on-the-fly directory index generation
  • SCRIPT - allows execution of CGI scripts
  • API - allows execution of API scripts

The FTP sub-methods are based on the FTP command set:

  • RETR - file retrieval
  • STOR - file upload
  • STOU - unique file upload
  • APPE - append to file
  • DELE - delete file
  • LIST - directory listing
  • MKD - create directory
  • RMD - delete directory
  • SIZE - file size
  • MDTM - file modification time
  • INCLUDE - recursive message file inclusion
  • DOCUMENT - message file inclusion
  • EXEC - command execution within message file

Multiple specifications can be separated by the '|' character.
Default / Example: EXEC
Data type: Text
Access: R,W
Users
A specification of a user name or group name contained within the authentication realm.

The user name is the login name of a user, with no wildcards allowed. The special name "valid-user" matches any authenticated user in the realm.

A group name must be enclosed in square brackets "[]", again with no wildcards allowed.

If several users are mentioned within a single rule, the names must be separated by vertical bars "|".

Default / Example: john|simon|[admin]
Data type: Text
Access: R,W
Hosts
A specification of a host name or IP address.

The host name is the name of a user's machine, including both the machine name and the domain name. A wildcard prefix is assumed, so for example ".widget.com" matches "user.widget.com" and "server.widget.com" but not "alien.ufo.com".

An IP address is specified in dotted-decimal notation with a trailing wildcard assumed, so "65.43.21." matches "65.43.21.1" but not "65.43.210.1".

Because the wildcard is implicit, the leading dot of a domain specification and the trailing dot of an address specification are what bound the match: "widget.com" would also match "notwidget.com", and "65.43.21" would also match "65.43.210.1".

If several hosts are mentioned within a single rule, the hosts must be separated by vertical bars "|".

Default / Example: .widget.com|65.43.21.
Data type: Text
Access: R,W
Negate
If Negate is TRUE, users who match this rule are NOT allowed access. Later rules in the table may override this setting: unless a matching rule has Stop set, the last rule that matches has the final word on whether a user can access the resource.
Default / Example: FALSE
Data type: Integer
Access: R,W
Stop
If Stop is TRUE, then once a user matches this rule no further rules in the table are considered when determining that user's access rights to the resource.
Rules are always scanned from top to bottom, so re-ordering the rules changes the behaviour of the access control. Since Stop defaults to TRUE, the first matching rule is decisive unless Stop is explicitly set to FALSE on it.
Default / Example: TRUE
Data type: Integer
Access: R,W
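The following is an added example, not the server's own code: a small evaluator that applies the rule semantics described in this table (the '|' separators, "[group]" and "valid-user" matching, the implicit host-name and IP wildcards, and the top-to-bottom scan with Negate and Stop). Two points the page does not state are assumptions of this example and are marked as such in the code: an empty Users or Hosts specification is treated as "no restriction", and a non-empty table in which no rule matches denies access. The rule tables and the requests are constructed for illustration.

```python
# Added example (not the server's own code): evaluator for the Access rule
# table described above. Anything the page does not state is marked as an
# assumption of this example.
from dataclasses import dataclass


@dataclass
class Rule:
    protocol: str = "HTTP"
    method: str = "GET"
    submethod: str = "DOCUMENT"
    users: str = "valid-user"
    hosts: str = ""         # assumption: empty spec places no host restriction
    negate: bool = False    # page default FALSE
    stop: bool = True       # page default TRUE


def split_spec(spec):
    """Split a '|'-separated specification into its non-empty parts."""
    return [part for part in spec.split("|") if part]


def host_matches(spec, hostname, ip):
    """Hosts column: '.widget.com' carries an implied leading wildcard (suffix
    match on the host name); '65.43.21.' carries an implied trailing wildcard
    (prefix match on the dotted-decimal address)."""
    if not spec:            # assumption: no host restriction
        return True
    for item in split_spec(spec):
        if item[0].isdigit():
            if ip.startswith(item):
                return True
        elif hostname.endswith(item):
            return True
    return False


def user_matches(spec, user, groups):
    """Users column: login names, "[group]" for a group, and the special name
    "valid-user" for any authenticated user. No wildcards."""
    if not spec:            # assumption: no user restriction
        return True
    for item in split_spec(spec):
        if item == "valid-user":
            if user is not None:
                return True
        elif item.startswith("[") and item.endswith("]"):
            if item[1:-1] in groups:
                return True
        elif item == user:
            return True
    return False


def access_allowed(rules, *, protocol, method, submethod, user, groups, hostname, ip):
    """Scan the table top to bottom. A matching rule sets the decision (denied
    when Negate is set); Stop ends the scan, otherwise the last match wins."""
    if not rules:
        return True         # page: an empty table allows all access
    decision = None
    for rule in rules:
        if protocol not in split_spec(rule.protocol):
            continue
        if method not in split_spec(rule.method):
            continue
        if submethod not in split_spec(rule.submethod):
            continue
        if not user_matches(rule.users, user, groups):
            continue
        if not host_matches(rule.hosts, hostname, ip):
            continue
        decision = not rule.negate
        if rule.stop:
            break
    # Assumption of this example: a non-empty table with no matching rule
    # denies access; the page does not state the server's behaviour here.
    return decision is True


# Constructed table: admins from widget.com get documents, the 65.43.21.
# range is refused outright, and john or simon may GET or POST from anywhere.
TABLE = [
    Rule(users="[admin]", hosts=".widget.com"),
    Rule(users="", hosts="65.43.21.", negate=True),
    Rule(method="GET|POST", users="john|simon"),
]

# Constructed table with Stop=FALSE: the last matching rule has the final word,
# so any authenticated user is allowed unless they are also a contractor.
LAST_MATCH_TABLE = [
    Rule(users="valid-user", stop=False),
    Rule(users="[contractor]", negate=True),
]


def check(user, groups, hostname, ip, method="GET"):
    return access_allowed(TABLE, protocol="HTTP", method=method, submethod="DOCUMENT",
                          user=user, groups=groups, hostname=hostname, ip=ip)


def check_last_match(user, groups):
    return access_allowed(LAST_MATCH_TABLE, protocol="HTTP", method="GET",
                          submethod="DOCUMENT", user=user, groups=groups,
                          hostname="pc.widget.com", ip="10.1.2.3")


if __name__ == "__main__":
    print(check("alice", ["admin"], "server.widget.com", "192.0.2.10"))  # True
    print(check("john", [], "pc.ufo.com", "65.43.21.7"))                 # False: range refused
    print(check("john", [], "pc.ufo.com", "65.43.210.1"))                # True: trailing dot bounds the match
    print(check("john", [], "pc.ufo.com", "65.43.210.1", method="PUT"))  # False: no rule covers PUT
    print(check_last_match("bob", ["contractor"]))                       # False: last match is the deny rule
    print(check_last_match("bob", []))                                   # True
    print(host_matches("widget.com", "notwidget.com", "0.0.0.0"))        # True: leading dot omitted
    print(host_matches("65.43.21", "x", "65.43.210.1"))                  # True: trailing dot omitted
```

The last two calls show why the dots in the Hosts examples matter: without them the implicit wildcard widens the match to unrelated domains and to the 65.43.210.0 range. Re-ordering TABLE so that the john|simon rule comes first would let john in from 65.43.21.7, since Stop defaults to TRUE and the first match would then decide.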