
WebSentinel Users Guide

WebSentinel Admin

This chapter describes other features offered in the WebSentinel Admin application which were not documented in the previous chapter. Of particular importance is the section on Understanding Realm Priorities, which is a vital topic needed to prevent confusion with multiple realms that match a single URL request.

  1. Groups for Shared Permissions
  2. Expiration Options for Users
  3. Auto-login using Workstations
  4. Searching for Users
  5. Understanding Realm Priorities
  6. Importing User Data
  7. Exporting User Data


Groups for Shared Permissions

WebSentinel allows you to organize your web site users into groups that have shared access to realms. Using the groups functionality in WebSentinel is an easier way to manage realm access for large sets of users. When realm access is granted or removed from a group, all members of the group will be affected by the changes made.

Open the Groups window by either double-clicking on the icon in the Admin palette or choosing "Groups" from the Window menu. Initially, the window will be empty, as WebSentinel ships with no groups defined for use. To create a new group, choose "New Group" from the File menu, and an empty new group detail window will be shown. To designate a user as a member of your new group, simply drag their user icon into the "Users" pane of the group detail window. Assigning realm access works the same way as with users: simply drag the realm icon into the "Realms" pane of the group detail window.

Sales group detail
Figure 4.1: An example "Sales" group.

After creating the example "Sales" group, all members have access to the "Phone Extension Listing" and "Employee Handbook" realms on the server. Any additional users who are added to this group will gain these same permissions, and users removed will lose them.

When a user is a member of a group that provides access, their user detail will display their group membership in addition to any permissions they inherit from the group. Here is an example user detail window for a member of the "Sales" group.

User detail
Figure 4.2: Example User detail with group membership.

Notice that the realm names are italicized, indicating the access is provided by a group. This particular user also has direct access (not provided by a group) to the "Log Files" realm.

Administration Groups
Sometimes it is useful to have a set of users that have access to every realm, without having to update their privileges every time a new realm is created. Doing this in WebSentinel 2.0 is easy with Admin Groups, since an Admin Group automatically has access to all realms.

To create an admin group, first open the main groups window. Then choose New Admin Group from the File menu, or hit Command-shift-N. A new Admin Group user will be added and opened. To assign users to that group, simply select a set of users and drag them into the users pane of the Admin Group detail window. You can always identify an Admin Group by the dark outline around its icon.


Expiration Options for Users

One of the most exciting new features of WebSentinel 2.0 is the ability to have user accounts expire. Once a user expires, they will no longer be able to access pages in a protected realm. The expiration feature is very flexible, allowing the administrator to set up a user to expire on a given date, or after a number of days, or even after a number of requests for a certain realm. This feature is very useful for subscription-based sites, making the setup of user accounts that automatically expire a breeze.

To set a user's expiration options, first open the user detail for the user by double-clicking on it. Then choose User Options from the Edit menu, or click on the Options button in the user detail window.


Auto-login using Workstations

In addition to a basic user, you can now define special "workstations" that represent a given machine or range of machines. Workstations act just like users in that you can assign them to realms and groups, but they differ in that workstations are automatically logged in to the web server if they match. For example, if a workstation is defined with an address that starts with "127.0", any machine that requests a protected realm which that workstation belongs to will automatically be let into the realm, as long as its IP address starts with 127.0 (for example, "127.0.0.1"). If the check fails, the user is prompted to log in as they normally would. This feature allows you to set up a group of machines (for example, any machine at your office) that gets let in immediately; when a user tries to get into the protected area from home, though, where the IP address would not match, he can enter his username and password and still be let in.

To create a new workstation, first open the main users window by clicking on the users icon of the WebSentinel floating window (or by choosing the appropriate target from the Window menu). Then simply choose New Workstation from the File menu, or hit Command-shift-N.


Searching for Users

There are two different methods of finding users with WebSentinel Admin, depending on your needs:
Find User
Choosing "Find" from the File menu allows simple searching capabilities on any open Users window listing. Type in the name or partial name of the user you are looking for, and if there is a match that user will be selected for you in the Users window.

Finding a user
Figure 4.3: Finding any user that contains "Mar" in their name.

When finding matches, WebSentinel performs a "contains" search and is not case sensitive. So if you were to find all users that match "Mar", possible matches include "marvin", "Marilyn", or "Ingmar".

Results of find
Figure 4.4: Sample results of Find "Mar".

Choosing "Find Again" from the File menu will find the next user in the Users window that matches the same requirements.

Lookup User
If you need to find a user but wish to do so without opening up a User listing, which can take some time with a large database, an alternate finding technique is provided using Lookup User.

Choosing "Lookup User" from the File menu allows exact user searching capabilities on any active database target. Type in the exact name of the user you wish to find in the specified database target, and if there is a match that user's detail window will be opened.

Lookup a user
Figure 4.5: Lookup user named "Marilyn" in the Built-in people target.

When finding a match, WebSentinel performs an "is" search and is not case sensitive. So to find a user using this method you must specify a complete name. Partial name searches using Lookup User will return nothing.


Understanding Realm Priorities

It is important to understand how realm priorities work with WebSentinel, particularly if your site has many realms defined. This chapter will present an example site's configuration that has been defined with some errors, discuss the problems shown and present the solution.

To see the order in which realms are evaluated, open the Realms window in WebSentinel Admin and sort by the Priority column.

Broken Realm Listing
Figure 4.6: Example realm listing with an error.

In the above example, a realm has been defined to protect all pages containing the match string "/internal/". Additionally, realms have been defined to protect the employee handbook and a list of direct phone extensions. We also see that WebSentinel's default realms are defined and active.

There are several problems with the above configuration, which is where realm priorities come into play. Let's take a closer look at each defined realm, listed in order of priority:

Priority  Realm Name               Realm Type           Match String
1         Plug-in Administration   Authenticate (HTTP)  pi_admin
2         Log Files                Authenticate (HTTP)  .log
3         Plug-in Data Folder      Always Deny          /Plug-ins/
4         Company Intranet         Always Deny          /internal/
5         Employee Handbook        Authenticate (HTTP)  /internal/handbook/
6         Phone Extension Listing  Authenticate (HTTP)  /internal/phonelist/

Looking at the above table, it appears that we have properly protected the primary areas within the site so we can designate access to the employee handbook and phone extension listing while protecting the entire internal portion of the site from outside users. So, if we give a user access to the "Employee Handbook" realm they should be able to access it with no problems, right? If you were to try the above scenario on your site you'll find that this does not work correctly. When a user tries to access the Employee Handbook they will be served the No Access page with no option to enter a username and password.

When a user requests the page at http://www.mysite.com/internal/handbook/index.html WebSentinel will compare the URL with each defined realm in order of priority. Looking over the above table, the first match WebSentinel will find is the "Company Intranet" realm at which point it will immediately deny access since this realm's action is "Always Deny". So, with the above configuration WebSentinel never even checks the "Employee Handbook" or "Phone Extension Listing" realms because "Company Intranet" will always be checked first!

Additionally, WebSentinel will always check "Plug-in Administration", "Log Files", and "Plug-in Data Folder" prior to the primary realms protecting the site. Every check that WebSentinel performs takes a bit of processing time, so if we were to re-order the realms we could probably save the server a bit of time (considering that the server must perform these checks for every requested page).

Corrected Realm Listing
Figure 4.7: Corrected realm listing.

The above image shows the Realms window configured to act as we originally intended. Now, a user with access to the "Employee Handbook" realm can successfully enter that section of the site without first hitting the "Company Intranet" realm. We've also moved some of the lesser-hit realms to the bottom of the priority list so we don't waste time checking for them. The speed achieved by this is probably not noticeable, but every tick (1/60th of a second) counts when you have a site with heavy load!

Forget how to re-order realms? Sort the list by the Priority column then click on a realm's icon and drag it to the new location. You cannot re-order realms if the list is not sorted by the priority column.

Following our examples above, here is a table depicting the corrected realm priorities:

Priority  Realm Name               Realm Type           Match String
1         Employee Handbook        Authenticate (HTTP)  /internal/handbook/
2         Phone Extension Listing  Authenticate (HTTP)  /internal/phonelist/
3         Company Intranet         Always Deny          /internal/
4         Plug-in Administration   Authenticate (HTTP)  pi_admin
5         Log Files                Authenticate (HTTP)  .log
6         Plug-in Data Folder      Always Deny          /Plug-ins/
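
The first-match behavior described in this section can be modeled in a few lines. The following is an added example, not code from WebSentinel or the original guide: it replays the two realm orderings above and reports any realm that can never be reached because an earlier realm's match string is contained in its own. The names Realm, first_match and shadowed are hypothetical, and the match is assumed to be a case-sensitive "contains" test.

```python
from typing import NamedTuple

class Realm(NamedTuple):
    name: str
    action: str   # "Authenticate (HTTP)" or "Always Deny"
    match: str    # string looked for anywhere in the requested URL

# Realms from the first table above, in priority order.
BROKEN = [
    Realm("Plug-in Administration", "Authenticate (HTTP)", "pi_admin"),
    Realm("Log Files", "Authenticate (HTTP)", ".log"),
    Realm("Plug-in Data Folder", "Always Deny", "/Plug-ins/"),
    Realm("Company Intranet", "Always Deny", "/internal/"),
    Realm("Employee Handbook", "Authenticate (HTTP)", "/internal/handbook/"),
    Realm("Phone Extension Listing", "Authenticate (HTTP)", "/internal/phonelist/"),
]
# Same realms in the corrected order from the second table.
CORRECTED = [BROKEN[4], BROKEN[5], BROKEN[3], BROKEN[0], BROKEN[1], BROKEN[2]]

def first_match(realms, url):
    """Return the first realm, in priority order, whose match string is in url."""
    for realm in realms:
        if realm.match in url:  # assumption: case-sensitive "contains" test
            return realm
    return None

def shadowed(realms):
    """Return (hidden realm, hiding realm) pairs.

    If an earlier realm's match string occurs inside a later realm's match
    string, every URL matching the later realm hits the earlier one first.
    """
    hits = []
    for i, later in enumerate(realms):
        for earlier in realms[:i]:
            if earlier.match in later.match:
                hits.append((later.name, earlier.name))
                break
    return hits

if __name__ == "__main__":
    url = "http://www.mysite.com/internal/handbook/index.html"
    for label, realms in (("broken", BROKEN), ("corrected", CORRECTED)):
        hit = first_match(realms, url)
        print(f"{label}: {hit.name} -> {hit.action}")
        for later, earlier in shadowed(realms):
            print(f"  unreachable: {later!r} is hidden by {earlier!r}")
```

Running the same check after every change to the realm list catches a broad "Always Deny" realm that has been placed above the more specific realms it is supposed to back up.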


Importing User Data

If you have an existing database with user information you would like to use, it will save a great deal of time if you import these users into WebSentinel rather than manually entering them. This technique works with most third-party database products, such as Claris' FileMaker Pro, Everyware's Butler SQL, or ACI 4D. Any database software that supports exporting to a tab-delimited text file should work just fine.

When importing existing data, there are three types of information that WebSentinel can use: a username, password, and a realm name to assign the user to. Both the password and realm name fields are optional, so you can import a list of usernames and assign passwords and privileges later using WebSentinel Admin.

WebSentinel expects the data to be in a specific format, so when exporting from your existing database be sure to specify the order of the fields that are being exported so they match the pattern:

<username><TAB><password><TAB><realm name><RETURN>

After exporting your user data in the format described, launch WebSentinel Admin and connect to your web server. Next, open the Users window you wish to import into so it is the front-most window. Then, choose the "Import Users" item from the File menu and select the tab-delimited file you wish to import from.

Select import file
Figure 4.8: Selecting the tab-delimited file to import.

The process may take some time if you are importing a large number of users. A progress bar is shown during the import to let you know what stage of the import WebSentinel is at. After all users have been imported, WebSentinel will combine privileges for users listed multiple times in the file.

Importing
Figure 4.9: Importing users.

If you are using the default "Built-in people" target you may need to increase the available memory for WebSentinel to handle the larger set of users. See the Other Troubles section of the Troubleshooting chapter for more information on adjusting WebSentinel's available memory.
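
A pre-import check for the tab-delimited format described in this section, as an added example that is not part of WebSentinel or the original guide. It merges the realms of users listed more than once and lists records worth fixing before the import. The function name check_import and the sample data are constructed; optional fields are assumed to be either left empty or omitted, and usernames are assumed to be compared exactly.

```python
from collections import defaultdict

# Constructed sample export; <RETURN> is written here as a carriage return.
SAMPLE = (
    "marvin\tsecret1\tEmployee Handbook\r"
    "marvin\tsecret1\tPhone Extension Listing\r"
    "Marilyn\t\tLog Files\r"
    "ingmar\r"
    "marvin\tother\tLog Files\r"
    "bad\tline\twith\textra\r"
)

def check_import(text):
    """Parse <username><TAB><password><TAB><realm name> records.

    Returns (users, problems). users maps username -> {"password", "realms"};
    problems lists (line number or None, message) for records to review.
    """
    users = defaultdict(lambda: {"password": None, "realms": []})
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) > 3 or not fields[0]:
            problems.append((lineno, "expected username, optional password, optional realm"))
            continue
        # Pad omitted optional fields so every record has three values.
        name, password, realm = (fields + ["", ""])[:3]
        entry = users[name]
        if password:
            if entry["password"] not in (None, password):
                problems.append((lineno, f"conflicting passwords for {name}"))
            else:
                entry["password"] = password
        if realm and realm not in entry["realms"]:
            entry["realms"].append(realm)  # combine realms of repeated users
    # Accounts imported without a password need one assigned afterwards.
    for name, entry in users.items():
        if entry["password"] is None:
            problems.append((None, f"{name} has no password; assign one after import"))
    return dict(users), problems

if __name__ == "__main__":
    users, problems = check_import(SAMPLE)
    for name, entry in users.items():
        print(name, entry["realms"])
    for lineno, message in problems:
        print("line", lineno, ":", message)
```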


Exporting User Data

If you need to export your user data from WebSentinel for use with other applications or databases, you can easily do so by first opening the Users window you wish to export and choosing "Export Users" from the File menu.

There are two options for exporting users: WebSTAR format or a custom tab-delimited format which you define. The custom export option allows you to pick and choose which fields to export, and may be useful if exporting users into another database system.

Export setup
Figure 4.10: Selecting fields for export.

If you choose WebSTAR format the user data will be written to the file with the following format:

<username><TAB><password><TAB><realm name><RETURN>

If you want to specify which fields to export, choose the custom radio button. After choosing which fields you wish to export, or after choosing to use the WebSTAR format, click on the "Export" button and choose where you would like the text file saved to begin exporting. A progress bar is shown while the export is taking place to let you know what stage WebSentinel is at.

Export setup
Figure 4.11: Exporting users.


websentinel-support@purity.com
copyright ©1997 purity software, inc.