Help - Access Control Rules

Introduction

This table of access control rules defines which users from which hosts are allowed access using the specified methods to the current resource.

If no rules are provided, then by default all access is allowed.

Rules are read top-down, so ordering is important. A user is only allowed access if the combination of ALL rules that match the current request allow access. When a rule that matches the request has "Continue If Rule Matches" set to "No", then no further rules are consulted, and the decision taken so far is final.

User authentication is only performed if at least one rule has a User or Group specification. The User Database Realm in which users are authenticated is shown near the top of the page, and can be set by clicking on the hyperlink or selecting "Authentication" within the Resource/Template Editor or Wizard.

Access Permissions

The Access Permissions are a quick and simple way of managing protocol methods and sub-methods.

With the Access Permissions you do not need to specify individual methods and sub-methods; you only manage the effects of those methods and sub-methods. This means that if new methods or sub-methods are defined, you can be assured that security will not be breached, because actions implied by those methods must comply with the read, write, etc. permissions that you have granted.

Config:/Security/Resource/*/Access/
Config:/Security/Template/*/Access/
Columns: Setting | Explanation | Default / Example | Data Type | Access (R,W,A,D)

Setting: Protocol
Explanation: A specification of a protocol to protect. Internet protocols include HTTP, FTP, Gopher, NNTP, POP3, and SMTP. Multiple specifications can be separated by the '|' character.
Example: HTTP|FTP
Data Type: Text
Access: R,W

Setting: Permissions
Explanation: A specification of the permission settings to apply if the Protocol, Group, User and Host filters match the current request.
If more than one rule matches the request, then the permissions are combined across all the applicable rules before access is denied or granted.
If you wish to deny certain types of access, you should create a rule with "Allow Access" set to "No". You would normally place such rules after all the rules that allow access.
Example: LRS
Data Type: Text
Access: R,W

Setting: Groups
Explanation: A specification of a group name contained within the authentication realm. A group name may not contain wildcard characters.
If several groups are mentioned within a single rule, the list of names must be separated by vertical bars "|".
If a user matches the Group specification, but not the User specification, that user does not match against the rule. If both User and Group are "Unrestricted" then all users match the rule, regardless of their user name.
Example: admin
Data Type: Text
Access: R,W

Setting: Users
Explanation: A specification of a user name contained within the authentication realm.
The user name is the login name of a user, with no wildcards allowed. A special name "valid-user" matches all user names in the realm.
If several users are mentioned within a single rule, the list of names must be separated by vertical bars "|".
If a user matches the User specification, but not the Group specification, that user does not match against the rule. If both User and Group are "Unrestricted" then all users match the rule, regardless of their user name.
Example: john|simon
Data Type: Text
Access: R,W

Setting: Hosts
Explanation: A specification of a host name or IP address.
The host name is the name of a user's machine, including both the machine name and the domain name. A wildcard prefix is assumed, so that for example ".widget.com" matches "user.widget.com" and "server.widget.com" but not "alien.ufo.com".
An IP address is specified in dotted decimal notation with a trailing wildcard assumed. So "65.43.21." will match against "65.43.21.1" but not against "65.43.210.1".
If several hosts are mentioned within a single rule, the list of hosts must be separated by vertical bars "|".
Example: .widget.com|65.43.21.
Data Type: Text
Access: R,W

Setting: Allow Access
Explanation: If "Allow Access" is No, any user who matches the current rule is NOT allowed access. Subsequent rules within the table may override this setting. After the final rule that matches is considered, a decision is made whether a user can access the resource.
Default: Yes
Data Type: Integer
Access: R,W

Setting: Continue If Rule Matches
Explanation: If this setting is No and a user matches the current rule, no further rules in the table are considered when determining that user's access rights to the resource.
Rules are always scanned from top to bottom, so re-ordering the rules will affect the behaviour of the access control.
Default: No
Data Type: Integer
Access: R,W
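The rule evaluation described above, as an added example that is not the product's own code: a small Python model of the table in which hosts, users and groups match as documented, the "Allow Access" value of the last matching rule sets the decision, and evaluation stops at a matching rule whose "Continue If Rule Matches" is No. It assumes that permissions from matching rules combine as a set union; the rule table at the bottom is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:  # one row of the access control table; an empty spec means Unrestricted
    protocols: str = ""    # e.g. "HTTP|FTP"
    permissions: str = ""  # e.g. "LRS"
    groups: str = ""       # e.g. "admin"
    users: str = ""        # e.g. "john|simon" or "valid-user"
    hosts: str = ""        # e.g. ".widget.com|65.43.21."
    allow: bool = True     # "Allow Access"
    cont: bool = False     # "Continue If Rule Matches"

def _split(spec):
    return [s for s in spec.split("|") if s]

def host_matches(spec, host):
    """A leading '.' is a domain suffix wildcard; a trailing '.' is an IP prefix wildcard."""
    return any(host.endswith(h) if h.startswith(".") else host.startswith(h)
               for h in _split(spec))

def user_matches(rule, user, user_groups):
    """Both the User and the Group specification must match (or be unrestricted)."""
    users, groups = _split(rule.users), _split(rule.groups)
    user_ok = not users or user in users or ("valid-user" in users and bool(user))
    group_ok = not groups or any(g in user_groups for g in groups)
    return user_ok and group_ok

def evaluate(rules, protocol, user, user_groups, host):
    """Scan the table top-down; return (allowed, permissions) for the request."""
    allowed, perms = True, set()  # no rules at all => all access allowed
    for r in rules:
        protos = _split(r.protocols)
        if protos and protocol not in protos:
            continue
        if r.hosts and not host_matches(r.hosts, host):
            continue
        if not user_matches(r, user, user_groups):
            continue
        allowed = r.allow              # a later matching rule overrides an earlier one
        perms |= set(r.permissions)    # assumption: permissions combine as a union
        if not r.cont:                 # "Continue If Rule Matches" = No: decision is final
            break
    return allowed, "".join(sorted(perms)) if allowed else ""

# Constructed sample table (not taken from the product):
RULES = [
    Rule(protocols="HTTP|FTP", permissions="LR", hosts=".widget.com|65.43.21.", cont=True),
    Rule(protocols="HTTP", permissions="W", groups="admin", users="john|simon"),
    Rule(protocols="HTTP|FTP", hosts=".ufo.com", allow=False),  # deny rule placed last
]
```

Because the first rule continues, an admin named john on HTTP from user.widget.com collects "LRW"; simon in a non-admin group gets only "LR", since User and Group must both match.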


Access Permissions

Access Protocols, Methods and Sub-Methods

A Method is a command type within a Protocol.
A Sub-Method is a specialisation of a Protocol Method.

Columns: Protocol | Method | Sub-Method | Permissions (one or more of A C D L P R W X Z S)

Protocol  Method   Sub-Method  Permissions
HTTP      DELETE               D
HTTP      GET      EXEC        X
HTTP      GET      DOCUMENT    R
HTTP      GET      INCLUDE     R
HTTP      GET      INDEX       L
HTTP      GET      SCRIPT      X
HTTP      GET      API         X
HTTP      HEAD     EXEC        X
HTTP      HEAD     DOCUMENT    R
HTTP      HEAD     INCLUDE     R
HTTP      HEAD     INDEX       L
HTTP      HEAD     SCRIPT      X
HTTP      HEAD     API         X
HTTP      POST     EXEC        X
HTTP      POST     DOCUMENT    R
HTTP      POST     INCLUDE     R
HTTP      POST     INDEX       L
HTTP      POST     SCRIPT      X
HTTP      POST     API         X
HTTP      PUT      DOCUMENT    CDW
HTTP      PUT      FORM        Z
FTP       READ     CWD         L
FTP       READ     RETR        R
FTP       READ     LIST        L
FTP       READ     NLST        L
FTP       READ     SIZE        R
FTP       READ     MDTM        R
FTP       WRITE    STOR        CD
FTP       WRITE    STOU        CD
FTP       WRITE    APPE        Z
FTP       WRITE    RNFR        A
FTP       WRITE    DELE        D
FTP       WRITE    MKD         C
FTP       WRITE    RMD         D
FTP       UPLOAD   STOR        CW
FTP       UPLOAD   STOU        CW
FTP       UPLOAD   APPE        Z
FTP       MESSAGE  INCLUDE     R
FTP       MESSAGE  DOCUMENT    R
FTP       MESSAGE  EXEC        X
FTP       MESSAGE  API         X