File Server ACLs
From AlfrescoWiki
The filesystems that are configured in the file-servers.xml file can have access controls applied that restrict access to read, read/write, or no access. An access control block can be specified per filesystem, or globally so that it applies to every filesystem that does not have its own set of access controls.
The simplest access control block for a filesystem just sets the default access :-
<accessControl default="Read|Write"/>
When the access control block has any rules defined, the default access may also be specified as None. If an SMB/CIFS client is granted None access to a filesystem, that filesystem will not appear in the browse list of available shares for that client.
The access control block may contain a number of rules that allow or disallow a particular client access to the filesystem. The rules are processed such that the client receives the highest access level granted by any rule that matches it.
The following rules are available :-
- <user name="..." access="Read|Write|None"/>
If the user matches name, grant them the specified access to the filesystem.
- <protocol type="SMB|CIFS|FTP" access="Read|Write|None"/>
Grant access depending on the protocol being used to access the filesystem.
- <address subnet="n.n.n.n" mask="n.n.n.n" access="Read|Write|None"/>
Grant access depending on the client TCP/IP address.
- <address ip="n.n.n.n" access="Read|Write|None"/>
Grant access to the specified TCP/IP address.
- <domain name="..." access="Read|Write|None"/>
Grant access to SMB/CIFS clients from the specified domain.
A global access control block may be specified within the Filesystem Security section of the file-servers.xml configuration file. The global access controls are applied to all filesystems that do not have their own specific access controls. Here is an example :-
 <globalAccessControl default="None">
   <user name="admin" access="Write"/>
   <address ip="90.1.0.90" access="Write"/>
 </globalAccessControl>
Some sample access control configurations follow. The first sample makes a filesystem read-only :-
 <filesystem name="Alfresco">
   <store>workspace://SpacesStore</store>
   <rootPath>/app:company_home</rootPath>
   <accessControl default="Read"/>
 </filesystem>
The next sample only allows read access to clients in the 90.1.x.x subnet, with the admin user being allowed write access :-
 <filesystem name="Alfresco">
   <store>workspace://SpacesStore</store>
   <rootPath>/app:company_home</rootPath>
   <accessControl default="None">
     <!-- mask is a network mask: 255.255.0.0 matches the whole 90.1.x.x range -->
     <address subnet="90.1.0.0" mask="255.255.0.0" access="Read"/>
     <user name="admin" access="Write"/>
   </accessControl>
 </filesystem>
The following sample allows read access for SMB/CIFS clients, with the admin user being allowed write access; FTP clients get the default of None, so FTP access is not allowed :-
 <filesystem name="Alfresco">
   <store>workspace://SpacesStore</store>
   <rootPath>/app:company_home</rootPath>
   <accessControl default="None">
     <!-- CIFS clients are granted Read; only the admin user is raised to Write -->
     <protocol type="CIFS" access="Read"/>
     <user name="admin" access="Write"/>
   </accessControl>
 </filesystem>
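As an added illustration of how these rules combine (this is example code written for this page, not part of Alfresco or its file server), the following Python evaluator parses an accessControl block and computes the effective access for a client. It assumes the default level applies only when no rule matches (so a matching None rule can deny a client even when the default is Read), that a protocol type may list alternatives separated by "|", and that user and domain names are compared case-insensitively; the ACL blocks and clients below are constructed samples.

```python
import ipaddress
import xml.etree.ElementTree as ET

LEVELS = {"None": 0, "Read": 1, "Write": 2}
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample: the page's subnet example plus an ip and a domain rule.
SAMPLE_ACL = """<accessControl default="None">
  <address subnet="90.1.0.0" mask="255.255.0.0" access="Read"/>
  <address ip="10.0.0.9" access="Write"/>
  <user name="admin" access="Write"/>
  <domain name="CORP" access="Read"/>
</accessControl>"""

# Constructed sample: readable by default, but FTP clients are denied.
FTP_DENY_ACL = """<accessControl default="Read">
  <protocol type="FTP" access="None"/>
</accessControl>"""


def rule_matches(rule, client):
    """True if one ACL rule applies to client (dict: user, protocol, ip, domain)."""
    if rule.tag == "user":
        return rule.get("name", "").lower() == (client.get("user") or "").lower()
    if rule.tag == "protocol":
        # assumption: "SMB|CIFS" lists alternative protocol names
        return client.get("protocol") in rule.get("type", "").split("|")
    if rule.tag == "domain":
        return rule.get("name", "").lower() == (client.get("domain") or "").lower()
    if rule.tag == "address":
        ip = ipaddress.ip_address(client["ip"])
        if rule.get("ip"):                      # single-host form
            return ip == ipaddress.ip_address(rule.get("ip"))
        net = ipaddress.ip_network(f'{rule.get("subnet")}/{rule.get("mask")}',
                                   strict=False)  # subnet + mask form
        return ip in net
    return False


def effective_access(acl_xml, client):
    """Highest level among matching rules; the default only when none match."""
    root = ET.fromstring(acl_xml.strip())
    matched = [LEVELS[r.get("access")] for r in root if rule_matches(r, client)]
    if not matched:
        return root.get("default", "Write")
    return NAMES[max(matched)]
```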