File Server ACLs

Warning: Archived Page
This page addresses a topic that is better suited to Alfresco's official documentation. This page is not being maintained and might not apply to modern versions of Alfresco. It is likely that we will completely remove this page in the future.

The official documentation is at: http://docs.alfresco.com

The filesystems that are configured in the file-servers.xml file can have access controls applied to restrict access to read, read/write, or no access. Access control blocks can be specified per filesystem, or globally, in which case they apply to all filesystems that do not have their own set of access controls.

The simplest access control block for a filesystem can be used to set the default access :-

 <accessControl default="Read|Write"/>

When the access control block has any rules defined, the default access may also be specified as None. If an SMB/CIFS client is granted None access to a filesystem, then that filesystem will not appear in the browse list of available shares for that client.

The access control block may contain a number of rules that allow or disallow a particular client access to the filesystem. The rules are processed such that the client receives the highest access level.

The following rules are available :-

  • <user name="..." access="Read|Write|None"/>

If the user matches name, then grant them the specified access to the filesystem.

  • <protocol type="SMB|CIFS|FTP" access="Read|Write|None"/>

Grant access depending on the protocol being used to access the filesystem.

  • <address subnet="n.n.n.n" mask="n.n.n.n" access="Read|Write|None"/>

Grant access depending on the client TCP/IP address.

  • <address ip="n.n.n.n" access="Read|Write|None"/>

Grant access to the specified TCP/IP address.

  • <domain name="..." access="Read|Write|None"/>

Grant access to SMB/CIFS clients from the specified domain.

A global access control block may be specified within the Filesystem Security section of the file-servers.xml configuration file. The global access controls are applied to all filesystems that do not have their own specific access controls. Here is an example :-

<globalAccessControl default="None">
 <user name="admin" access="Write"/>
 <address ip="90.1.0.90" access="Write"/>
</globalAccessControl>

Some sample access control configurations follow. The first sample makes a filesystem read-only :-

<filesystem name="Alfresco">
 <store>workspace://SpacesStore</store>
 <rootPath>/app:company_home</rootPath>
 <accessControl default="Read"/>
</filesystem>

The next sample only allows read access to clients in the 90.1.x.x subnet with the admin user being allowed write access :-

<filesystem name="Alfresco">
 <store>workspace://SpacesStore</store>
 <rootPath>/app:company_home</rootPath>
 <accessControl default="None">
  <address subnet="90.1.0.0" mask="255.255.0.0" access="Read"/>
  <user name="admin" access="Write"/>
 </accessControl>
</filesystem>

The following sample allows read access for SMB/CIFS with the admin user being allowed write access, but FTP access is not allowed :-

<filesystem name="Alfresco">
 <store>workspace://SpacesStore</store>
 <rootPath>/app:company_home</rootPath>
 <accessControl default="None">
  <protocol type="CIFS" access="Read"/>
  <user name="admin" access="Write"/>
 </accessControl>
</filesystem>
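
How the default and the rules combine under the "highest access level" statement above, shown as an added example that is not part of the original wiki page or Alfresco's own code. It covers the user, protocol and address rules and assumes that a non-matching rule contributes nothing, that SMB and CIFS name the same protocol, and that subnet rules use a conventional netmask comparison; `effective_access`, `rule_matches` and the client dictionary are hypothetical names.

```python
import ipaddress
import xml.etree.ElementTree as ET

LEVELS = {"None": 0, "Read": 1, "Write": 2}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _proto(name):
    # Assumption: SMB and CIFS name the same protocol in a <protocol> rule.
    return "CIFS" if name.upper() in ("SMB", "CIFS") else name.upper()

def rule_matches(rule, client):
    """True if one rule element applies to client (dict: user, protocol, ip)."""
    if rule.tag == "user":
        return rule.get("name") == client.get("user")
    if rule.tag == "protocol":
        return _proto(rule.get("type")) == _proto(client["protocol"])
    if rule.tag == "address":
        addr = _ip(client["ip"])
        if rule.get("ip") is not None:
            return addr == _ip(rule.get("ip"))
        # Assumption: conventional netmask test, (ip & mask) == (subnet & mask).
        mask = _ip(rule.get("mask"))
        return (addr & mask) == (_ip(rule.get("subnet")) & mask)
    return False

def effective_access(block_xml, client):
    """Highest level among the block's default and every rule that matches."""
    block = ET.fromstring(block_xml)
    level = block.get("default")
    for rule in block:
        if rule_matches(rule, client):
            level = max(level, rule.get("access"), key=LEVELS.__getitem__)
    return level

# Constructed inputs modelled on the page's samples (mask written as 255.255.0.0).
SUBNET_ACL = """<accessControl default="None">
 <address subnet="90.1.0.0" mask="255.255.0.0" access="Read"/>
 <user name="admin" access="Write"/>
</accessControl>"""
PROTOCOL_ACL = """<accessControl default="None">
 <protocol type="CIFS" access="Read"/>
 <user name="admin" access="Write"/>
</accessControl>"""

if __name__ == "__main__":
    admin_ftp = {"user": "admin", "protocol": "FTP", "ip": "10.0.0.5"}
    print(effective_access(PROTOCOL_ACL, admin_ftp))
```

Under these assumptions a `user` rule matches whatever the protocol or client address, so in the last sample admin evaluates to Write over FTP as well. Confirm the behaviour on your own server before relying on a protocol or address rule to restrict a named user.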
