File Server ACLs

Document created by resplin Employee on Jun 6, 2015

This page is obsolete.

The official documentation is at: http://docs.alfresco.com



Authorization
The filesystems that are configured in the file-servers.xml file can have access controls applied to restrict access to read, read/write, or no access. The access control blocks can be specified on a per filesystem basis or globally to be applied to all filesystems, or filesystems that do not have their own set of access controls.

The simplest access control block for a filesystem can be used to set the default access :-

 <accessControl default='Read|Write'/>

When the access control block has any rules defined, the default access may also be specified as None. If an SMB/CIFS client is granted None access to a filesystem, then that filesystem will not appear in the browse list of available shares for that client.

The access control block may contain a number of rules that allow or disallow a particular client access to the filesystem. The rules are processed such that the client receives the highest access level.

The following rules are available :-


  • <user name='...' access='Read|Write|None'/>

If the user name matches name, grant that user the specified access to the filesystem.


  • <protocol type='SMB|CIFS|FTP' access='Read|Write|None'/>

Grant access depending on the protocol being used to access the filesystem.


  • <address subnet='n.n.n.n' mask='n.n.n.n' access='Read|Write|None'/>

Grant access depending on the client TCP/IP address.


  • <address ip='n.n.n.n' access='Read|Write|None'/>

Grant access to the specified TCP/IP address.


  • <domain name='...' access='Read|Write|None'/>

Grant access to SMB/CIFS clients from the specified domain.

A global access control block may be specified within the Filesystem Security section of the file-servers.xml configuration file. The global access controls are applied to all filesystems that do not have their own specific access controls. Here is an example :-

<globalAccessControl default='None'>
<user name='admin' access='Write'/>
<address ip='90.1.0.90' access='Write'/>
</globalAccessControl>

Here are some sample access control configurations. The first sample makes a filesystem read-only :-

<filesystem name='Alfresco'>
<store>workspace://SpacesStore</store>
<rootPath>/app:company_home</rootPath>
<accessControl default='Read'/>
</filesystem>

The next sample only allows read access to clients in the 90.1.x.x subnet with the admin user being allowed write access :-

<filesystem name='Alfresco'>
<store>workspace://SpacesStore</store>
<rootPath>/app:company_home</rootPath>
<accessControl default='None'>
  <address subnet='90.1.0.0' mask='255.255.0.0' access='Read'/>
  <user name='admin' access='Write'/>
</accessControl>
</filesystem>

The following sample allows read access for SMB/CIFS with the admin user being allowed write access, but FTP access is not allowed :-

<filesystem name='Alfresco'>
<store>workspace://SpacesStore</store>
<rootPath>/app:company_home</rootPath>
<accessControl default='None'>
  <protocol type='CIFS' access='Write'/>
  <user name='admin' access='Write'/>
</accessControl>
</filesystem>
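
The rule processing described above, as an added example (not Alfresco code): a small Python model that computes the effective access an access control block gives a client, run on the last sample as its text describes it (CIFS read, admin write). It assumes exact string matching, that the default applies only when no rule matches, and a conventional netmask for subnet rules; the function names and the client dictionary are hypothetical. Under this model the user rule matches on any protocol, so admin over FTP resolves to Write, which is worth checking against the server before relying on a protocol restriction.

```python
import ipaddress
import xml.etree.ElementTree as ET

LEVELS = {"None": 0, "Read": 1, "Write": 2}

# Constructed input: the last sample as the text describes it.
SAMPLE_ACL = """
<accessControl default='None'>
  <protocol type='CIFS' access='Read'/>
  <user name='admin' access='Write'/>
</accessControl>
"""

def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def rule_matches(rule, client):
    """True if one rule element applies to the client (a plain dict)."""
    if rule.tag == "user":
        return rule.get("name") == client.get("user")
    if rule.tag == "protocol":
        return rule.get("type") == client.get("protocol")
    if rule.tag == "domain":
        return rule.get("name") == client.get("domain")
    if rule.tag == "address" and "ip" in client:
        if rule.get("ip") is not None:
            return _as_int(rule.get("ip")) == _as_int(client["ip"])
        # Assumption: 'mask' is a conventional netmask such as 255.255.0.0.
        mask = _as_int(rule.get("mask"))
        return (_as_int(client["ip"]) & mask) == _as_int(rule.get("subnet"))
    return False

def effective_access(acl_xml, client):
    """Highest access among matching rules; the block default if none match."""
    acl = ET.fromstring(acl_xml)
    matched = [r.get("access") for r in acl if rule_matches(r, client)]
    if not matched:
        return acl.get("default")
    return max(matched, key=LEVELS.__getitem__)

def access_matrix(acl_xml, users, protocols):
    """Effective access for every user/protocol pair, for review."""
    return {(u, p): effective_access(acl_xml, {"user": u, "protocol": p})
            for u in users for p in protocols}

if __name__ == "__main__":
    matrix = access_matrix(SAMPLE_ACL, ["admin", "alice"], ["CIFS", "FTP"])
    for pair, level in matrix.items():
        print(pair, level)
```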
