This is a list of security rules defining which users from which hosts are allowed access using the specified methods to the current resource.
If no rules are provided, then by default all access is allowed, subject to any user authentication specified.
Rules are read top-down, so ordering is important. A user is only allowed access if ALL rules that match the current request allow access. When a rule that matches the request has "Continue If Rule Matches" set to "No", then no further rules are consulted, and the decision taken so far is final.
User authentication is only performed if at least one rule has a User or Group specification. The User Database Realm in which users are authenticated is shown near the top of the page, and can be set by selecting "Authentication" within the Resource/Template Editor or Wizard.
Config:/Security/Resource/*/Access/
Setting | Explanation | Default / Example | Data Type | Access R,W,A,D |
---|---|---|---|---|
Protocol | A specification of a protocol to protect. Internet protocols include HTTP, FTP, Gopher, NNTP, POP3, and SMTP. Multiple specifications can be separated by the '\|' character. | HTTP | Text | R,W |
Method | A specification of a Method within a Protocol to protect. A complete table is provided at the end of this page. For example, common HTTP methods are: Multiple specifications can be separated by the '\|' character. | GET | Text | R,W |
SubMethod | A specification of a Sub-Method within a Protocol Method to protect. A complete table is provided at the end of this page. The HTTP GET method has sub-methods of: Multiple specifications can be separated by the '\|' character. | EXEC | Text | R,W |
Groups | A specification of a group name contained within the authentication realm. A group name may not contain wildcard characters. If several groups are mentioned within a single rule, the list of names must be separated by vertical bars "\|". If a user matches the Group specification, but not the User specification, that user does not match against the rule. If both User and Group are "Unrestricted" then all users match the rule, regardless of their user name. | admin | Text | R,W |
Users | A specification of a user name contained within the authentication realm. The user name is the login name of a user, with no wildcards allowed. A special name "valid-user" matches all user names in the realm. If several users are mentioned within a single rule, the list of names must be separated by vertical bars "\|". If a user matches the User specification, but not the Group specification, that user does not match against the rule. If both User and Group are "Unrestricted" then all users match the rule, regardless of their user name. | john\|simon | Text | R,W |
Hosts | A specification of a host name or IP address. The host name is the name of a user's machine, including both the machine name and the domain name. A wildcard prefix is assumed, so that for example ".widget.com" matches "user.widget.com" and "server.widget.com" but not "alien.ufo.com". An IP address is specified in dotted decimal notation with a trailing wildcard assumed, so "65.43.21." will match "65.43.21.1" but not "65.43.210.1". If several hosts are mentioned within a single rule, the list of hosts must be separated by vertical bars "\|". | .widget.com\|65.43.21. | Text | R,W |
Allow Access | If "Allow Access" is No, any users who match the current rule are NOT allowed access. Subsequent rules within the table may override this setting. The final rule that matches is considered the last word on whether a user can access the resource. | Yes | Integer | R,W |
Continue If Rule Matches | If this setting is No and a user matches the current rule, no further rules in the table are considered when determining that user's access rights to the resource. Rules are always scanned from top to bottom, so re-ordering the rules will affect the behaviour of the access control. | No | Integer | R,W |
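
The following Python model of the Hosts, Users, Groups, Allow Access and Continue settings is an added example, not the server's own code. The `Rule` class, the function names, the digit test for IP items and the use of `None` for an unrestricted field are assumptions; because the page describes the decision both as "all matching rules must allow" and as "the final matching rule decides", the `mode` parameter selects either reading.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One row of the access table. None = unrestricted (modelling assumption)."""
    hosts: Optional[str] = None
    users: Optional[str] = None
    groups: Optional[str] = None
    allow: bool = True
    cont: bool = True  # "Continue If Rule Matches"

def host_matches(spec, host, ip):
    """Host names match as a suffix, IP addresses as a prefix; '|' separates items."""
    if spec is None:
        return True
    for item in filter(None, spec.split("|")):
        # Assumption: an item starting with a digit is an IP prefix.
        if item[0].isdigit():
            if ip.startswith(item):
                return True
        elif host.lower().endswith(item.lower()):
            return True
    return False

def user_matches(rule, user, user_groups):
    """A user must satisfy both the Users and the Groups field when both are set."""
    if rule.users is not None:
        names = rule.users.split("|")
        if user is None or ("valid-user" not in names and user not in names):
            return False
    if rule.groups is not None and not set(rule.groups.split("|")) & set(user_groups):
        return False
    return True

def evaluate(rules, host, ip, user=None, user_groups=(), mode="last"):
    """Scan top-down; return (allowed, indexes of the matching rules consulted)."""
    allowed, matched = True, []  # no rules at all: access is allowed
    for i, rule in enumerate(rules):
        if host_matches(rule.hosts, host, ip) and user_matches(rule, user, user_groups):
            matched.append(i)
            # mode="last": final matching rule decides; mode="all": every match must allow
            allowed = rule.allow if mode == "last" else (allowed and rule.allow)
            if not rule.cont:
                break
    return allowed, matched

# Constructed sample table: deny everyone, then allow two users from known hosts.
RULES = [
    Rule(allow=False),
    Rule(hosts=".widget.com|65.43.21.", users="john|simon", allow=True, cont=False),
]
```

With the sample table, "john" connecting from user.widget.com is allowed under the last-match reading and denied under the all-must-allow reading, so a deny-then-allow layout should be tested against the running server. In this model a host item written without its dot ("65.43.21" or "widget.com") also matches "65.43.210.1" and any name that merely ends in "widget.com".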

Protocol | Method | Sub-Method | Permissions (ACDPRWXZ) | Explanation |
---|---|---|---|---|
HTTP | DELETE | | D | The HTTP DELETE Command |
HTTP | GET | EXEC | X | The #Exec Web Macro |
HTTP | GET | DOCUMENT | R | Read File |
HTTP | GET | INCLUDE | R | Any Web Macro, other than #Exec |
HTTP | GET | INDEX | R | Directory Index Listing |
HTTP | GET | SCRIPT | X | CGI Program |
HTTP | GET | API | X | API, Rexx or Perl Program |
HTTP | HEAD | EXEC | X | The #Exec Web Macro |
HTTP | HEAD | DOCUMENT | R | Read File |
HTTP | HEAD | INCLUDE | R | Any Web Macro, other than #Exec |
HTTP | HEAD | INDEX | R | Directory Index Listing |
HTTP | HEAD | SCRIPT | X | CGI Program |
HTTP | HEAD | API | X | API, Rexx or Perl Program |
HTTP | POST | EXEC | X | The #Exec Web Macro |
HTTP | POST | DOCUMENT | R | Read File |
HTTP | POST | INCLUDE | R | Any Web Macro, other than #Exec |
HTTP | POST | INDEX | R | Directory Index Listing |
HTTP | POST | SCRIPT | X | CGI Program |
HTTP | POST | API | X | API, Rexx or Perl Program |
HTTP | PUT | DOCUMENT | CW | Store a New Document |
HTTP | PUT | FORM | Z | Append to a Form's CSV File |
FTP | READ | CWD | R | Change Directory |
FTP | READ | RETR | R | Retrieve a File |
FTP | READ | LIST | R | Full Directory Listing |
FTP | READ | NLST | R | Simple Directory Listing |
FTP | READ | SIZE | R | File Size |
FTP | READ | MDTM | R | File Modification Date and Time |
FTP | WRITE | STOR | CW | Store a New File |
FTP | WRITE | STOU | CW | Store a New File with a Unique Name |
FTP | WRITE | APPE | W | Append to an Existing File |
FTP | WRITE | RNFR | W | Rename a File |
FTP | WRITE | DELE | D | Delete a File (not a Directory) |
FTP | WRITE | MKD | C | Create a New Directory |
FTP | WRITE | RMD | D | Delete a Directory |
FTP | UPLOAD | STOR | CW | Store a New File |
FTP | UPLOAD | STOU | CW | Store a New File with a Unique Name |
FTP | UPLOAD | APPE | W | Append to an Existing File |
FTP | MESSAGE | INCLUDE | R | Any Web Macro, other than #Exec, within a Message File |
FTP | MESSAGE | DOCUMENT | R | Read a Message File |
FTP | MESSAGE | EXEC | X | The #Exec Web Macro within a Message File |
FTP | MESSAGE | API | X | API, Rexx or Perl Program within a Message File |