Help - Access Control Settings

Introduction

This is a list of security rules defining which users, from which hosts, are allowed access to the current resource using the specified methods.

If no rules are provided, then by default all access is allowed, subject to any user authentication specified.

Rules are read top-down, so ordering is important. A user is only allowed access if ALL rules that match the current request allow access. When a rule that matches the request has "Continue If Rule Matches" set to "No", then no further rules are consulted, and the decision taken so far is final.

User authentication is only performed if at least one rule has a User or Group specification. The User Database Realm in which users are authenticated is shown near the top of the page, and can be set by selecting "Authentication" within the Resource/Template Editor or Wizard.

Config:/Security/Resource/*/Access/
Config:/Security/Template/*/Access/

Each setting is listed with its explanation, its default or example value, its data type, and its access flags (R,W,A,D).

Protocol
  Explanation: A specification of a protocol to protect. Internet protocols include HTTP, FTP, Gopher, NNTP, POP3, and SMTP. Multiple specifications can be separated by the '|' character.
  Default / Example: HTTP
  Data Type: Text
  Access: R,W

Method
  Explanation: A specification of a method within a protocol to protect. A complete table is provided at the end of this page.

  For example, common HTTP methods are:
    • GET - document retrieval
    • HEAD - status header query
    • POST - form submission
    • PUT - document creation

  The FTP methods are:
    • READ - file retrieval
    • UPLOAD - file uploads (incoming directory)
    • WRITE - deletion and directory manipulation
    • MESSAGE - message file display

  Multiple specifications can be separated by the '|' character.
  Default / Example: GET
  Data Type: Text
  Access: R,W

SubMethod
  Explanation: A specification of a sub-method within a protocol method to protect. A complete table is provided at the end of this page.

  The HTTP GET method has the sub-methods:
    • EXEC - executes a program on the server from within an HTML document
    • DOCUMENT - returns a document
    • INCLUDE - allows server-side include directives, but not EXEC unless explicitly mentioned
    • INDEX - allows on-the-fly directory index generation
    • SCRIPT - allows execution of CGI scripts
    • API - allows execution of API scripts

  The FTP sub-methods are based on the FTP command set:
    • RETR - file retrieval
    • STOR - file upload
    • STOU - unique file upload
    • APPE - append to file
    • DELE - delete file
    • LIST - directory listing
    • MKD - create directory
    • RMD - delete directory
    • SIZE - file size
    • MDTM - file modification time
    • INCLUDE - recursive message file inclusion
    • DOCUMENT - message file inclusion
    • EXEC - command execution within a message file

  Multiple specifications can be separated by the '|' character.
  Default / Example: EXEC
  Data Type: Text
  Access: R,W

Groups
  Explanation: A specification of a group name contained within the authentication realm. A group name may not contain wildcard characters.

  If several groups are mentioned within a single rule, the list of names must be separated by vertical bars "|".

  If a user matches the Group specification but not the User specification, that user does not match the rule. If both User and Group are "Unrestricted", all users match the rule regardless of their user name.
  Default / Example: admin
  Data Type: Text
  Access: R,W

Users
  Explanation: A specification of a user name contained within the authentication realm.

  The user name is the login name of a user, with no wildcards allowed. The special name "valid-user" matches all user names in the realm.

  If several users are mentioned within a single rule, the list of names must be separated by vertical bars "|".

  If a user matches the User specification but not the Group specification, that user does not match the rule. If both User and Group are "Unrestricted", all users match the rule regardless of their user name.
  Default / Example: john|simon
  Data Type: Text
  Access: R,W

Hosts
  Explanation: A specification of a host name or IP address.

  The host name is the name of a user's machine, including both the machine name and the domain name. A wildcard prefix is assumed, so that, for example, ".widget.com" matches "user.widget.com" and "server.widget.com" but not "alien.ufo.com".

  An IP address is specified in dotted decimal notation with a trailing wildcard assumed, so "65.43.21." matches "65.43.21.1" but not "65.43.210.1".

  If several hosts are mentioned within a single rule, the list of hosts must be separated by vertical bars "|".
  Default / Example: .widget.com|65.43.21.
  Data Type: Text
  Access: R,W

Allow Access
  Explanation: If "Allow Access" is No, users who match the current rule are NOT allowed access. Subsequent rules within the table may override this setting; the final rule that matches has the last word on whether a user can access the resource.
  Default / Example: Yes
  Data Type: Integer
  Access: R,W

Continue If Rule Matches
  Explanation: If this setting is No, then once a user matches this rule no further rules in the table are considered when determining that user's access rights to the resource. Rules are always scanned from top to bottom, so re-ordering the rules changes the behaviour of the access control.
  Default / Example: No
  Data Type: Integer
  Access: R,W
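The following is an added example, not part of this help page or the server's own code: a small evaluator that applies the rule semantics described in the Introduction and in the "Allow Access" and "Continue If Rule Matches" settings, together with the host, user and group matching rules above. The names Rule, Request, evaluate and the helpers are assumptions for this illustration. Note that the Introduction says access is granted only if ALL matching rules allow it, while the "Allow Access" entry says the final matching rule has the last word; the two agree whenever a matching rule has "Continue If Rule Matches" set to No (the default), and the example exposes the one case where they differ through the last_match_wins flag so you can check which reading your server applies before relying on a deny-then-allow ordering.

```python
# Added example (not part of the original help page): an evaluator for the
# access-rule table described above. Rule, Request and helper names are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Rule:
    """One row of the Access table; an empty string means Unrestricted."""
    protocol: str = ""    # e.g. "HTTP" or "HTTP|FTP"
    method: str = ""      # e.g. "GET|HEAD"
    submethod: str = ""   # e.g. "EXEC"
    groups: str = ""      # e.g. "admin"
    users: str = ""       # e.g. "john|simon" or "valid-user"
    hosts: str = ""       # e.g. ".widget.com|65.43.21."
    allow: bool = True    # "Allow Access" (default Yes)
    cont: bool = False    # "Continue If Rule Matches" (default No)

@dataclass
class Request:
    protocol: str
    method: str
    submethod: str
    host: str                              # client host name or dotted IP
    user: Optional[str] = None             # None when not authenticated
    groups: FrozenSet[str] = frozenset()   # groups of the authenticated user

def alternatives(spec: str) -> List[str]:
    # Split a '|'-separated specification into its non-empty alternatives.
    return [s.strip() for s in spec.split("|") if s.strip()]

def host_matches(spec: str, host: str) -> bool:
    """Names match by suffix (wildcard prefix assumed); dotted-decimal addresses
    by prefix (trailing wildcard assumed). Assumption: a leading digit means IP."""
    for alt in alternatives(spec):
        if alt[0].isdigit():
            if host.startswith(alt):
                return True
        elif host.lower().endswith(alt.lower()):
            return True
    return False

def keyword_matches(spec: str, value: str) -> bool:
    """Protocol, Method and Sub-Method: exact match on any alternative."""
    return value.upper() in {a.upper() for a in alternatives(spec)}

def principal_matches(rule: Rule, req: Request) -> bool:
    """User and Group must both match (skipped when Unrestricted); 'valid-user' is any name."""
    if rule.users:
        names = alternatives(rule.users)
        if req.user is None or not ("valid-user" in names or req.user in names):
            return False
    if rule.groups:
        if req.user is None or not any(g in req.groups for g in alternatives(rule.groups)):
            return False
    return True

def rule_matches(rule: Rule, req: Request) -> bool:
    keyed = [(rule.protocol, req.protocol), (rule.method, req.method), (rule.submethod, req.submethod)]
    return (all(not spec or keyword_matches(spec, val) for spec, val in keyed)
            and (not rule.hosts or host_matches(rule.hosts, req.host))
            and principal_matches(rule, req))

def needs_authentication(rules: List[Rule]) -> bool:
    """Authentication is only performed if some rule names a User or Group."""
    return any(r.users or r.groups for r in rules)

def evaluate(rules: List[Rule], req: Request, last_match_wins: bool = False) -> bool:
    """Scan top-down. Default: every matching rule must allow (Introduction's wording);
    last_match_wins=True: the latest matching rule decides ('Allow Access' wording).
    Continue=No on a matching rule ends the scan. No rules means allowed; no
    matching rule is treated the same way (an assumption, the page does not say)."""
    if not rules:
        return True
    allowed = True
    for rule in rules:
        if not rule_matches(rule, req):
            continue
        allowed = rule.allow if last_match_wins else (allowed and rule.allow)
        if not rule.cont:
            break
    return allowed

# Constructed policy: only "admin" members on the corporate network may PUT or
# DELETE; everybody may GET or HEAD. Ordering matters: the deny rule comes second.
POLICY = [
    Rule(protocol="HTTP", method="PUT|DELETE", groups="admin",
         hosts=".widget.com|65.43.21.", allow=True, cont=False),
    Rule(protocol="HTTP", method="PUT|DELETE", allow=False, cont=False),
    Rule(protocol="HTTP", method="GET|HEAD", allow=True, cont=False),
]
# Constructed rule pair on which the two readings of the page disagree.
DIVERGENT = [
    Rule(allow=False, cont=True),                  # deny all, keep scanning
    Rule(groups="admin", allow=True, cont=False),  # then allow admins
]

def demo():
    # Returns (admin PUT from inside, admin PUT from outside, anonymous GET).
    admin = frozenset({"admin"})
    inside = Request("HTTP", "PUT", "DOCUMENT", "65.43.21.7", "simon", admin)
    outside = Request("HTTP", "PUT", "DOCUMENT", "65.43.210.1", "simon", admin)
    anon = Request("HTTP", "GET", "DOCUMENT", "alien.ufo.com")
    return (evaluate(POLICY, inside), evaluate(POLICY, outside), evaluate(POLICY, anon))
```

Two consequences of the page's wildcard rules are worth keeping in mind when writing the Hosts column: because a wildcard prefix is assumed for names, a specification written as "widget.com" (no leading dot) also matches any host whose name merely ends in those characters, so write the leading dot as the page's example does; and because a trailing wildcard is assumed for addresses, "65.43.21" without the trailing dot would also match 65.43.210.x, which is exactly why the page's example ends with a dot. Because "Continue If Rule Matches" defaults to No, the first matching rule is normally final, so a deny placed after a broad allow never runs; the ordering warning in the table is not cosmetic.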


Access Protocols, Methods and Sub-Methods

The Permissions column holds one or more of the letters A, C, D, P, R, W, X, Z. A dash in the Sub-Method column means the method has no sub-method.

Protocol  Method   Sub-Method  Permissions  Explanation
HTTP      DELETE   -           D            The HTTP DELETE Command
HTTP      GET      EXEC        X            The #Exec Web Macro
HTTP      GET      DOCUMENT    R            Read File
HTTP      GET      INCLUDE     R            Any Web Macro, other than #Exec
HTTP      GET      INDEX       R            Directory Index Listing
HTTP      GET      SCRIPT      X            CGI Program
HTTP      GET      API         X            API, Rexx or Perl Program
HTTP      HEAD     EXEC        X            The #Exec Web Macro
HTTP      HEAD     DOCUMENT    R            Read File
HTTP      HEAD     INCLUDE     R            Any Web Macro, other than #Exec
HTTP      HEAD     INDEX       R            Directory Index Listing
HTTP      HEAD     SCRIPT      X            CGI Program
HTTP      HEAD     API         X            API, Rexx or Perl Program
HTTP      POST     EXEC        X            The #Exec Web Macro
HTTP      POST     DOCUMENT    R            Read File
HTTP      POST     INCLUDE     R            Any Web Macro, other than #Exec
HTTP      POST     INDEX       R            Directory Index Listing
HTTP      POST     SCRIPT      X            CGI Program
HTTP      POST     API         X            API, Rexx or Perl Program
HTTP      PUT      DOCUMENT    CW           Store a New Document
HTTP      PUT      FORM        Z            Append to a Form's CSV File
FTP       READ     CWD         R            Change Directory
FTP       READ     RETR        R            Retrieve a File
FTP       READ     LIST        R            Full Directory Listing
FTP       READ     NLST        R            Simple Directory Listing
FTP       READ     SIZE        R            File Size
FTP       READ     MDTM        R            File Modification Date and Time
FTP       WRITE    STOR        CW           Store a New File
FTP       WRITE    STOU        CW           Store a New File with a Unique Name
FTP       WRITE    APPE        W            Append to an Existing File
FTP       WRITE    RNFR        W            Rename a File
FTP       WRITE    DELE        D            Delete a File (not a Directory)
FTP       WRITE    MKD         C            Create a New Directory
FTP       WRITE    RMD         D            Delete a Directory
FTP       UPLOAD   STOR        CW           Store a New File
FTP       UPLOAD   STOU        CW           Store a New File with a Unique Name
FTP       UPLOAD   APPE        W            Append to an Existing File
FTP       MESSAGE  INCLUDE     R            Any Web Macro, other than #Exec, within a Message File
FTP       MESSAGE  DOCUMENT    R            Read a Message File
FTP       MESSAGE  EXEC        X            The #Exec Web Macro within a Message File
FTP       MESSAGE  API         X            API, Rexx or Perl Program within a Message File