Permissions
Permission records indicate the allowed access for a particular URL and method (GET, POST, and PUT). GET access to a URL allows the user to display the page or, in the case of a Tcl script, execute the script. PUT access allows the user to write to the page or delete the page or script. POST access allows the user to submit information in a form.
Default Permissions
By default, GET access is given to all users on all pages. PUT and POST access are given only to the nsadmin user by default. The nsadmin user can always connect from the host where AOLserver is running, but you can deny permissions to nsadmin users from other hosts. See the "Set Valid Hosts for nsadmin" section for more information.
Permissions applied to pages do not automatically apply to any images to which those pages link. Rather, the images inherit the permissions of the parent directory or MiniWeb.
Permissions Inheritance
To simplify the permission structure and reduce the number of permission records you need to maintain, you can specify that a permission record is inherited by more specific URLs. For example, a permission record for /a/b would be inherited by /a/b/c.htm if there is no specific permission record for /a/b/c.htm.
Method Aliases
To further simplify administration of permissions, AOLserver maintains a list of method aliases for the default GET, PUT, and POST methods. For example, if a user has permission to put, they automatically have permission to delete. You can add or delete method aliases in the list. See the "Methods" section for more information.
Setting Permissions
Once you have defined authorized AOLserver users and groups, you can maintain AOLserver permission records. There are two ways to set permissions for a URL:
Since the permissions records are maintained in text files in the permissions directory, it is possible to edit them directly, but it is not recommended. If you do edit the permission records directly rather than going through the AOLserver administration pages, never edit the permissions files while AOLserver is running. If you then try to specify permissions through the AOLserver administration pages, and the permissions are out of sync because the files have been manually edited since AOLserver was started, AOLserver will shut down as a security measure.
This section describes how to set a permission record from an individual page or MiniWeb, and how to set permission records directly from the Access Control page. It also describes how to maintain permission records and the list of method aliases.
Set a Permission Record on a Page or MiniWeb
To set a permission record on an individual page or MiniWeb, open the page or MiniWeb in AOLpress and choose Administer Page Permissions (or Administer MiniWeb Permissions) from the Tools menu.
Set a Page or MiniWeb permission record:
- In AOLpress, open the MiniWeb on the server where you wish to set the permission record.
- Choose the Tools Administer MiniWeb Permissions menu item. A page containing a form for setting the permission record appears.
- Select the method you would like for the permission record. Choose GET to restrict users from opening the page or the pages within a MiniWeb using a browser. The PUT method restricts users from editing or deleting the page or MiniWeb. The POST method restricts users from submitting information in a form.
- If you are currently authorized as the nsadmin user, a selection box on the page allows you to choose the owner of the page or MiniWeb. Otherwise, the owner will be displayed on the form, and you will not be able to change it.
- If you want this permission record to be inherited by all of the URLs below the page or MiniWeb, select the Exact URL match is NOT required option. For example, if you specified a MiniWeb or a directory, and you want this permission record to apply to all the pages in the MiniWeb or directory, you would select this option.
- However, if you want this permission record to apply only to the exact URL specified, select the Exact URL match IS required option. For example, the URL /foo/a would not inherit the permissions specified for /foo.
- Specify the lists of Users or Groups to which you want to allow or deny access. First you must decide which users are to be allowed or denied access to the page or MiniWeb. There are several possibilities:
- Ideally, users are assigned to groups such that all users in a group will have the same permissions. In this case, you can just choose Allow Groups and select the groups of users who are to be allowed access. Users in all other groups will be denied. Leave the default setting of No Restrictions on Users as it is.
- Or, you can choose Deny Groups and select the groups of users who are to be denied access. Users in all other groups will be allowed. Leave the default setting of No Restrictions on Users as it is.
- If you want to allow a set of users who do not comprise a group or groups, choose Allow Users and select only the users you want allowed in the users selection box. All other users will be denied. Leave the default setting of No Restrictions on Groups as it is.
- If you want to deny a set of users who do not comprise a group or groups, choose Deny Users and select only the users you want denied in the users selection box. All other users will be allowed. Leave the default setting of No Restrictions on Groups as it is.
- If you want to allow access to all the users in a group or groups except for a few, choose Allow Groups and select the groups. Then choose Deny Users and select the users in those groups who are to be denied.
- If you want to deny access to all the users in a group or groups except for a few, you must choose Deny Users and select all the users who are to be denied. You cannot choose Allow Users to list the allowed users and then choose Deny Groups to list the groups, because every user in a denied group will be denied, regardless of whether they are listed as an allowed user.
- To give all users access, select No Restrictions on Users and No Restrictions on Groups. (These are the default settings.)
- To deny all users access, choose Allow Users and select no users. Leave the default setting of No Restrictions on Groups as it is.
- (If AOLserver was configured for a large number of users, there will be fields instead of selection boxes for the Users and Groups. In this case, you must type user names or group names, separated by commas, in these fields rather than selecting the users or groups from the selection box. Refer to the Model entry in the configuration file on page 83 for more information.)
- To allow users only on specific hosts, list the hosts in the Hosts to allow field, separated by commas. Users from all other hosts will be denied. To deny users on specific hosts, list the hosts in the Hosts to deny field. Users from all other hosts will be allowed.
- You can specify a host using either its host name or its IP address. You can use the asterisk (*), question mark (?) and bracket ([]) wildcard characters when specifying a host name. In the IP address, you can specify the number of significant bits to match against. For example, 199.221.53.18/24 means that only the 24 most significant bits (199.221.53) are matched.
- Note that a user will be allowed access to the page or MiniWeb only if they are on an allowed host and they are an allowed user based on the criteria from the previous steps.
- Click Set Permissions to apply the new permissions record.
Set Permission Records Directly
Setting permission records for individual pages or MiniWebs as described above is the simplest method, but you may want to set the permission records directly. For example, you may want to set permissions for a Tcl script, or for a directory that is not a MiniWeb. Normally, only nsadmin and users in the system group can set permission records directly.
Set a permission record directly:
- From a Page window in AOLpress, choose the Tools Administer Server menu item. Choose your server from the server selection dialog that appears. If it is not listed, type http:// followed by the name of the host where the server is running. A page containing links to several server functions appears. If you are using another browser, go to the /NS/Admin page on your server.
- Follow the Access Control link on the AOLserver administration page.
- In the Permissions section, follow the Add a new permission record link.
- Select the method you would like in the permission record. Choose GET to restrict users from opening the page or the pages within a MiniWeb using a browser. The PUT method restricts users from editing or deleting the URL. The POST method restricts users from submitting information in a form.
- A selection box on the page allows you to choose the owner of the URL.
- If you want this permission record to be inherited by all of the URLs below the page or MiniWeb, select the Exact URL match is NOT required option. For example, if you specified a directory, and you want this permission record to apply to all the pages in the directory, you would select this option.
- However, if you want this permission record to apply only to the exact URL specified, select the Exact URL match IS required option. For example, the URL /foo/a would not inherit the permissions specified for /foo.
- Specify the lists of Users or Groups to which you want to allow or deny access. First you must decide which users are to be allowed or denied access to the URL. There are several possibilities:
- Ideally, users are assigned to groups such that all users in a group will have the same permissions. In this case, you can just choose Allow Groups and select the groups of users who are to be allowed access. Users in all other groups will be denied. Leave the default setting of No Restrictions on Users as it is.
- Or, you can choose Deny Groups and select the groups of users who are to be denied access. Users in all other groups will be allowed. Leave the default setting of No Restrictions on Users as it is.
- If you want to allow a set of users who do not comprise a group or groups, choose Allow Users and select only the users you want allowed in the users selection box. All other users will be denied. Leave the default setting of No Restrictions on Groups as it is.
- If you want to deny a set of users who do not comprise a group or groups, choose Deny Users and select only the users you want denied in the users selection box. All other users will be allowed. Leave the default setting of No Restrictions on Groups as it is.
- If you want to allow access to all the users in a group or groups except for a few, choose Allow Groups and select the groups. Then choose Deny Users and select the users in those groups who are to be denied.
- If you want to deny access to all the users in a group or groups except for a few, you must choose Deny Users and select all the users who are to be denied. You cannot choose Allow Users to list the allowed users and then choose Deny Groups to list the groups, because every user in a denied group will be denied, regardless of whether they are listed as an allowed user.
- To give all users access, select No Restrictions on Users and No Restrictions on Groups. (These are the default settings.)
- To deny all users access, choose Allow Users and select no users. Leave the default setting of No Restrictions on Groups as it is.
- (If AOLserver was configured for a large number of users, there will be fields instead of selection boxes for the Users and Groups. In this case, you must type user names or group names, separated by commas, in these fields rather than selecting the users or groups from the selection box. Refer to the Model entry in the configuration file on page 83 for more information.)
- To allow users only on specific hosts, list the hosts in the Hosts to allow field, separated by commas. Users from all other hosts will be denied. To deny users on specific hosts, list the hosts in the Hosts to deny field. Users from all other hosts will be allowed.
- You can specify a host using either its host name or its IP address. You can use the asterisk (*), question mark (?) and bracket ([]) wildcard characters when specifying a host name. In the IP address, you can specify the number of significant bits to match against. For example, 199.221.53.18/24 means that only the 24 most significant bits (199.221.53) are matched.
- Note that a user will be allowed access to the page or MiniWeb only if they are on an allowed host and they are an allowed user based on the criteria from the previous step.
- Click Set Permissions to apply the new permissions record.
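The rules in the two procedures above (inheritance and exact matching, the Allow/Deny combinations, and host matching by wildcard or significant bits) can be checked against a small model before you change live records. The following Python is an added example, not AOLserver code: the record layout, the sample records, and every function name are hypothetical, and it assumes a request must pass both the user test and the group test, which agrees with each combination the steps list.

```python
import fnmatch
import ipaddress

ALIASES = {"DELETE": "PUT"}  # the page's alias example: PUT permission covers delete
# Constructed sample records; the dict layout is hypothetical, not AOLserver's file format.
RECORDS = {
    ("GET", "/a/b"): {"exact": False, "group_mode": "allow", "groups": ["staff"],
                      "user_mode": "deny", "users": ["bob"],
                      "allow_hosts": ["199.221.53.18/24", "*.example.com"]},
    ("GET", "/foo"): {"exact": True, "user_mode": "allow", "users": []},  # deny everyone
}

def host_matches(pattern, ip, hostname=None):
    """'addr/bits' compares only the significant bits; anything else is a glob (*, ?, [])."""
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    names = [ip] + ([hostname.lower()] if hostname else [])
    return any(fnmatch.fnmatchcase(n, pattern.lower()) for n in names)

def passes(mode, listed, values):
    """None = No Restrictions; 'allow' = only listed pass; 'deny' = listed fail."""
    if mode is None:
        return True
    hit = bool(set(listed) & set(values))
    return hit if mode == "allow" else not hit

def find_record(records, method, url):
    """Exact record first, then the nearest ancestor record that allows inheritance."""
    method = ALIASES.get(method, method)
    if (method, url) in records:
        return records[(method, url)]
    path = url.rstrip("/")
    while path:
        path = path.rsplit("/", 1)[0]
        rec = records.get((method, path or "/"))
        if rec and not rec["exact"]:
            return rec
    return None

def is_allowed(records, method, url, user, groups, ip, hostname=None):
    rec = find_record(records, method, url)
    if rec is None:  # page defaults: GET for everyone, PUT and POST for nsadmin only
        return ALIASES.get(method, method) == "GET" or user == "nsadmin"
    hit = lambda pats: any(host_matches(p, ip, hostname) for p in pats)
    if (rec.get("allow_hosts") and not hit(rec["allow_hosts"])) or hit(rec.get("deny_hosts", [])):
        return False
    # Assumption: the user test and the group test must both pass.
    return (passes(rec.get("user_mode"), rec.get("users", []), [user])
            and passes(rec.get("group_mode"), rec.get("groups", []), groups))
```

Restrictions on nsadmin by host, described later on this page, are not modelled here.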
Delete a Permission Record
Choose the Tools Administer Server menu item and follow the Access Control link. To delete a permission record, follow the Delete a permission record link on the Access Control page. By default, only the nsadmin user or other users in the system group may delete a permission record.
Delete a permission record:
- From a Page window in AOLpress, choose the Tools Administer Server menu item. Choose your server from the server selection dialog that appears. If it is not listed, type in http:// followed by the name of the host where the server is running. A page containing links to several server functions appears.
- Follow the Access Control link on the AOLserver administration page.
- In the Permissions section, follow the Delete a permission record link.
- Select the permission record you want to delete based on the method and URL and then click Show. An update form for the permission record appears.
- Click Delete to delete the permission record.
Show and Update Permissions
There are two ways to show permission records from the Access Control page. (You can get to the Access Control page by choosing the Tools Administer Server menu item and then following the Access Control link.)
- Follow the Show a permission record link in the Permissions section. A Show Permission Record page appears, and you can select the permission record you want to look at based on the method and URL. Then click Show.
- Follow the Show all permission records link in the Permissions section. A page appears containing links to all of the AOLserver permission records. Follow the link to the permission record you want to look at.
Once you have selected the permission record you want in either of the above ways, an Update Permission page appears containing the permission record. You can change any of the information in the permission record and click Set Permission. Or, you can delete the permission record by clicking Delete.
Set Valid Hosts for nsadmin
The nsadmin user may want to restrict nsadmin privileges to nsadmin users on specific hosts. That way, an nsadmin user on one host will not have nsadmin privileges on all hosts. The nsadmin user can always connect from the host where AOLserver is running.
Set Hosts for nsadmin
- From a Page window in AOLpress, choose the Tools Administer Server menu item. Choose your server from the server selection dialog that appears. If it is not listed, type in http:// followed by the name of the host where the server is running. A page containing links to several server functions appears. If you are using another browser, go to the /NS/Admin page on your server.
- Follow the Access Control link on the AOLserver administration page.
- In the Permissions section, follow the Set permissions for nsadmin link.
- To allow the nsadmin user only on specific hosts, list the hosts in the Allow Hosts field, separated by commas. The nsadmin users from all other hosts will be denied. To deny the nsadmin user on specific hosts, list the hosts in the Deny Hosts field. The nsadmin users from all other hosts will be allowed.
- You can specify a host using either its host name or its IP address. You can use the asterisk (*), question mark (?) and bracket ([]) wildcard characters when specifying a host name. In the IP address, you can specify the number of significant bits to match against. For example, 199.221.53.18/24 means that only the 24 most significant bits are matched. In this case, it would be like specifying 199.221.53.*.
- Click Update to set the restrictions.