AOLserver's access control system allows you to define users and groups of users, and assign permission records to individual pages, MiniWebs, or entire page hierarchies. AOLserver users are distinct from operating system users. A permission record lets you allow or disallow lists of users, lists of groups, and lists of hosts for a method and URL combination.
AOLserver requires one special user, nsadmin. This user is always allowed access to any URL on an AOLserver. The nsadmin user is similar to the Unix root user. The nsadmin user cannot be assigned to a group, and the nsadmin user name cannot be changed.
AOLserver is configured by default with the nsadmin user, a system group, a public group, and a users group. To allow for shared responsibility of common administration functions, members of the system group are allowed access to many administration functions by default, such as adding new users or setting permission records. However, unlike the nsadmin user, which is a special name assumed to exist by the AOLserver, the system group is preset and implemented with ordinary permission records.
The public group is the default group for new users. You can change the permissions given to the system, public, and users groups and assign users to them by following the procedures described in this chapter. Note that you cannot delete the system group or the public group.
When you access the AOLserver as nsadmin or as a member of the system group, remember that your browser will cache your password. As long as you remain in the browser session, privileged operations (such as changing user permissions or passwords) can be performed. As a security measure, you may want to exit out of your browser if you leave your workstation unattended so that no one else can perform unauthorized operations.
Note that the entire access control maintenance system is implemented in Tcl. If you are interested, follow the Tcl Script Maintenance link on the AOLserver Administration page, and then follow the nsperm link on the Tcl Script Maintenance page to see the scripts.
The AOLserver access control system is provided on a per-virtual server basis by loading the nsperm module. In a typical configuration, each virtual server will load the nsperm module and maintain separate permission files. See the "Database Drivers and Pools" section for information on loading the nsperm module.
It is possible for some or all virtual servers to load alternative permission control modules which use a custom access control system. This chapter only describes the nsperm module access control system. If the permissions module is not loaded, the Access Control link will not appear on the AOLserver Administration page, and you will not have access to any of the features described in this chapter.
If the permissions module is not loaded, permissions will be defined as follows:
The nsadmin user will have PUT, MKDIR, and DELETE permission on URLs.