iPlanet Partner Agent for ECXpert Server Site Administrator’s Handbook



Chapter 5   (Optional) Using the Server Access Controls

This chapter describes how to use the Access Control pages to control access to the Partner Agent Server and the Partner Agent Server administration system. Using Access Controls, you can control the number of simultaneous users that are allowed to connect to the Server, restrict access by user type, user account and host address, lock users into specific directories, define alternate password files for users, and specify file system and upload restrictions.

This chapter covers the main pages for viewing and changing the Access Controls:

Admin System Host Access

The Admin System Host Access page allows you to control access to the Partner Agent Server administration system. Access is controlled through the use of access rules. The rules define which computer host names or IP addresses are allowed or denied use of the administration system. You can specify any number of allow and deny rules, and you can use UNIX-style wildcards such as * to restrict access from subnets.

The Admin System Host Access page has a section for adding new rules and a list of any current access rules.

Figure 5-1    Access pages, Admin System Host Access screen

Reordering Rules

When a browser attempts to connect to the Partner Agent Server administration system, the administration Server looks up the address and host name that the browser is connecting from, and applies the access rules to see if that browser should be allowed to connect. The default setting is for allow rules to be applied first, then for deny rules to be applied. You can change the order that rules are applied.


Note

Be careful not to lock your own host out of the administration system. If you change the order of rules to Allow then Deny, when there are no rules, you are locked out. If you do get locked out, you must edit the file $NSBASE/NS-apps/paserver/share/.htaccess.



To change the order that rules are applied:

  1. Select the order from the Rule Order drop-down list.


  2. Click Apply.


Adding a New Admin System Access Rule Entry

To add a new administration access rule:

  1. Select whether the rule is an allow or deny rule from the drop-down list.


  2. Enter the IP address or host name to which the rule is to apply.


  3. Click Add Entry.


  4. The rule is added to the list of Current Admin System Host Access Entries, with a status of Disabled.

Enabling or Disabling an Admin System Access Rule Entry

To enable or disable an administration access rule, click Enable or Disable, next to the desired rule.

Editing an Admin System Access Rule Entry

To edit an administration access rule from the list of Current Administration Access Rules:

  1. In the Action column next to the desired class definition, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Admin System Host Access Entry section, above the list of Current Admin System Host Access Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current Admin System Host Access Entries.

Deleting an Admin System Access Rule Entry

To delete an administration access rule, in the Action column next to the desired rule, click Delete.

Example of Admin System Access Rule Entry

You can use UNIX-style wildcards such as * to manage access from subnets. For example, the following two rules allow access to the administration system only from hosts in the mydomain.com domain:

Figure 5-2    Example of admin system access rule entries

Partner Agent Server Host Access

The Partner Agent Server Host Access page allows you to manage access to the Partner Agent Server. This is useful for restricting user account access to known hosts, thereby reducing the potential for hacker access from outside computers. Access is controlled through the use of access rules, which define computer host names or IP addresses that are either allowed or denied access to the administration system. You can specify any number of allow and deny rules, and you can use UNIX-style wildcards such as * to restrict access from subnets.

Figure 5-3    Access pages, Partner Agent Host Access screen

Reordering Partner Agent Server Host Access Rule Entries

When a client attempts to connect to the Partner Agent Server, the Server looks up the user class and address/host name that the client is connecting from, and applies the access rules to see if that client should be allowed to connect. The default setting is for allow rules to be applied first, then for deny rules to be applied. You can change the order that rules are applied.

To change the order that rules are applied:

  1. Select the order from the Rule Order drop-down list.


  2. Click Apply.


Adding a New Partner Agent Server Host Access Rule Entry

Server access rules allow you to limit access to the Partner Agent Server.

To add a new access rule:

  1. Select if the rule is an allow or a deny rule from the Rule drop-down list.


  2. Select the user account from the User list. Selecting account * applies the rule to all user accounts.


  3. Enter the IP address or host name to which the rule is to apply.


  4. Click Add Entry.


  5. The rule is added to the list of Current Partner Agent Server Host Access Entries, with a status of Disabled.

Enabling or Disabling a Partner Agent Server Host Access Rule

To enable or disable a Server access rule, click Enable or Disable, next to the desired rule.

Editing a Partner Agent Server Host Access Rule

To edit an access rule from the list of Server Host Access Rules:

  1. In the Action column next to the desired class definition, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Server Host Access Entry section above the list of Server Host Access Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current Server Host Access Entries.

Deleting a Partner Agent Server Host Access Rule

To delete an access rule, in the Action column next to the desired rule, click Delete.

Example of Partner Agent Server Host Access Rules

You can use UNIX-style wildcards such as * to manage access from subnets. For example, the following two rules only allow access from hosts in the mydomain.com domain:

Figure 5-4    Example of Partner Agent Server host access entries

A user account or host address can appear in several access restriction rules. This allows you to create very secure access rules, by denying access to all hosts (*), and then adding specific allow rules for the hosts that you want to grant access. For example, denying access to user class * from address 198.178.123.* would mean that nobody is allowed to connect to the Partner Agent Server from the subnet 198.178.123.

Mixing allow and deny rules can be very powerful. For example, deny access to user class * from address *, then allow access to account * from address 198.160.123.* means that only hosts from the 198.160.123 subnet can access your Partner Agent Server.
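The following sketch, an added example that is not part of the handbook or the product, models how rule order changes the outcome of the same rule list and checks whether a set of administration hosts would be locked out before the order is changed. The evaluation semantics are an assumption (Apache-style "Order", chosen because it agrees with the lock-out note and the subnet example above); the Rule type and function names are hypothetical.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    address: str          # IP address or host name; * is a UNIX-style wildcard
    enabled: bool = True  # entries added on the Access pages start out Disabled


def _hit(rule: Rule, ip: str, host: Optional[str]) -> bool:
    """A rule applies if its pattern matches the client's IP or its host name."""
    pat = rule.address.lower()
    return fnmatchcase(ip, pat) or (host is not None and fnmatchcase(host.lower(), pat))


def is_allowed(rules, order: str, ip: str, host: Optional[str] = None) -> bool:
    """Assumed semantics (not confirmed by the handbook):
    'allow,deny': default is deny; a client needs an allow match and no deny match.
    'deny,allow': default is allow; an allow match overrides a deny match.
    Disabled rules are ignored in both cases."""
    active = [r for r in rules if r.enabled]
    allow = any(r.action == "allow" and _hit(r, ip, host) for r in active)
    deny = any(r.action == "deny" and _hit(r, ip, host) for r in active)
    if order == "allow,deny":
        return allow and not deny
    if order == "deny,allow":
        return allow or not deny
    raise ValueError(f"unknown rule order: {order!r}")


def locked_out(rules, order: str, admin_clients):
    """Return the (ip, host) pairs from admin_clients that the rule set refuses."""
    return [c for c in admin_clients if not is_allowed(rules, order, *c)]


# Constructed sample data: the "deny *, then allow one subnet" rule pair from the text.
SUBNET_ONLY = [Rule("deny", "*"), Rule("allow", "198.160.123.*")]
ADMINS = [("198.160.123.10", "admin1.mydomain.com"), ("10.1.2.3", None)]

if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny"):
        print(order, "locks out:", locked_out(SUBNET_ONLY, order, ADMINS))
    # An allow rule that was added but never enabled does not count.
    forgotten = [Rule("deny", "*"), Rule("allow", "198.160.123.*", enabled=False)]
    print("disabled allow rule locks out:", locked_out(forgotten, "deny,allow", ADMINS))
```

Running the check against the list of hosts you administer from, before clicking Apply, shows whether the new order or a still-disabled allow rule would shut those hosts out.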

Password Files

Partner Agent Server allows you to specify and create additional or alternate password files to the operating system's password file (typically /etc/passwd).

The default setting is for Partner Agent Server to use the system's default password file to control user logins.




Note

You can remove or disable the system's default password file and have the Server operate entirely from an alternate password file or from a Virtual Users password file. Also, if all password file entries are removed or disabled, the system password file is used.



The Password Files page is where you add, enable, disable, or remove the password file entries that Partner Agent Server examines. You can also access the pages for setting up a Virtual User password file and virtual permissions.

Virtual Users

Partner Agent Server allows you to define Virtual Users. Virtual Users are listed in a separate password file of type virtual, and are virtually locked into their home directories with a chroot-style operation.

The Virtual Users functionality is useful if you are using Partner Agent Server to implement your own file transfer site, where you dynamically add new user accounts to Partner Agent Server and do not want to create real system user accounts for those users. Your application can manage its own password file, which is identical in format to the UNIX system's /etc/passwd file, and Partner Agent Server allows the users specified in your virtual password file to make connections. Users specified in your virtual password files are virtually chrooted into their home directories.

Figure 5-5    Access pages, Password Files screen

Adding a New Password File Entry

To add a new password file entry:

  1. Select whether the users in the password file are Real or Virtual. Select from the User Type drop-down list.


  2. In the next drop-down list, select either the system's password file (typically /etc/passwd) or Specify, to indicate a password file other than your system's default password file.


  3. If you chose Specify in the previous field, enter the absolute pathname to a new password file. If you do not enter an absolute pathname, such as /etc/alt.passwd, then Partner Agent Server looks for your new password file in the directory $NSBASE/NS-apps/paserver/etc. If you specify a file that does not exist, Partner Agent Server creates the file.


  4. Click Add File.


  5. The entry is added to the list of Current Password File Entries, with a status of Disabled. If you specified a virtual password file, two buttons display next to the entry, Edit File and Edit Perms. These buttons are used to access the pages to edit the password file and its permissions.

Enabling or Disabling a Password File Entry

To enable or disable a password file entry, click Enable or Disable, next to the desired entry.

Editing a Password File Entry

To edit a password entry from the list of Password File Entries:

  1. In the Action column next to the desired password file entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Password File Entry section above the list of Current Password File Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current Password File Entries.

Deleting a Password File Entry

To delete a password entry, in the Action column next to the desired entry, click Delete.

Editing a Password File

When you specify an additional password file in the Password Files page, you can create or edit entries to the file in the Editing Password File page.

To access the Editing Password File page, click Edit File next to the desired entry in the list of Current Password File Entries.

Figure 5-6    Access pages, Password Files, Editing Password File screen

At the top of the page is the name of the selected Password file. Below that is a section for adding entries. At the bottom of the page is a list of any Current Password File Entries.

Adding a New Password File Entry

To add a new password entry:

  1. Enter a user name in the Login Name field.


  2. Enter a password, in the Password field.


  3. Retype the password in the Retype Password field.


  4. Enter a user ID in the Uid field.


  5. Enter a group ID in the adjacent Gid field.


  6. Enter the user's full name in the Full Name field.


  7. Enter the user's home directory in the Home Directory field.


  8. Enter the user's shell pathname in the Shell field.





    Note

    This field is optional and is not used by Partner Agent Server.



  9. Click Add User.


  10. The entry is added to the list of Current Password File Entries with a status of Disabled.

Enabling or Disabling a Password File Entry

To enable or disable a Password File Entry, click Enable or Disable next to the desired entry.

Editing a Password File Entry

To edit a password entry from the list of Password File Entries:

  1. In the Action column next to the desired password file entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Password File Entry section above the list of Current Password File Entries.

  3. Click Apply.


  4. Your changes are reflected in the list of Current Password File Entries.

Deleting a Password File Entry

To delete a password entry, in the Action column next to the desired entry, click Delete.

Editing Permissions for Virtual Users

You can control the visibility and access to specified files in the virtual users environment. Files and directories can be allowed or denied. Allow and Deny rules provide a flexible and versatile set of access controls to virtual content.

When you specify an additional password file of type virtual in the Password Files page, you can control permissions for files and directories in the Editing Virtual Permissions page.

To access the Editing Virtual Permissions page, click Edit Perms next to the desired entry in the list of Current Password File Entries.

Figure 5-7    Access pages, Password Files, Editing Virtual Permissions screen

Virtual permission entries are allow and deny rules, rule order, shared directories, and the rule conflict policy.

Rules

You determine which files and directories can be accessed or not, with Allow or Deny rules. A rule consists of rule type (allow or deny), user class, and the path to which access is allowed or denied.

Rule Order and Conflict Policy

Rule order can be changed at any time with a Virtual Permission entry. Any allow or deny rules that follow the new order entry use that order to determine access. If a conflict in rule matching causes an allow and a deny rule to become active, the Conflict Policy determines whether to allow or deny.

Virtual Shared Directories

Virtual Users are limited to browsing only the parts of the file system rooted in their home directory unless a shared directory is specified for that user. A shared directory may be located at any point in the real file system and is defined as a pair of values, the file system mount point and the share name. The share name appears as a directory under the user's home directory. For example, if you share the directory /usr/local with the name public, then when the virtual user logs in to Partner Agent Server, there is a directory called public in the home directory, which refers to the directory /usr/local. The virtual user has access to the content of /usr/local and below, but not anything higher than /usr/local in the real file system.

Adding a Virtual Permission Entry

To add a virtual permission entry:

  1. Select a type of permission entry from the Permission Type drop-down list.


  2. Select a user class from the User Class drop-down list.


  3. For Allow/Deny permissions only, select the rule order from the Rule Order drop-down list.


  4. For Allow or Deny rules or for Shared Directories only, enter a path name for the file or directory in the Path field.


  5. For Shared Directories only, enter the name to share the directory as in the Shared As field. This is the name that appears in the virtual user's home directory.


  6. Click Add Entry.


  7. The entry is added to the list of Current Virtual Permission Entries with a status of Disabled.

Enabling or Disabling a Virtual Permission Entry

To enable or disable a Virtual Permission Entry, click Enable or Disable next to the desired entry.

Moving Virtual Permission Entries

Once an entry has been added to the list of Current Virtual Permission Entries, it can be moved up or down in the list using the arrows to the left of the entry. For example you may want to move an allow or deny entry above or below a rule order entry.

  • To move an entry down, click on the down pointing arrow, to the left of the entry.


  • To move an entry up, click on the up pointing arrow, to the left of the entry.

    Note

    If an entry is at the top of the list, it has no up arrow, and if it is at the bottom of the list, it has no down arrow.





Editing a Virtual Permission Entry

To edit a virtual permission entry from the list of Virtual Permission Entries:

  1. In the Action column next to the desired Virtual Permission entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Virtual Permission Entry section above the list of Current Virtual Permission Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current Virtual Permission Entries.

Deleting a Virtual Permission Entry

To delete a virtual permission entry, in the Action column next to the desired entry, click Delete.

Changing the Conflict Policy

To change the conflict policy:

  1. Select a policy from the Conflict Policy drop-down list.


  2. Click Change Policy.


Example of Virtual Permission Entries

To allow access to everything but hide the msg.welcome file and any .message files, you would define the following rules:

Figure 5-8    Example of virtual permission entries (Part 1)

To then deny access to everything in the beep directory except a file called README.txt, you specify a rule to deny access to everything in beep. Then specify a rule that allows access to /beep/README.txt. Since the rule order is still the default, Allow then Deny, the deny rule overrides the allow rule. Therefore you must first specify a new rule order. The Allow * rule (from the previous example) allows access to any file and the Deny /beep/* rule denies access to everything in /beep. This results in a conflict. If the conflict policy is to Allow access, then the Allow * rule takes precedence. To get the desired result, make sure the conflict policy is to Deny access.

The updated list of Current Virtual Permission Entries looks like:

Figure 5-9    Example of virtual permission entries (Part 2)




Note

Virtual Permissions apply to real and shared directories.



Master Virtual User

A very powerful way to use the Virtual User functionality is to create a real user in your system's password file. We will call this user master. Underneath the master user's account you create a directory for each of your virtual users. Create a virtual password file with an /etc/passwd style entry for each of these virtual users. List their user ID and group ID as being the same as your master user's. This way, all files that your virtual users upload are owned by the master. Yet, each virtual user is virtually chrooted into their own account.

To make this even more secure, use the Password Files controls to disable use of the system password file. This way, only your virtual users are able to use the Partner Agent Server. For increased security, you can define the master user's shell to be /etc/noshell, which effectively stops this user from logging into the system with telnet.
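An application that maintains its own virtual password file can check it against the master-user layout described above before handing it to the Server. The script below is an added example, not part of the handbook or the product; the function name, the master account values and the sample entries are constructed, and the password field holds a placeholder rather than a real hash.

```python
import posixpath

# System login names the Deny User Access section of this chapter lists for denial.
SYSTEM_LOGINS = {"root", "bin", "boot", "daemon", "news", "nobody",
                 "operator", "sys", "uucp"}


def audit_virtual_passwd(text, master_uid, master_gid, master_home):
    """Check /etc/passwd-style entries against the master virtual user layout.

    Returns a list of (line_number, message) findings; an empty list means every
    entry uses the master's uid/gid and has its own directory below the master's home.
    """
    findings = []
    names = set()
    homes = {}  # normalized home directory -> login name that owns it
    root = posixpath.normpath(master_home).rstrip("/") + "/"
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "expected 7 colon-separated fields"))
            continue
        name, _pw, uid, gid, _gecos, home, _shell = fields
        if name in names:
            findings.append((lineno, f"duplicate login name {name!r}"))
        names.add(name)
        if name in SYSTEM_LOGINS:
            findings.append((lineno, f"{name!r} is a system login name"))
        if (uid, gid) != (str(master_uid), str(master_gid)):
            findings.append((lineno, f"uid:gid {uid}:{gid} differs from the master's"))
        # Normalize first so that ".." components cannot hide an outside directory.
        norm = posixpath.normpath(home)
        if not norm.startswith(root):
            findings.append((lineno, f"home {home!r} is not below {master_home!r}"))
        elif norm in homes:
            findings.append((lineno, f"home is shared with {homes[norm]!r}"))
        else:
            homes[norm] = name
    return findings


# Constructed sample file; "x" stands in for the password field.
SAMPLE = "\n".join([
    "alice:x:1500:1500:Alice Example:/home/master/alice:/bin/false",
    "bob:x:1500:1500:Bob Example:/home/master/alice/../../bob:/bin/false",
    "carol:x:0:1500:Carol Example:/home/master/carol:/bin/false",
    "dave:x:1500:1500:Dave Example:/home/master/alice:/bin/false",
    "daemon:x:1500:1500:Daemon:/home/master/daemon:/bin/false",
])

if __name__ == "__main__":
    for lineno, message in audit_virtual_passwd(SAMPLE, 1500, 1500, "/home/master"):
        print(f"line {lineno}: {message}")
```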

Virtual Groups

Every user on a UNIX system has a user ID and a group ID. UNIX systems use these to set process and file permissions. The Virtual Groups page allows you to specify certain UNIX groups as virtual groups. Any user who is a member of a virtual group becomes a Virtual User whether or not they are members of a Virtual Password file. This is a quick way to make any user virtual based solely on their group membership.

Figure 5-10    Access pages, Virtual Groups screen

The Virtual Groups page contains a section to add new virtual group entries and a list of any current virtual group entries.

Adding a New Virtual Group Entry

To add a new Virtual Group entry:

  1. Select the Group you want to add from the Groups drop-down list.


  2. Click Add Group.


  3. The entry is added to the list of Current Virtual Group Entries, with a status of Enabled.

Disabling or Enabling a Virtual Group Entry

To disable or enable a virtual group entry, click Disable or Enable, next to the desired entry.

Deleting a Virtual Group Entry

To delete a virtual group entry, in the Action column next to the desired entry, click Delete.

Limiting User Access

Limit rules allow you to limit the number of simultaneous users that Partner Agent FTP Server allows to be connected at one time. Partner Agent Server allows you to define limits on a per user class basis. You can also limit access for different days of the week and even for different times during the day.




Note

If you do not specify a limit rule for a class, Partner Agent Server assumes that you do not want to limit the maximum number of simultaneous FTP connections of users of that class. You are limited only by the capacity of your Server hardware and the bandwidth of your network (and by the number of licenses).



The Limit User Access page is where you view, create and edit limit rules. A limit rule consists of the name of the user class, the maximum number of users of that class that are allowed to connect to the FTP Server simultaneously, the days and times when the rule is in effect, and whether the rule is enabled or disabled. This allows you to create rules that are not enabled, but remain in the system so that you can quickly enable them.

Figure 5-11    Access pages, Limit User Access screen

Adding a New User Limit Entry

To add a new user limit entry:

  1. Select a user class from the User Class drop-down list.


  2. Enter the maximum number of simultaneous users for that class in the Max Users field.


  3. Select if you want to add day and time restrictions or no restrictions from the next drop-down list.


  4. If you chose to add day/time restrictions in the prior field, select the days of the week on which you want the rule to apply. To select a day, click on it in the drop-down list. To select more than one day, hold down the Control (Ctrl) key and click on the desired days.


  5. To specify a time range for the rule to be in effect, enter times in the From and To fields. Enter times in the HHMM format (2-digit hour and 2-digit minute for a 24 hour clock).


  6. Enter a message in the Message displayed when limit enforced field. This message is sent to users who try to connect and are refused during the active time of the limit rule.


  7. Click Add Limit.


  8. The rule is added to the list of Current User Limit Entries, with a status of Disabled.




    Note

    If multiple limit rules are defined for a given time and day period, the first rule in the list of Current User Limit Entries is used.



Enabling or Disabling a User Limit Entry

To enable or disable a user limit entry, click Enable or Disable, next to the desired entry.

Editing a User Limit Entry

To edit a user limit entry from the list of User Limit Entries:

  1. In the Action column next to the desired user limit entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit User Limit Entry section above the list of Current User Limit Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current User Limit Entries.

Deleting a User Limit Entry

To delete a user limit entry, in the Action column next to the desired entry, click Delete.

Denying User Access

The Deny User Access page lists the names of user accounts (login names) that are not allowed to log in to the Partner Agent Server (Denied Users), and the names of user accounts that are allowed to log in (Allowed Users). You can move names back and forth between the Denied Users and the Allowed Users lists. For maximum security, the Denied Users list should include users like root, bin, boot, daemon, news, nobody, operator, sys and uucp.

Figure 5-12    Access pages, Deny User Access screen

Denying Access to Users

To add a user to the list of Denied Users:

  1. Select the user name in the Allowed Users drop-down list.


  2. Click Deny User, below the Allowed Users list.


  3. The user is added to the Denied Users list.

Allowing Access to Users

To add a user to the list of Allowed Users:

  1. Select the user name in the Denied Users drop-down list.


  2. Click Deny User, below the Denied Users list.


  3. The user is added to the Allowed Users list.

Denying Group Access

The Deny Group Access page lists the names of Group accounts that are not allowed to log in to the Partner Agent Server (Denied Groups). It also lists the names of Group accounts that are allowed to log in (Allowed Groups). You can move names back and forth between the Denied Groups and the Allowed Groups lists.

Figure 5-13    Access pages, Deny Group Access screen

Denying Access to Groups

To add a Group to the list of Denied Groups:

  1. Select the Group name in the Allowed Groups drop-down list.


  2. Click Deny Group, below the Allowed Groups list.


  3. The Group is added to the Denied Groups list.

Allowing Access to Groups

To add a Group to the list of Allowed Groups:

  1. Select the Group name in the Denied Groups drop-down list.


  2. Click Deny Group, below the Denied Groups list.


  3. The Group is added to the Allowed Groups list.

Anonymous Logins

When you install Partner Agent Server, the Install program checks if an FTP account (user name ftp) exists. If you created this account at install time (or if it already exists on your Server), then you can enable or disable anonymous user access. The Anonymous Logins page allows you to turn anonymous user access on and off without having to delete an anonymous FTP user account.

To create the anonymous FTP directory, as the super-user run:

$NSBASE/NS-apps/paserver/bin/ftpsetup


Note

You still need to add an entry for user 'ftp' in the system's /etc/passwd file. ftpsetup does not do this for you.



Figure 5-14    Access pages, Anonymous Logins screen

Enabling or Disabling Anonymous Users

To enable or disable anonymous user access:

  1. Select the desired setting from the Anonymous Login Options drop-down list.


  2. Click Apply.


  3. Your change is applied.

Setting Criteria for Anonymous Passwords

If your Partner Agent Server is configured to allow anonymous users, you can use the Anonymous Password Options section to control the format of passwords that anonymous users must present when using your Server. Typically, anonymous users must supply their e-mail address as the password to the anonymous user account.

To choose the criteria for anonymous user passwords:

  1. Select an option from the Password required drop-down list. The options are:


    • None required—no password checking performed.


    • Require user@—password must contain an @.


    • Require user@host.domain.com—password must be an RFC 822 compliant address, for example user@server.com.


  2. The Server enforces or warns users of your password policy. Select the desired option from the Password checking drop-down list. The options are:


    • Notify User of Requirement—warn the user, but allow them to log in.


    • Enforce Password Requirement—warn the user, and then require them to re-authenticate.


  3. Click Apply.


  4. Your changes are applied.

Filesystem Restrictions

The Filesystem Restrictions page allows you to control the ability for specific user types to modify files and directories on the Partner Agent Server. You can specify restrictions that allow or deny the operations that users can perform on files and directories on the Server.

There are seven operations that can be allowed or denied. They are:

  • Delete a file—determines whether or not a user class may delete files on the Server.


  • Rename a file—determines whether or not a user class may rename files on the Server.


  • Overwrite a file—determines whether or not a user class may overwrite existing files on the Server.


  • Make a directory—determines whether or not a user class may create directories on the Server.


  • Remove a directory—determines whether or not a user class may remove directories from the Server.


  • Change file mode—determines whether or not a user class may change file access permissions on the Server.


  • Change Umask—determines whether or not a user class may change the access permissions mask for new files being uploaded to the Server.


Figure 5-15    Access pages, Filesystem Restrictions screen

Adding a New Filesystem Restriction Entry

To add a restriction entry that allows or denies an operation:

  1. Select an operation from the Operations drop-down list.


  2. Select Yes or No to allow or deny the operation. Select an option from the Allowed drop-down list.


  3. Select the desired user class from the User Class drop-down list.


  4. Enter the path name for which the restrictions apply, in the Path field.


  5. Click Apply.


  6. The rule is added to the list of Current Filesystem Restriction Entries, with a status of Disabled.

Enabling or Disabling a Filesystem Restriction Entry

To enable or disable a filesystem restriction entry, click Enable or Disable, next to the desired entry.

Editing a Filesystem Restriction Entry

To edit a filesystem restriction entry in the list of Filesystem Restriction Entries:

  1. In the Action column next to the desired filesystem restriction entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Filesystem Restriction Entry section above the list of Current Filesystem Restriction Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current Filesystem Restriction Entries.

Deleting a Filesystem Restriction Entry

To delete a filesystem restriction entry, in the Action column next to the desired entry, click Delete.

Upload Restrictions

You can grant or revoke permission for users to upload files and to create directories. Partner Agent Server gives you per user control of upload and directory creation permissions. You can also control the owner, group and access permissions of uploaded files. The Upload Restrictions page is where you view, create and edit upload and directory creation restriction rules.

Figure 5-16    Access pages, Upload Restrictions screen

Rules are applied in top-down order as they are displayed in the list of upload and directory creation restrictions. This allows you to deny upload permission for a user's account (directory would be *) and then have a following restriction that only enables uploads for a particular subdirectory.

Adding a New Upload Restriction Entry

To create a new upload restriction:

  1. Enter the pathname of the directory to be affected by the restriction, in the Upload Directory field. UNIX wildcards such as * are allowed. All directories must be specified based on the file system root in use by the user. For anonymous FTP, this is the directory specified in the FTP user account. For example, if the FTP hierarchy is rooted in /home/ftp, and the directory is /home/ftp/incoming, you must only specify /incoming as the upload directory. Similarly, for virtual users, this is the virtual root directory specified in the virtual password file. For example, if the virtual root is /home/ftp/virtual/user1 and you want to restrict uploads to this directory, specify / as the upload directory.


  2. Select Yes or No to allow or deny uploads. Select from the Allowed drop-down list.


  3. Select a user class from the User Class drop-down list.


  4. If you want to specify the owner, regardless of who uploads a file, select an upload owner from the Upload Owner drop-down list.





    Note

    The ownership of the uploaded file is established after the file is successfully uploaded to the Server.



  5. If you want to specify the group membership of a file regardless of the group of whoever uploads a file, select an upload group from the Upload Group drop-down list.


  6. If you want to have the file mode of uploaded files be other than the default umask mode of the user doing the uploading, change the file mode. Enter the file mode in the File Mode field.





    Note

    The file mode is set when the file is opened for writing at the start of an upload.



  7. Click Add Entry.


  8. The restriction is added to the list of Current Upload Restriction Entries, with a status of Disabled.




    Note

    Rules are applied in top-down order as they appear in the list. Therefore if you are listing multiple rules for a single user class you should list the broadest rules first (e.g. deny uploads for subdirectory *) followed by the narrower rules (e.g. allow uploads for subdirectory /incoming).
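The ordering advice above can be checked mechanically. The sketch below is an added example, not part of the handbook or the product: it converts a real directory into the root-relative form the Upload Directory field expects, evaluates a rule list top-down, and flags narrow rules that a later, broader rule would override. It assumes that the last matching enabled rule decides the outcome (which is what "broadest rules first" implies); the UploadRule type, the function names and the "anonymous" user class name are hypothetical.

```python
import posixpath
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional


class UploadRule(NamedTuple):
    directory: str        # path relative to the user's root; * is a wildcard
    allowed: bool
    user_class: str
    enabled: bool = True  # new entries start out Disabled


def to_rule_path(real_dir: str, user_root: str) -> str:
    """Express a real directory relative to the FTP or virtual root in use."""
    real = posixpath.normpath(real_dir)
    root = posixpath.normpath(user_root).rstrip("/")
    if real == root or real == root + "/":
        return "/"
    if not real.startswith(root + "/"):
        raise ValueError(f"{real_dir!r} is outside the user's root {user_root!r}")
    return real[len(root):]


def upload_allowed(rules, user_class: str, directory: str) -> Optional[bool]:
    """Top-down evaluation, last matching enabled rule wins (assumed semantics).

    Returns None when no rule matches; the handbook does not state the default.
    """
    verdict = None
    for rule in rules:
        if (rule.enabled and rule.user_class == user_class
                and fnmatchcase(directory, rule.directory)):
            verdict = rule.allowed
    return verdict


def shadowed(rules):
    """Indexes of enabled rules overridden by a later, broader rule for the same class.

    Heuristic: the earlier rule's directory, read as a literal string, is matched
    by the later rule's pattern and the two rules disagree.
    """
    hits = []
    for i, early in enumerate(rules):
        for late in rules[i + 1:]:
            if (early.enabled and late.enabled
                    and early.user_class == late.user_class
                    and early.allowed != late.allowed
                    and fnmatchcase(early.directory, late.directory)):
                hits.append(i)
                break
    return hits


# Constructed sample rule lists: broad-then-narrow (as recommended) and the reverse.
GOOD = [UploadRule("*", False, "anonymous"), UploadRule("/incoming", True, "anonymous")]
BAD = list(reversed(GOOD))

if __name__ == "__main__":
    path = to_rule_path("/home/ftp/incoming", "/home/ftp")
    print(path, "recommended order:", upload_allowed(GOOD, "anonymous", path))
    print(path, "reversed order:", upload_allowed(BAD, "anonymous", path))
    print("shadowed rule indexes in reversed list:", shadowed(BAD))
```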



Enabling or Disabling an Upload Restriction Entry

To enable or disable an upload restriction entry, click Enable or Disable, next to the desired entry.

Editing an Upload Restriction Entry

To edit an upload restriction entry from the list of Upload Restriction Entries:

  1. In the Action column next to the desired upload restriction entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Upload Restriction Entry section above the list of Current Upload Restriction Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current Upload Restriction Entries.

Deleting an Upload Restriction Entry

To delete an upload restriction entry, in the Action column next to the desired entry, click Delete.

Download Restrictions

You can allow or deny access to specific directories for downloading files by user class. The Download Restrictions page is where you create, view and edit Download restrictions.

Figure 5-17    Access pages, Download Restrictions screen

Adding a New Download Restriction Entry

To add a download restriction entry:

  1. Enter the pathname of the directory to be affected by the restriction, in the Download Directory field. UNIX wildcards such as * are allowed. All directories must be specified based on the file system root in use by the user. For anonymous FTP, this is the directory specified in the FTP user account.


  2. Select Yes or No to allow or deny downloads. Select an option from the Allowed drop-down list.


  3. Select the desired user class from the User Class drop-down list.


  4. Click Add Entry.


  5. The restriction is added to the list of Current Download Restriction Entries, with a status of Disabled.

Enabling or Disabling a Download Restriction Entry

To enable or disable a download restriction entry, click Enable or Disable, next to the desired entry.

Editing a Download Restriction Entry

To edit a download restriction entry from the list of Download Restriction Entries:

  1. In the Action column next to the desired download restriction entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit Download Restriction Entry section above the list of Current Download Restriction Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current Download Restriction Entries.

Deleting a Download Restriction Entry

To delete a download restriction entry, in the Action column next to the desired entry, click Delete.




Copyright © 2000 Sun Microsystems, Inc.
Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.
Last Updated December 04, 2000