Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Limiting Access to Areas of Your Server

This section describes some commonly used restrictions to a server and its contents. The steps for each procedure detail the specific actions you must take. However, you still must complete the steps described in Setting Access Control for a Server Instance.

This section contains the following topics:

Restricting Access to the Entire Server

You might want to allow access to users in a group who access the server from computers in a subdomain. For instance, you might have a server for a company department that you only want users to access from computers in a specific subdomain of your network.

To Restrict Access to the Entire Server

  1. Access the Server Manager for the server instance.

  2. On the Preferences tab, click the Administer Access Control link.

  3. Select the entire server from the drop-down list, click Select, and then click the corresponding Edit button.

    The Access Control Rules For page is displayed.

  4. Add a rule to deny access to all.

  5. Add another rule to allow access to a specific group.

  6. Use From Host to specify the host names and IP addresses you want to restrict.

  7. Click Submit to save your changes.

Restricting Access to a Directory

You can allow users in a group to read or run applications in directories, and the subdirectories and files, that are controlled by an owner of the group. For example, a project manager might update status information for a project team to review.

To Restrict Access to Directories

Using the steps described for setting access control for a server instance (see Setting Access Control for a Server Instance), do the following:

  1. Access the Server Manager for the server instance.

  2. On the Preferences tab, click the Administer Access Control link.

  3. Select the desired resource from the drop-down list and click Edit.

  4. Create a rule with the default values that deny access to everyone from everywhere.

  5. Create another rule allowing users in a specific group to have read and execute rights only.

  6. Create a third rule to allow a specific user to have all rights.

  7. Deselect Continue for the last two rules.

  8. Click Submit to save your changes.
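Why the blanket deny rule comes first and what deselecting Continue does can be seen in a small model. This Python sketch is an added example, not part of the Oracle guide and not the server's own code. It assumes that rules are checked in order, that the last applicable rule decides, and that a rule with Continue deselected stops evaluation. The group name, user name and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

ALL = frozenset({"read", "execute", "write", "delete"})

@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    rights: frozenset              # rights the rule covers
    who: Callable[[dict], bool]    # does the rule apply to this requester?
    cont: bool = True              # state of the Continue checkbox

def decide(rules, req):
    """Walk the rules in order; the last applicable rule sets the verdict,
    and a rule with Continue deselected ends the walk (modeling assumption)."""
    verdict = "deny"               # assumption: no applicable rule means no access
    for rule in rules:
        if req["right"] in rule.rights and rule.who(req):
            verdict = rule.action
            if not rule.cont:
                break
    return verdict

def in_team(req):
    return "project-team" in req["groups"]   # constructed group name

def is_owner(req):
    return req["user"] == "pm"               # constructed user name

# Steps 4-7 of the procedure: deny everyone, then two rules with Continue deselected.
DIRECTORY_RULES = [
    Rule("deny", ALL, lambda req: True),
    Rule("allow", frozenset({"read", "execute"}), in_team, cont=False),
    Rule("allow", ALL, is_owner, cont=False),
]

# Misordered variant: the blanket deny comes last and overrides both allow rules.
DENY_LAST = [
    Rule("allow", frozenset({"read", "execute"}), in_team),
    Rule("allow", ALL, is_owner),
    Rule("deny", ALL, lambda req: True),
]

def request(user, groups, right):
    return {"user": user, "groups": set(groups), "right": right}
```

Under this model a team member can read but not write, the named user keeps all rights, and the misordered variant locks everyone out, including the named user.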

Restricting Access to a File Type

You can limit access to file types. For example, you might want to allow only specific users to create programs that run on your server. Anyone would be able to run the programs, but only specified users in the group would be able to create or delete them.

To Restrict Access to File Types

  1. Access the Server Manager for the server instance.

  2. On the Preferences tab, click the Administer Access Control link.

  3. Click Regular Expression in the Select A Resource section, and specify the regular expression, for example, *.cgi.

  4. Click Edit.

  5. Create a rule to allow read access to all users.

  6. Create another rule that allows write and delete access only to a specified group.

  7. Click Submit to save your changes.

    For file type restriction, you would leave both Continue boxes selected. If a request for a file comes in, the server then checks the ACL for the file type first.

    A PathCheck function is created in the obj.conf file that might include wildcard patterns for files or directories. The entry in the ACL file would appear as follows: acl "*.cgi";

Restricting Access Based on Time of Day

You can restrict write and delete access to the server during specified hours or on specified days.

To Restrict Access Based on Time of Day

  1. Access the Server Manager for the server instance.

  2. On the Preferences tab, click the Administer Access Control link.

  3. Select the entire server from the drop-down list in the Select A Resource section, and click Edit.

  4. Create a rule allowing read and execute rights to all.

    If a user wants to add, update, or delete a file or directory, this rule does not apply and the server searches for another rule that matches.

  5. Create another rule denying write and delete rights to all.

  6. Click the X link to create a customized expression.

  7. Type the days of the week and the times of day to be allowed, for example:


    user = "anyone" and dayofweek = "sat,sun" or (timeofday >= 1800 and timeofday <= 600)

  8. Click Submit to save your changes.

    Any errors in the custom expression produce an error message. Make corrections and submit again.
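A custom time expression can be syntactically valid and still match fewer hours than intended, so it is worth evaluating against a sample week before relying on it. This Python sketch is an added example, not part of the Oracle guide. It assumes timeofday is an HHMM integer on a 24-hour clock and that `and` binds tighter than `or`; the function names are hypothetical. It shows that a window crossing midnight written as one `and` range (no single value is both >= 1800 and <= 600) never matches on its own, while the same bounds joined by `or` do.

```python
from datetime import datetime, timedelta

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")

def hhmm(ts):
    """Clock time as an HHMM integer, e.g. 18:30 -> 1830 (assumed encoding)."""
    return ts.hour * 100 + ts.minute

def as_printed(ts):
    """dayofweek = "sat,sun" or (timeofday >= 1800 and timeofday <= 600)"""
    t = hhmm(ts)
    # user = "anyone" is true for every requester, so it is omitted here.
    return DAYS[ts.weekday()] in ("sat", "sun") or (t >= 1800 and t <= 600)

def wrapping(ts):
    """Same bounds with the overnight window written as two halves joined by 'or'."""
    t = hhmm(ts)
    return DAYS[ts.weekday()] in ("sat", "sun") or (t >= 1800 or t <= 600)

def in_window(t, start, end):
    """General HHMM range test that also handles windows crossing midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def coverage(expr):
    """Evaluate expr at every hour of a constructed week; return matching (day, hour) pairs."""
    monday = datetime(2024, 1, 1)  # constructed sample week; 2024-01-01 is a Monday
    hours = (monday + timedelta(hours=h) for h in range(7 * 24))
    return {(DAYS[ts.weekday()], ts.hour) for ts in hours if expr(ts)}

if __name__ == "__main__":
    for name, expr in (("as printed", as_printed), ("wrapping", wrapping)):
        hits = coverage(expr)
        tuesday = sorted(h for d, h in hits if d == "tue")
        print(f"{name}: {len(hits)} matching hours, Tuesday hours: {tuesday}")
```

In the sample week the expression as printed matches only the 48 weekend hours, whereas the `or` form also matches 18:00 through 06:00 on weekdays.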

Restricting Access Based on Security

You can configure SSL and non-SSL listen sockets for the same server instance. Restricting access based on security enables you to create protection for resources that should only be transmitted over a secure channel.

To Restrict Access Based on Security

  1. Access the Server Manager for the server instance.

  2. On the Preferences tab, click the Administer Access Control link.

  3. Select the entire server from the drop-down list in the Select A Resource section, and click Edit.

  4. Create a rule allowing read and execute rights to all.

    If a user wants to add, update, or delete a file or directory, this rule does not apply and the server searches for another rule that matches.

  5. Create another rule denying write and delete rights to all.

  6. Click the X link to create a customized expression.

  7. Type ssl="on". For example:


    user = "anyone" and ssl="on"

  8. Click Submit to save your changes.

    Any errors in the custom expression produce an error message. Make corrections and submit again.