rootdir_security
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
rootdir_security [2022/02/11 12:41] yves [Public vs private] |
rootdir_security [2023/11/21 16:14] (current) chris |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ===== Security ===== | ===== Security ===== | ||
| - | Security is increasingly important. As PMA.core has been deployed in increasingly complex scenarios over the years, its security features have evolved, too. | + | Security is increasingly important. As PMA.core has been deployed in ever-more complex scenarios over the years, its security features have evolved, too. |
| Security pertaining to root-directories is situated at two levels: | Security pertaining to root-directories is situated at two levels: | ||
| Line 7: | Line 7: | ||
| * Configure public/secret key combinations for S3 resources | * Configure public/secret key combinations for S3 resources | ||
| * Configure account credentials to be used when accessing a UNC network resource path | * Configure account credentials to be used when accessing a UNC network resource path | ||
| - | * Prevent users from access mounted content through root directories that they are or are not allowed to do | + | * Prevent [[user_management|users]] from access mounted content through root directories that they are or are not allowed to do |
| * Define Access control lists | * Define Access control lists | ||
| Line 16: | Line 16: | ||
| Based on the type of data storage that a root directory's mounting point refers to, the configuration offers different options: | Based on the type of data storage that a root directory's mounting point refers to, the configuration offers different options: | ||
| - | === Local hard disk entry points === | + | * [[rootdir_local|Local hard disk entry points]] |
| + | * [[rootdir_network|Network storage and UNC paths]] | ||
| + | * [[rootdir_s3|S3 storage]] | ||
| + | * [[rootdir_azure|Azure storage]] | ||
| - | If you want to expose a local folder on the server's hard disk as a root directory in PMA.core, the simplest way to do this is by giving the IIS user account access rights to the folder using the Windows Explorer: | + | ==== Public vs private ==== |
| - | {{ :rootdir_local10.png?direct&400 |}} | + | As you grow your number of [[user_management|users]] and root-directories, you might want to change the default setting that everybody is allowed to see everything. |
| + | Therefore, root-directories can be marked "public" or "private": | ||
| - | === Network storage (UNC paths) === | + | {{ :rootdir_public_private_switch.png?direct&200 |}} |
| - | Pathomation runs under a certain application pool. This application pool is associated with a user identify, which may not have access to the network path that you try to access. Giving access for the application pool to access the network resource may be difficult for a variety of reasons. | + | Public root directories are marked "public", this means every user has access to them. They can be accessed by anybody who is a registered user in [[user_management|the PMA.core user repository]]. |
| - | If you can't immediately access the network path with default (i.e. application pool) credentials, you can provide additional information. | + | Private root directories are marked "private", which means only select users can see the content. Private root dirs are only accessible by those who have been explicitly given access to the folder through the directory's [[rootdir_security#access_control_list|access control list]]. |
| - | In the case below we've created a dedicated pma_read user that is permitted to acces the shared \\MALTA1767\reference path: | + | ==== Access control lists ==== |
| - | {{ :rootdir_network10.png?direct&400 |}} | + | Once marked private, you can select which users are allowed to see the content of a given root directory, and which ones aren't: Do this by pressing the "Edit access control list" link after you have selected the "private" option: |
| + | {{ :acl.png?nolink&400 |}} | ||
| - | === S3 storage === | + | An interactive overview grid is available via the Root directories management view: |
| - | === Azure storage === | + | {{ :rootdir_acl_20.png?direct&400 |}} |
| + | It is useful to get an overview of who has access to what. For that, you can request the ACL report from the root-directories view. | ||
| - | ==== Public vs private ==== | + | {{ :overview.png?nolink&400 |}} |
| - | As you have more users and more root-directories, it becomes undesirable that everybody is allow to see everything. | + | The resulting report looks like this: |
| - | Therefore, root-directories can be marked "public" or "private": | + | {{ :overview2.png?nolink&400 |}} |
| - | Public root directories are marked "public", it means every user has access to them. They can be accessed by anybody who is a registered user in the PMA.core user repository. | ||
| - | |||
| - | Private root directories are marked "private", it means only select users can see the content. They are only accessible by those who have been explicitly given access to be allowed to access the folder through the directory's [[acl|access control list]]. | ||
| - | |||
| - | ==== Access control lists ==== | ||
| - | |||
| - | Once marked private, you can select what users are allowed to see the content of the root directory, and which ones aren't: Do this by pressing the "Edit access control list" link after you selected the "private" option: | ||
| - | |||
| - | {{ :acl.png?nolink&400 |}} | ||
rootdir_security.1644572494.txt.gz · Last modified: 2022/02/11 12:41 by yves
