Access

The Access tab allows you to grant or deny access to a hosted web site. You can specify the whole site or individual sub-folders.

You can allow or deny access for individual IP addresses, users (local or specifically defined), and groups and other account types.

Selecting the Access tab reveals a list of currently defined access rules.

Figure. Access tab.

Button

Description

Add

Click the button to add an access rule. The Access dialog opens.

Edit

Select a rule and click the button to edit this rule. The Access dialog opens.

Copy

Select a rule and click the button to copy its settings. This is handy when creating a rule with similar settings.

Delete

Select a rule and click the button to delete this rule.

Arrows

Select a rule and click one of these buttons to move it up or down in the list.

Note: Rules are evaluated in the order in which they appear in the list. Once one of the rules is met, all later rules are not used.

Example:

You want to grant John Doe (and only him) access to some location. Create one rule that grants him access and a second one that denies access to anyone else. The rule granting access has to come first in the list.

In the Access dialog, you specify the location you wish to protect and the resource(s) you are protecting it from.

You should be aware that unless you specifically Deny access to something, everyone will have access. If you want to restrict access to a particular web site, you should Grant access to the specific user(s) and then Deny access to everyone else.

Note: Denying someone access while granting it to all others is meaningful only if you specify IP addresses (not only usernames), because the server knows IP addresses but not usernames when users are trying to enter the resource.

You should also be aware that if you wish to specify a local user in the Username field, you should enclose it in square brackets to let IceWarp Server know it should check its own database for password verification - this is done automatically if you use the "..." button to select a user, group or domain.

Figure. Access dialog.

Field

Description

URI

Enter a specific URI to allow or deny access to. (optional)

Note: If set, it has to end with "/*" (slash and asterisk) to work for all items within the folder.

IP

Enter the IP address that will be allowed or denied. (optional)

Note: If you leave this field blank, you grant/deny everyone access.

Not

Check this box to negate the IP range (logical "NOT").

In the above example, access is granted to the /admin/ directory from any IP address except 192.168.*.*

Access

Choose whether access will be granted or denied with this rule.

Basic HTTP Authentication

Check the box if you want to use basic HTTP authentication. The user has to enter their user name and password in the usual dialog shown before entering the URI specified above.

Kerberos/SSO HTTP Authentication

Check the box if you want to use Kerberos/SSO HTTP authentication (for more information, refer to the Domains and Accounts - Domain - Directory Service chapter - Kerberos/GSSAPI/SSO section). Credentials provided by users when they log into Windows are used.

Note: Both these options can be used together. IceWarp Server sends information to the browser. If the browser supports Kerberos/SSO authentication, a login dialog is not shown.

User is authenticated independently

Select this option if you want to check users against the data set in the Username and Password fields (see below).

User is authenticated against system accounts

Select this option if you want to check users against all IceWarp Server system accounts.

Username

Enter a specific user name that will be allowed or denied. (optional)

Note: If you leave this field blank, you grant/deny everyone access.

Password

Enter a password for the user name specified above.

Kerberos service

Fill in the Kerberos service name. For more details, refer to the Domains and Accounts - Domain - Directory Service chapter - Kerberos/GSSAPI/SSO section - Service name field.

Kerberos keytab

Use the "..." button to select keytab files. For detailed information, refer to the Domains and Accounts - Domain - Directory Service chapter - Kerberos/GSSAPI/SSO section - Place keytab files ... field.

User condition

Use the "..." button to select the system user to whom access is to be granted or denied.

Note: If this field is used, the Username column (the Web Site dialog - Access tab) is left blank.

User is domain administrator

Check this box to allow all local system domain administrator accounts access to the web site with their username/password.

User is administrator

Check this box to allow all local system administrator accounts access to the web site with their username/password.

Note: Do not check both these boxes, as users cannot have both these roles. It would prevent access for all users.
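
The rule ordering and the default-grant behaviour described in the notes above can be checked with a small model before rules are entered in the dialog. This is an added example, not IceWarp Server code: the Rule class, the evaluate function, the use of fnmatch-style wildcards, and all paths, usernames and addresses are assumptions made for illustration.

```python
# Illustrative model of first-match access rules; not IceWarp Server code.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Rule:
    grant: bool               # True = Grant, False = Deny
    uri: str = ""             # blank = whole site; "/dir/*" = items in the folder
    ip: str = ""              # blank = any address; "*" wildcards (assumed syntax)
    negate_ip: bool = False   # the "Not" checkbox
    username: str = ""        # blank = everyone

    def matches(self, path: str, ip: str, user: Optional[str]) -> bool:
        if self.uri and not fnmatchcase(path, self.uri):
            return False
        # With "Not" checked, the rule applies to addresses outside the range.
        if self.ip and fnmatchcase(ip, self.ip) == self.negate_ip:
            return False
        if self.username and user != self.username:
            return False
        return True


def evaluate(rules, path: str, ip: str, user: Optional[str] = None) -> bool:
    """Return True if access is granted. The first matching rule decides."""
    for rule in rules:
        if rule.matches(path, ip, user):
            return rule.grant
    return True  # no rule matched: everyone has access unless denied


# Constructed sample rule lists.
GRANT_JOHN = Rule(grant=True, uri="/private/*", username="john.doe")
DENY_REST = Rule(grant=False, uri="/private/*")
CORRECT = [GRANT_JOHN, DENY_REST]    # grant rule first
REVERSED = [DENY_REST, GRANT_JOHN]   # deny rule first: John is locked out too
# Grant /admin/* to every address except 192.168.*.*, then deny the rest.
ADMIN_NOT_LAN = [Rule(True, "/admin/*", "192.168.*.*", negate_ip=True),
                 Rule(False, "/admin/*")]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("reversed", REVERSED)):
        for user in ("john.doe", "jane.roe"):
            ok = evaluate(rules, "/private/report.html", "203.0.113.7", user)
            print(f"{name:8} {user:9} granted={ok}")
```

In this model a grant rule with "Not" checked restricts nothing on its own: an address inside the negated range matches no rule and falls through to the default grant, so the closing deny rule is what actually blocks it.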