Access Permissions Using DAF Groups and DAFAUTH.INI

For an overview of this new feature, please read this.

The "DAF File Access Controller" is available as of DAF, release 3.5.

• Add groups information to your users
• Set access permissions for files and directories
• Sample DAFAUTH.INI files

Very Important!

• The DAF File Access Controller will NEVER override NT Permissions for a file or a directory. In other words, if access to a file or a directory is denied by NT permission, setting permissions through the DAF File Access Controller will be useless.
• Before you try to set permission through the DAF File Access Controller I strongly recommend to make sure your files and directories are accessible regarding NT permissions. A good idea is to set NT permission "read" for "Everyone."
• With IIS 4.0, DAF needs (for internal use only) to access an NTFS formatted disk drive. As long as DAF can find an NTFS formatted drive, the "File Access Controller" should work even if DAF35x.DLL, IIS and web directories are on an FAT formatted drive.

1. Add groups information to your users

With an ODBC data source:

The groups information for each web user must be stored in an extra SQL column.

Define column name:

With DAF Configuration Tool 3.5 (and newer) this information must be defined in "ODBC Settings/IP Address & Tables & Fields" in "DAF Groups."

Add groups information to one or several web users in the database:

With you regular database client tool, choose a web user and add groups information in the new column.

A user can belong to several groups. In this case they should be separated by a SEMICOLON, for example: "grp1;grp2;grp3;"

It is possible to leave blank the fields <NT user name> and <NT user password>; in this case, the default IIS user (IUSR_SEVERNAME) will be used.

With a TEXT data source:

With a TEXT database the group information must be defined in each user's line.

The format is:

<web user name>:<web user password>,<NT user name>:<NT user password>#<groups information>@<YYYY-MM-DD>

The following example creates the web user "Thomas" with these properties:

- web password: pass
- NT user mapped: john
- NT password mapped: goodboy
- belongs to DAF groups: "grp1","grp2"and "grp3"
- account expiration date: 1998-10-20

------------------------------------------------------------------------

thomas:pass,john:goodboy#grp1;grp2;grp3;@1998-10-20

------------------------------------------------------------------------

It is possible to leave blank the fields <NT user name> and <NT user password>. In this case, the default IIS user (IUSR_SEVERNAME) will be used.

More information on Text data source

2. Set access permissions for files and directories

Several options described here are available only as of DAF release 3.5 beta 4.

Permissions managed by the DAF File Access Controller must be defined in a simple text file called DAFAUTH.INI copied in each directory for protection. Each DAFAUTH.INI file manages permission for every file under this same directory, the general syntax is:

[<section name1>]
<entry1>=enable or disable
<entry2>=enable or disable
.
.

[<section name2>]
<entry1>=enable or disable
<entry2>=enable or disable
.
.

• <section name> can be one of the following:

Section [PreAuthentication]:
This section is read first, before any other section.

Section [Directory]:
This section defines the default permission for every file in the directory for which no specific permissions are defined in DAFAUTH.INI.

Section [<file name>]:
This section defines permissions for the file <file name>.

• <entry> can be one of the following:

<Group name>:
Any DAF groups defined in a DAF user list.

everybody:
All WEB users.

NTAccount:
WEB User not found in a DAF database and forwarded to NT.

DAFAccount:
WEB User found in a DAF database.

anonymous:
Anonymous WEB user.

authenticated:
Authenticated WEB user.

default:
Last entry called for the current section.

Sequence used to grant or deny access to a file or directory:

• If there IS NOT a file DAFAUTH.INI in the directory:

Access is GRANTED for every request for every group.

• If there IS a file DAFAUTH.INI in the directory:

• The search stops after the first explicit right (enable or disable) was found.
• The order in which sections and entries are written in DAFAUTH.INI does not make any difference.
• If no explicit right (enable or disable) is found, access is denied.

Order followed to search for rights:

 

1. Section [PreAuthentication],
2. Section [<file requested by the WEB user>] (The long file name must be used.)
3. Section [Directory]

For each section, entries are sought in the following order:

 

1. Everybody
2. Anonymous
3. Authenticated
4. Groups which belong to the WEB user
5. .
6. .
7. NTAccount or DAFAccount
8. Default

3. Sample DAFAUTH.INI files

In most cases, there are several ways to setup a unique access configuration for a directory.
The following samples show only one of them for each configuration.

• In a public directory, access to NEWS.HTM is granted for DAF group "grp1" only, access to other files are free:

------------- begin file DAFAUTH.INI ---------------

[NEWS.HTM]
grp1 = enable
default = disable

[Directory]
everybody = enable

------------- end file DAFAUTH.INI -----------------

• In a protected directory, access to NEWS.HTM is free, access to other files is limited to group "grp1":

------------- begin file DAFAUTH.INI ---------------

[NEWS.HTM]
everybody = enable

[Directory]
grp1 = enable

------------- end file DAFAUTH.INI -----------------

 

• For all files in the directory, access is granted to any authenticated users, and denied to all anonymous users:

------------- begin file DAFAUTH.INI ---------------

[PreAuthentication]
Anonymous=disable
Authenticated=enable

------------- end file DAFAUTH.INI -----------------

 

• Access to all files in the directory is granted to group "grp1" and NT forwarded users:

------------- begin file DAFAUTH.INI ---------------

[PreAuthentication]
grp1=enable
NTAccount=enable

------------- end file DAFAUTH.INI -----------------

 

• For all files in the directory, access is granted to anonymous users only, and denied to all authenticated  users:

------------- begin file DAFAUTH.INI ---------------

[PreAuthentication]
Anonymous=enable

------------- end file DAFAUTH.INI -----------------

 

• For all files in the directory, access is granted to any forwarded NT users, and denied to all other users:

------------- begin file DAFAUTH.INI ---------------

[PreAuthentication]
NTAccount=enable

------------- end file DAFAUTH.INI -----------------

 

• For all files in the directory, access is denied to any forwarded NT users and anonymous users; but granted to DAF users:

------------- begin file DAFAUTH.INI ---------------

[PreAuthentication]
DAFAccount=enable

------------- end file DAFAUTH.INI -----------------

 

• Access to "GOLD.HTM" is granted to only group "goldgroup."
• 
  Access to all files (except GOLD.HTM) is granted to group "members."
  Anonymous users can access only REGISTER.HTM:

------------- begin file DAFAUTH.INI ---------------

[register.htm]
everybody=enable

[gold.htm]
goldgrp=enable

[Directory]
members=enable

------------- end file DAFAUTH.INI -----------------

Last update: Thursday, August 31, 2000 07:12