Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

File Server ACLs

resplin
Elite Collaborator
Elite Collaborator
‎06-05-2015 07:40 PM

Obsolete Pages{{Obsolete}}

The official documentation is at: http://docs.alfresco.com



Authorization
The filesystems that are configured in the file-servers.xml file can have access controls applied to restrict access to read, read/write, or no access. The access control blocks can be specified on a per filesystem basis or globally to be applied to all filesystems, or filesystems that do not have their own set of access controls.

The simplest access control block for a filesystem can be used to set the default access :-

 <accessControl default='Read|Write'/>

When the access control block has any rules defined, the default access may also be specified as None. If an SMB/CIFS client is granted None access to a filesystem, then that filesystem will not appear in the browse list of available shares for that client.

The access control block may contain a number of rules that allow or disallow a particular client access to the filesystem. The rules are processed such that the client receives the highest access level.

The following rules are available :-


  • <user name='...' access='Read|Write|None'/>

If the user matches name then grant them access access to the filesystem.


  • <protocol type='SMB|CIFS|FTP' access='Read|Write|None'/>

Grant access depending on the protocol being used to access the filesystem.


  • <address subnet='n.n.n.n' mask='n.n.n.n' access='Read|Write|None'/>

Grant access depending on the client TCP/IP address.


  • <address ip='n.n.n.n' access='Read|Write|None'/>

Grant access to the specified TCP/IP address.


  • <domain name='...' access='Read|Write|None'/>

Grant access to SMB/CIFS clients from the specified domain.

A global access control block may be specified within the Filesystem Security section of the file-servers.xml configuration file. The global access controls are applied to all filesystems that do not have their own specific access controls. Here is an example :-

<globalAccessControl default='None'>
 <user name='admin' access='Write'/>
 <address ip='90.1.0.90' access='Write'/>
</globalAccessControl>

Some sample access control configurations. The first sample makes a filesystem read-only :-

<filesystem name='Alfresco'>
 <store>workspace://SpacesStore</store>
 <rootPath>/app:company_home</rootPath>
 <accessControl default='Read'/>
</filesystem>

The next sample only allows read access to clients in the 90.1.x.x subnet with the admin user being allowed write access :-

<filesystem name='Alfresco'>
 <store>workspace://SpacesStore</store>
 <rootPath>/app:company_home</rootPath>
 <accessControl default='None'>
  <address subnet='90.1.0.0' mask='90.1.255.255' access='Read'/>
  <user name='admin' access='Write'/>
 </accessControl>
</filesystem>

The following sample allows read access for SMB/CIFS with the admin user being allowed write access, but FTP access is not allowed :-

<filesystem name='Alfresco'>
 <store>workspace://SpacesStore</store>
 <rootPath>/app:company_home</rootPath>
 <accessControl default='None'>
  <protocol type='CIFS' access='Write'/>
  <user name='admin' access='Write'/>
 </accessControl>
</filesystem>

Back to Server Configuration

0 Kudos
Copyright © 2025 Khoros, LLC