Access Control
Access control allows for coarse to fine-grained control over which users may access the system and which content will be available to them. It is a framework for managing and controlling user identities and configuring access policies based on user authentication and specific permissions.
The whole access control setup is divided into three parts:
Connect – This is where the connection to an external identity management system (IDSYS) is set up. This system defines the users and groups that may access the system.
Configure – This is where the access policies are defined, allowing or denying access to users.
View – An overview of the setup to ensure everything is correct before the settings are applied to the system. If any changes are still required, it links to the specific step where they are made.
View
View is the default page when Access Control is opened. Until changes are applied, it shows the original IDSYS and access policy settings.
The View page provides an overview of the whole access control setup.
An edit icon is provided with each section. On click, it leads to the specific page to make the required changes.
Click View JSON to view the global JSON.
Connect
To view or edit an existing IDSYS connection to the server, refer to the following steps:
Go to Dashboard > User Drop-down > Settings.
By default, Connect is selected from the left pane. This page contains the existing IDSYS connection details.
Click the edit icon to edit specific connection details.
Basic Details
This section controls which type of identity management system will be used, and allows entry of a human-friendly name and description of the connection.
Caution
Changing the Connection Type will clear all values on subsequent steps.
Enter a name and optionally a description for the connection to the identity management system.
Select the preferred connection type, either Active Directory or LDAP. Switching between connection types prompts a pop-up:
Upon clicking Update, all values on subsequent steps will be reset.
If there is no change in the IDSYS type, click Save and Continue.
Active Directory
For AD server connection:
Host – Either an IP address or hostname of the Active Directory server.
Port – Port the AD service is running on.
Admin DN – DN used to bind to the AD server for queries.
Admin Password – Password for the Admin DN user.
Click Save and Continue.
Enter user and group details as defined within Active Directory:
User Base – DN where users are defined.
UID Attribute – Attribute name containing the user's ID. Example: "sAMAccountName" for Active Directory.
User Filter – Filter for user objects. Example: objectclass=account
Group Base – DN where groups are defined.
Group Member UID – Group attribute whose values contain the UID of the member.
Click Save and Continue to proceed to Token Admin settings.
LDAP
For LDAP connection:
Host – Either an IP address or hostname of the LDAP server.
Port – Port number the LDAP server is running on.
Admin DN – DN used to bind to the LDAP server for queries.
Admin Password – Password for the Admin DN user.
Click Save and Continue.
Enter the user and group details defined within the LDAP directory.
User Base – DN where users are defined.
UID Attribute – Attribute name that contains the user's ID. Example: "uid" for OpenLDAP and ApacheDS.
User Filter – Filter for user objects. Example: "objectclass=account"
Group Base – DN where groups are defined.
Group Member UID Attribute – Group attribute whose values contain the UID of the member. Example: "memberUid" if OpenLDAP is configured for groups with objectclass=posixgroup.
Click Save and Continue to proceed to Token Admin settings.
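The following is an added example, not the gateway's own code, showing how the Active Directory and LDAP fields above fit together and how to check them against the directory before clicking Save and Continue. It assumes a user lookup combines User Filter with UID Attribute = username (the host, port, admin DN and base DNs are constructed) and escapes the username so a login name cannot change the filter's structure.

```python
import shlex

# Constructed settings mirroring the Connect page fields, using the page's
# OpenLDAP examples (uid, objectclass=account, memberUid) and made-up DNs.
OPENLDAP = {
    "host": "ldap.corp.example", "port": 389,          # constructed
    "admin_dn": "cn=admin,dc=corp,dc=example",          # constructed
    "user_base": "ou=People,dc=corp,dc=example",       # constructed
    "uid_attribute": "uid",
    "user_filter": "objectclass=account",
    "group_base": "ou=Groups,dc=corp,dc=example",      # constructed
    "group_member_uid": "memberUid",
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username typed at login cannot alter the
    filter structure (LDAP filter injection when values are pasted raw)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def normalize_filter(user_filter: str) -> str:
    """The page writes the filter as objectclass=account; LDAP needs parentheses."""
    f = user_filter.strip()
    return f if f.startswith("(") else f"({f})"

def user_search_filter(s: dict, username: str) -> str:
    """User Filter AND <UID Attribute>=<username> (assumed lookup shape)."""
    return (f"(&{normalize_filter(s['user_filter'])}"
            f"({s['uid_attribute']}={escape_filter_value(username)}))")

def group_search_filter(s: dict, username: str) -> str:
    """Groups whose Group Member UID attribute lists the user's UID."""
    return f"({s['group_member_uid']}={escape_filter_value(username)})"

def preflight_commands(s: dict, username: str) -> list:
    """ldapsearch invocations to run by hand before saving the connection:
    the first must return exactly one entry, the second the expected groups."""
    base_cmd = ["ldapsearch", "-LLL", "-H", f"ldap://{s['host']}:{s['port']}",
                "-D", s["admin_dn"], "-W"]
    user = base_cmd + ["-b", s["user_base"], user_search_filter(s, username),
                       s["uid_attribute"]]
    group = base_cmd + ["-b", s["group_base"], group_search_filter(s, username), "cn"]
    return [" ".join(shlex.quote(a) for a in cmd) for cmd in (user, group)]
```

For Active Directory, swap the UID attribute for sAMAccountName; if the user query returns zero or several entries, the User Base, User Filter or UID Attribute needs correcting before the settings are committed.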
Token Administrator
Enter the username for the token administrator. This is the user who has access to manage tokens belonging to other users.
If there are no further changes in the IDSYS configuration and you want to go to the summary page, click Skip to Summary. Else, click Next: Configure to continue with the configuration. Please refer to steps 4 onwards in Configure.
Viewing IDSYS JSON
Click Switch to JSON to view the JSON definition used for the IDSYS connection. The same page also provides an option to switch back to the UI.
Caution
Do not edit JSON unless instructed to do so by DataCore Support Team.
Configure
Initial Configuration of Access Control Policy
When configuring an access control policy, validate that it has correct privileges. Failure to do so may result in a complete lock-out of user access. Define an initial rule that grants administrative access to specific users and/or groups. Beyond that, basic access may be granted similarly.
Initial Administrator Access
This access is essential to ensure that an administrator has access to the system at all times.
Remove any rules from the default access control policy.
Click Add Policy to create the first rule.
Choose Custom.
Template/Basic Details:
Give the new rule a descriptive name.
Choose the Full Access for Users template.
Click Next: Principal.
Principal
Un-select All Users.
Select Selected Users/Groups.
Specify which users and/or groups should have administrative access.
Click Next: Actions.
Actions
Ensure Allow All is selected.
Click Complete.
The rule should now be present in the access control policy rule list. Click Next: Summary to continue.
Review the settings for Connect and Configure. Once done, click Update to commit the changes.
Granting Access to Users
The simplest way to grant resources to users is to create buckets as an administrator and update the owner to the desired user.
Create Access Rule
From the Dashboard, choose Settings in the user drop-down menu.
Click Configure from the left menu pane.
Click Add Policy to add a new rule.
Choose Custom.
Basic Details/Template.
Give the rule a descriptive name.
Choose the Custom template.
Click Next: Principal.
Principal
Verify that All Users and/or All Groups are selected.
Click Next: Actions.
Actions
Verify that Allow Select is selected.
Select the following actions (including under the Advanced section):
Inspect domain
Inspect bucket
Inspect quota
Click Complete.
Review the change and click Update to commit the change.
Changes to policy will take effect approximately 60 seconds after they are committed.
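As an added example (not the gateway's policy format or its own code), the following models the rules produced by the Initial Administrator Access and Create Access Rule procedures above and checks, before Update is clicked, that an administrator keeps Allow All and that no rule hands Allow All to everyone. It assumes rules only grant, that a user receives the union of the actions from every rule whose principal matches them, and that All Groups matches any user belonging to at least one group.

```python
# Rule model mirroring the Configure page's choices (assumption, not the
# gateway's schema): principal is "All Users", "All Groups", or a dict of
# selected users/groups; actions is ALLOW_ALL or the list from Allow Select.
ALLOW_ALL = "Allow All"
BASIC_ACTIONS = {"Inspect domain", "Inspect bucket", "Inspect quota"}

def principal_matches(principal, user, groups) -> bool:
    if principal == "All Users":
        return True
    if principal == "All Groups":           # assumed: any group member
        return bool(groups)
    # Selected Users/Groups: explicit names chosen in the Principal step
    return (user in principal.get("users", ())
            or bool(set(groups) & set(principal.get("groups", ()))))

def allowed_actions(rules, user, groups):
    """ALLOW_ALL if any matching rule allows all, else the union of actions."""
    allowed = set()
    for rule in rules:
        if not principal_matches(rule["principal"], user, groups):
            continue
        if rule["actions"] == ALLOW_ALL:
            return ALLOW_ALL
        allowed |= set(rule["actions"])
    return allowed

def lockout_problems(rules, admin_user, admin_groups) -> list:
    """Findings that should block Update: admin loses full access, or a
    rule grants full access to every user (the opposite failure)."""
    problems = []
    if allowed_actions(rules, admin_user, admin_groups) != ALLOW_ALL:
        problems.append(f"{admin_user} would not retain Allow All")
    for rule in rules:
        if rule["actions"] == ALLOW_ALL and rule["principal"] in ("All Users", "All Groups"):
            problems.append(f"rule {rule['name']!r} grants Allow All to everyone")
    return problems

# Constructed policy following the two procedures on this page.
POLICY = [
    {"name": "Administrators",
     "principal": {"users": ["admin"], "groups": ["swarm-admins"]},
     "actions": ALLOW_ALL},
    {"name": "Basic access", "principal": "All Users",
     "actions": sorted(BASIC_ACTIONS)},
]
```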
Provision Buckets
Repeat these steps for any buckets to be given to content users.
From the Dashboard, click Manage Content. This will open the Content Portal in a new tab.
In the Content Portal, create a new bucket.
Click on the bucket name in the list to open the bucket.
In the upper right, open the “cog” menu and choose Properties.
Change the name of the owner to the desired user.
Click Save to commit the change.
The user should now have access to browse and manage all aspects of the bucket.
For more advanced access control policy, see Gateway Access Control Policies.
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.