Web Interface Security: Limiting User Access to Certain Files

By default, any user who has a login for a Job can browse the entire Job from the web interface. In some situations, however, it may be necessary to restrict which folders are available to which users.

When a user with read-only access views a Job through the web interface, the browser will display one of the following:

This file must be named index.htm. Other file names, such as index.html, will not work.

Because a user without full access is shown the contents of index.htm whenever such a file exists in a folder, the Web interface can be used to restrict read-only access to specific folders.

To limit user access to certain files

  1. Make sure the Job's folder does not yet contain a file named index.htm. You will add this file later.

  2. Create a new user. Ensure the Full Access check box is cleared.

  3. Log in to the Vault as the user you just created:

    1. In a Web browser, navigate to the Vault address http://server:port. For example, if the Vault is on the local computer with the default port, type http://localhost:80. The login page appears.

    2. Click Login to the Web interface. The login page appears.

    3. Type the Job name and the user name and password for the new read-only user, then click Login. The File Retrieval page appears.

    4. Next to Path, above Deleted Items, click root. This expands the URL in the browser's Address field.

    5. Append the path to the top-most subdirectory to which you want the user to have access. This should be in the form of subdirectory1/subdirectory2/subdirectory3. Provide this URL to those who need access to the directory.

  4. Put the index.htm file in the Job folder's root and in any other subdirectory you want restricted.

Your users do not need to know their username or password, because this information is encoded in the URL. If they click LEVEL UP at the topmost directory to which they have access, or attempt to view the Job's root level, they will see only the index.htm file of the directory they are attempting to access.

Restricting users to certain folders in a Job can only be implemented for users without full (read/write) access to the Job, and it can only be done through the Web interface. Users with read/write permissions, or with access to a computer that has an Agent connected to the Job, will be able to browse the entire Job. Even users who have only read-only access and use the Web interface can navigate the full directory structure, if they know it, by manually editing the URL. They will be able to see any file whose name they know, as well as the contents of any directory that does not have an index.htm file.
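
Because any directory without an index.htm file exposes its contents, it is worth checking the Job folder after setting this up. The Python script below is an added example, not part of the product or its documentation; the folder names, the function names and the case-sensitive match on the file name are assumptions.

```python
import os
import tempfile

REQUIRED = "index.htm"  # per the page, index.html and other names do not work

def audit_job_tree(job_root, shared):
    """Return (unprotected, misnamed) folder lists, relative to job_root.

    shared: subtrees deliberately handed to read-only users, written in the
    page's subdirectory1/subdirectory2 form; they are skipped entirely.
    """
    shared = [tuple(s.strip("/").split("/")) for s in shared]
    unprotected, misnamed = [], []
    for cur, dirs, files in os.walk(job_root):
        rel = os.path.relpath(cur, job_root)
        parts = () if rel == "." else tuple(rel.split(os.sep))
        if any(parts[:len(s)] == s for s in shared):
            dirs[:] = []              # meant to be browsable: do not descend
            continue
        dirs.sort()                   # deterministic report order
        if REQUIRED in files:         # assumption: exact, case-sensitive match
            continue
        label = "/".join(parts) or "(root)"
        unprotected.append(label)     # folder contents would be listed
        if any(f.lower().startswith("index.") for f in files):
            misnamed.append(label)    # an index file exists, wrong name
    return unprotected, misnamed

def build_sample_job(root):
    """Create a constructed sample Job folder; every name here is made up."""
    layout = {
        "": ["index.htm"],
        "clients": ["index.htm"],
        "clients/acme": ["index.html"],            # wrong file name
        "clients/acme/reports": ["q1.pdf"],        # the shared subtree
        "clients/other": ["contract.pdf"],         # no index file at all
        "hr": ["index.htm", "salaries.xls"],
    }
    for rel, names in layout.items():
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder, exist_ok=True)
        for name in names:
            open(os.path.join(folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as job:
        build_sample_job(job)
        exposed, wrong_name = audit_job_tree(job, ["clients/acme/reports"])
        print("no index.htm:", exposed)
        print("misnamed index file:", wrong_name)
```

A clean report covers directory listings only: a file whose name is known remains viewable, as described above.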