Extended Security Control

Extended Security Control v11

Extended Security Control provides administrators with more fine-grained central control of the features accessible for users in the client and web interface. It is possible to centrally disable certain features for clients, e.g. permission to change preferences or creating new folders. These settings are saved per-user.

To enable Extended Security Control click on Preferences > Security > User Account Security as an admin and enable the checkbox on the Enable Extended Security Control option.Enable Extended Security Control

 Extended Security Control can also be enabled in the PowerFolder Server Configuration File.

Changes when enabling Extended Security Control

Adds new options to user account preferences in the web interface to control permissions in PowerFolder Clients:

• Change preferences
• Change transfer mode
• Create folders
• Remove folders

Removes folders on the local computer if permission to the folder is revoked for the specific user account (remote deletion / remote wipe).

Security Control	Role	Displayed User-Action	Remove Permission		Delete Folder				Description
			Own	Other Member	Online	Own		Other Member
						Local Device	Other Devices	All Devices
Default	Member	Leave folder				/*			Folder will be left online, the member will not be able to access the online backup of the folder. Files on other Devices won't be affected. Other Users won't be affected.
	FolderAdmin/ Owner	Delete folder				/*			Folder will be deleted online. This affects all Users. Local folders and other Devices won't be affected.
Extendend	Member	Leave folder				/*			Folder will be left online, the member will not be able to access the online backup of the folder. Files on other Devices will also be deleted. Other Users won't be affected.
	FolderAdmin/ Owner	Delete folder				/*			Folder will be deleted online and on all other Devices. Folder can't be restored anymore. This affects all Users.

* Local folder can be deleted by checking the "Remove archived files and meta-data"-checkbox within the "Stop Sync"-dialogue, not deleted local folders won't be affected by the "Leave/Delete folder"-action.

Adds the possibility to set a Valid from date in the user account preferences in the web interface. Access is being denied before the set date.

Automatic assignment of permissions and quotas by domain name

The GWDG (Gesellschaft für wissenschaftliche Datenverarbeitung Göttingen mbH) created scripts to automatically assign Extended Security Control permissions and quotas to users during their first login and based on the domain name. The script makes use of the Login Callback and Accounts API. The script is written for usage on Linux servers. For Windows we currently provide no example script. Please check the our API documentation for calls you can use in a batch script on Windows servers.

Download: powerfolder-login-callback-gwdg_20140324.tar.gz

 The script itself is licensed under the under the Apache License, Version 2.0 (see http://www.apache.org/licenses/LICENSE-2.0). In the future it will be hosted via a GitHub repository on the GWDG servers.  Thanks to Tibor Kalman and Benedikt Wegmann for providing us with that script!

 Please note: Though we tested this script and it already works properly for the GWDG, we can give no guarantee that it also works properly in your case as it is still under development and may be subject to changes!

To use the script, please follow the steps below:

1. Download and extract the script to a suitable location. Usually it is placed under the home directory of the user running the PowerFolder Server, e.g. /home/powerfolder/login-callback. If you are placing it in a different path, please make sure you change the PROGDIR variable in the powerfolder-tibor-login.sh script:

   powerfolder-tibor.login.sh

   PROGDIR="/home/powerfolder/login-callback"

2. Change the variables PFSADMIN, PFSPASS and PFSURL in the scripts powerfolder-tibor-permission.sh and powerfolder-tibor-quota.shto match the admin account and password as well as the URL to your servers web interface.

   powerfolder-tibor-permission.sh / powerfolder-tibor-quota.sh

   PFSADMIN="admin"
   PFSPASS="password"
   PFSURL="http://localhost:8080"

3. To set permissions and quotas you first have to create a realm and assign domains with regular expressions in the file gwdg_realm2policygroupto them.

   gwdg_realm2policygroup example

   # Creating realm 'group1' for internal users and realm 'group2' for users from a different company. Others will end up in the "nothing" policy defined in the gwdg_policy2attribute file.
   group1	^example\.com$|\.example\.com$
   group2	^powerfolder\.com$|\.powerfolder\.com$

4. Now we assign permissions and quotas in the file gwdg_policy2attributeto the realms. The realm "nothing" is used, when no matching domain has been found.

   gwdg_policy2attribute example

   ###
   ### Group 1 (internal users)
   ###
   group1	quota=2
   group1	FolderCreate=yes
   group1	FolderRemove=yes
   group1	ChangePreferences=yes
   ###
   ### Group 2 (users from a different company)
   ###
   group2	quota=1
   group2	FolderCreate=yes
   group2	FolderRemove=yes
   group2	ChangePreferences=no
   ###
   ### Others (users not matching a realm)
   ###
   nothing		quota=0
   nothing		FolderCreate=no
   nothing		FolderRemove=no
   nothing		ChangePreferences=yes

5. Last step will be to invoke the script when a user logs into the server via a client of web interface. Please add the entry below to the Server Configuration File and restart PowerFolder Server after that.

   PowerFolder.config Server Configuration File

   login.script=/home/powerfolder/login-callback/powerfolder-tibor-login.sh