Extended Security Control
Extended Security Control v14 Picasso
Please note that Extended Security Control is implemented in v14, but we are planning to deactivate it in the future, e.g. from v14.9 onwards. If you are using the Extended Security Control feature in v14, you as administrator can control that your users are not allowed to create folders locally in the client or in the web, restricting them to working with the existing folders instead of new ones. Moreover, after turning it on, users are unable to change the desktop client preferences and cannot customize the client as they wish.
Extended Security Control can be found under Server Preferences > Security > User Account Security > Enable Extended Security Control. To turn it on, simply check the option; the service will restart automatically after the change.
Extended Security Control v11
Extended Security Control provides administrators with more fine-grained central control of the features accessible for users in the client and web interface. It is possible to centrally disable certain features for clients, e.g. permission to change preferences or creating new folders. These settings are saved per-user.
To enable Extended Security Control, click on Preferences > Security > User Account Security as an admin and enable the checkbox for the Enable Extended Security Control option.
Extended Security Control can also be enabled in the PowerFolder Server Configuration File.
Changes when enabling Extended Security Control
Adds new options to user account preferences in the web interface to control permissions in PowerFolder Clients:
- Change preferences
- Change transfer mode
- Create folders
- Remove folders
Removes folders on the local computer if permission to the folder is revoked for the specific user account (remote deletion / remote wipe).
Security Control | Role | Displayed User-Action | Description
---|---|---|---
Default | Member | Leave folder* | Folder will be left online; the member will no longer be able to access the online backup of the folder. Files on other devices won't be affected. Other users won't be affected.
Default | FolderAdmin / Owner | Delete folder* | Folder will be deleted online. This affects all users. Local folders and other devices won't be affected.
Extended | Member | Leave folder* | Folder will be left online; the member will no longer be able to access the online backup of the folder. Files on other devices will also be deleted. Other users won't be affected.
Extended | FolderAdmin / Owner | Delete folder* | Folder will be deleted online and on all other devices. The folder can't be restored anymore. This affects all users.
* The local folder can be deleted by checking the "Remove archived files and meta-data" checkbox in the "Stop Sync" dialogue; local folders that are not deleted won't be affected by the "Leave/Delete folder" action.
Adds the possibility to set a "Valid from" date in the user account preferences in the web interface. Access is denied before the set date.
Automatic assignment of permissions and quotas by domain name
The GWDG (Gesellschaft für wissenschaftliche Datenverarbeitung Göttingen mbH) created scripts that automatically assign Extended Security Control permissions and quotas to users during their first login, based on the domain name of the user. The script makes use of the Login Callback and the Accounts API. The script is written for use on Linux servers. For Windows we currently provide no example script; please check our API documentation for calls you can use in a batch script on Windows servers.
Download: powerfolder-login-callback-gwdg_20140324.tar.gz
The script itself is licensed under the Apache License, Version 2.0 (see http://www.apache.org/licenses/LICENSE-2.0). In the future it will be hosted in a GitHub repository on the GWDG servers. Thanks to Tibor Kalman and Benedikt Wegmann for providing us with that script!
Please note: Though we tested this script and it already works properly for the GWDG, we can give no guarantee that it will also work properly in your case, as it is still under development and may be subject to changes!
To use the script, please follow the steps below:
Download and extract the script to a suitable location. Usually it is placed under the home directory of the user running the PowerFolder Server, e.g. `/home/powerfolder/login-callback`. If you are placing it in a different path, please make sure you change the `PROGDIR` variable in the `powerfolder-tibor-login.sh` script:

powerfolder-tibor-login.sh:
```sh
PROGDIR="/home/powerfolder/login-callback"
```
Change the variables `PFSADMIN`, `PFSPASS` and `PFSURL` in the scripts `powerfolder-tibor-permission.sh` and `powerfolder-tibor-quota.sh` to match the admin account and password as well as the URL of your server's web interface:

powerfolder-tibor-permission.sh / powerfolder-tibor-quota.sh:
```sh
PFSADMIN="admin"
PFSPASS="password"
PFSURL="http://localhost:8080"
```
To set permissions and quotas you first have to create realms in the file `gwdg_realm2policygroup` and assign domains to them with regular expressions:

gwdg_realm2policygroup example:
```
# Creating realm 'group1' for internal users and realm 'group2' for users from a different company.
# Others will end up in the "nothing" policy defined in the gwdg_policy2attribute file.
group1 ^example\.com$|\.example\.com$
group2 ^powerfolder\.com$|\.powerfolder\.com$
```
Now we assign permissions and quotas to the realms in the file `gwdg_policy2attribute`. The realm "nothing" is used when no matching domain has been found:

gwdg_policy2attribute example:
```
###
### Group 1 (internal users)
###
group1 quota=2
group1 FolderCreate=yes
group1 FolderRemove=yes
group1 ChangePreferences=yes
###
### Group 2 (users from a different company)
###
group2 quota=1
group2 FolderCreate=yes
group2 FolderRemove=yes
group2 ChangePreferences=no
###
### Others (users not matching a realm)
###
nothing quota=0
nothing FolderCreate=no
nothing FolderRemove=no
nothing ChangePreferences=yes
```
The last step is to invoke the script when a user logs into the server via a client or the web interface. Please add the entry below to the Server Configuration File and restart the PowerFolder Server afterwards:

PowerFolder.config (Server Configuration File):
```
login.script=/home/powerfolder/login-callback/powerfolder-tibor-login.sh
```
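The realm and policy lookup that the two files above drive, as an added example written for this page rather than taken from the GWDG script: it resolves a login e-mail to a realm by matching the domain against the regular expressions of a gwdg_realm2policygroup-style file, falls back to the "nothing" realm, and reads that realm's attributes from a gwdg_policy2attribute-style file. The function names, the file handling and the sample users are assumptions; both files are constructed inline in the format the page shows.

```shell
#!/bin/sh
# Added example, not the GWDG script: realm resolution and policy lookup for a
# login e-mail. The two files are constructed here in the page's file format.
REALM_FILE=$(mktemp); POLICY_FILE=$(mktemp)
cat >"$REALM_FILE" <<'EOF'
# realm  domain-regex (ERE, alternatives separated by |)
group1 ^example\.com$|\.example\.com$
group2 ^powerfolder\.com$|\.powerfolder\.com$
EOF
cat >"$POLICY_FILE" <<'EOF'
### Group 1 (internal users)
group1 quota=2
group1 FolderCreate=yes
group1 FolderRemove=yes
group1 ChangePreferences=yes
### Others (users not matching a realm)
nothing quota=0
nothing FolderCreate=no
nothing FolderRemove=no
nothing ChangePreferences=yes
EOF

# resolve_realm EMAIL REALM_FILE: prints the first realm whose regex matches the
# lower-cased domain part of EMAIL; prints "nothing" if no line matches or the
# address has no single "@" (so malformed logins get the most restrictive policy).
resolve_realm() {
  domain=$(printf '%s' "$1" | awk -F@ 'NF==2{print tolower($2)}')
  [ -n "$domain" ] || { echo nothing; return; }
  while read -r realm regex; do
    case "$realm" in ''|'#'*) continue;; esac   # skip blank and comment lines
    if printf '%s\n' "$domain" | grep -Eq "$regex"; then
      echo "$realm"; return
    fi
  done <"$2"
  echo nothing
}

# policy_value REALM KEY POLICY_FILE: prints the value of "KEY=..." for REALM
# (empty output if the realm has no such attribute). "###" lines never match.
policy_value() {
  awk -v r="$1" -v k="$2" \
    '$1==r && index($2, k "=")==1 {print substr($2, length(k)+2); exit}' "$3"
}

# Demo when run directly: resolve two constructed logins and print their policy.
for u in alice@example.com dave@fakeexample.com; do
  r=$(resolve_realm "$u" "$REALM_FILE")
  echo "$u -> realm=$r quota=$(policy_value "$r" quota "$POLICY_FILE")" \
       "FolderCreate=$(policy_value "$r" FolderCreate "$POLICY_FILE")"
done
```

Because the patterns are anchored, a sub-domain such as mail.example.com lands in group1 while a look-alike domain such as fakeexample.com falls through to "nothing"; an unanchored pattern like `example\.com` would grant the internal policy to both.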