KBEC-00022 - Restricting logins or access to projects

Beginning with ElectricCommander version 3.7, the information contained in this KB article is superseded by the information available in ElectricCommander online help. To view the updated information, see the Access Control online help topic.

Summary

This article describes how to manage access in ElectricCommander so only a select group of users from within a larger AD/LDAP group or local Commander groups can gain access to projects or create login sessions.

When ElectricCommander is installed at a large company, there may be thousands of users listed in the AD/LDAP system who, by virtue of AD/LDAP inclusion, have access to ElectricCommander. By default, all users are able to log in and to read and execute procedures in any project. This solution describes a way to limit users' Commander access while still providing access to authorized users.

  • The first step is to create a group of authorized users. This can be a local group within ElectricCommander, or it can be a group defined and maintained in the AD/LDAP system. After the group is defined, an access control entry (ACE) is created to grant permissions to this group.
  • For ElectricCommander to work, the projects themselves must have permission to access resources and sometimes (for example, when ElectricSentry is running) to access each other. The next step is to create a group that contains the names of all "project principal" users and to grant permissions to that group. Populating the group can be a manual process, or you can use the automatic procedure described below.
  • The final step is to remove the permission granted to all users by default. All AD/LDAP users will be allowed to log in to ElectricCommander, but they will not have rights to any objects, so they cannot see, modify, or execute anything.

Solution

Create a Commander group of authorized users

  • Create a group using the UI (Administration > Groups > Create Local Group) or using ectool. A reasonable name would be "Authorized Users".
  • Add the names of the authorized users or groups (one per line) to the group. If you don't know a user's AD/LDAP group, the Administration > Users display lists a "Repository", usable as a group entry.
  • Create a new ACE at the Server level (Administration > Server > Server Access Control > Add Group).
    • Enter "Authorized Users" as the group name.
    • Set Read and Execute permissions to "Allow".
    • Set Modify and Change permissions to "Don't Care" (Inherit).

Create a Commander group containing all project principals

  • Create a group using the UI (Administration > Groups > Create Local Group) or using ectool. A reasonable name would be "All Project Principals". Alternatively, you can create a procedure that performs this task automatically, based on the description below.
  • Add the names of each project principal (one per line) to the group. If you don't know a user's AD/LDAP group, the Administration > Users display lists a "Repository", usable as a group entry.
  • Create a new ACE at the Server level (Administration > Server > Server Access Control > Add Group).
    • Enter "All Project Principals" as the group name.
    • Set Read and Execute permissions to "Allow".
    • Set Modify and Change permissions to "Don't Care" (Inherit).

The following procedure places the ACL project restrictions in place automatically.

  • Note: You must code your own admin user password into the script. The password is necessary so the procedure does not leave out any projects for which it lacks Read permission. Because the password is included, you should keep it in a project with restricted access.
Procedure Name: All Project Principals
Step Name: Update Group
Resource: local
Shell: ec-perl
Command(s):

    use strict;
    use warnings;
    use ElectricCommander;

    $| = 1;

    # Connect to the server.
    my $ECommander = ElectricCommander->new();

    # Log in as admin so that the query finds ALL projects, even
    # those with restricted permissions. Replace "changeme" with
    # your own admin password (see the note above).
    InvokeCommander("SuppressResult", "login", "admin", "changeme");

    # Loop over all projects and collect their project principal names.
    my $xPath = InvokeCommander("SuppressResult", "getProjects");
    my $nodeset = $xPath->find('//project');
    my @projectPrincipals;
    foreach my $node ($nodeset->get_nodelist)
    {
        my $projectName = $xPath->findvalue('projectName', $node);
        push (@projectPrincipals, "project: $projectName");
    }

    # Create the "All Project Principals" group if it does not exist
    # (an error is OK because the group may already be there).
    InvokeCommander("SuppressResult IgnoreError", "createGroup",
                    "All Project Principals");

    # Replace the group membership with the current list of principals.
    $xPath = InvokeCommander("SuppressResult", "modifyGroup",
                             "All Project Principals",
                             {"userName" => \@projectPrincipals});

    #-------------------------------------------------------------
    #  Log and Run a Commander Function
    #
    #  Params
    #       optionFlags - "AllowLog" or "SuppressLog" or
    #                     "SuppressResult" combined with
    #                     "IgnoreError"
    #       commanderFunction
    #       Variable Parameters
    #           The parameters required by the Commander function
    #           according to the Perl API (the functions and
    #           parameters are based on "ectool" - see the
    #           ectool PDF file for documentation)
    #
    #  Returns
    #       An xPath with the result.  It will be undefined
    #       if there is an error.
    #-------------------------------------------------------------
    sub InvokeCommander {
        my $optionFlags = shift;
        my $commanderFunction = shift;

        my $bSuppressLog = $optionFlags =~ /SuppressLog/i;
        my $bSuppressResult = $bSuppressLog ||
                              $optionFlags =~ /SuppressResult/i;
        my $bIgnoreError = $optionFlags =~ /IgnoreError/i;

        #  Log and Run the function
        print "Request to Commander: $commanderFunction\n"
               unless ($bSuppressLog);
        $ECommander->abortOnError(0) if $bIgnoreError;
        my $xPath = $ECommander->$commanderFunction(@_);
        $ECommander->abortOnError(1) if $bIgnoreError;

        # Check for error return
        if (!$xPath) {
            my $errMsg = $ECommander->getError();
            if (defined($errMsg) && $errMsg ne "") {
                print($errMsg);
            }
        }
        else {
            print "Return data from Commander:\n" .
                    $xPath->findnodes_as_string("/") . "\n"
                   unless $bSuppressResult;
        }

        # Return the result
        return $xPath;
    }

Remove the default permission for the "Everyone" group

  • Go to Access Control for the Server (Administration > Server > Server Access Control).
  • Find the entry for the group "Everyone" and click "Edit".
  • Change all four permissions to "Don't Care" (Inherit).

Allow selected AD/LDAP groups to log in

  • Find the Server Property Sheet of the System Access Control. Go to: Administration > Server > System Access Control.
  • Click on the "Session" Category.
  • Select "Add Group" then enter the name of the local or AD/LDAP group you want to give login access.
  • Change Read and Execute permissions to "Allow".
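The same lockdown sequence as an ec-perl script, added here as an example and not part of the original article or the product's own procedures. It assumes the Perl API methods createAclEntry and modifyAclEntry mirror the ectool commands of the same name (principal type, principal name, then an option hash with systemObjectName and the four privilege settings), and that createGroup accepts a userName list as modifyGroup does; the group members and the "changeme" password are placeholders.

```perl
use strict;
use warnings;
use ElectricCommander;

$| = 1;

# Connect as an administrator. "changeme" is a placeholder; supply your own
# admin password and keep this script in a restricted project.
my $ec = ElectricCommander->new();
$ec->login("admin", "changeme");

# Assumed names: the group name and its members are constructed for this example.
my $authorized = "Authorized Users";
my @members    = ("alice", "bob", "build-engineers");

# Step 1: create the local group of authorized users. An error is acceptable
# here because the group may already exist.
$ec->abortOnError(0);
$ec->createGroup($authorized, { userName => \@members });
$ec->abortOnError(1);

# Step 2: grant the group Read and Execute at the Server level; Modify and
# Change Permissions stay "Don't Care" (inherit), as in the article.
$ec->createAclEntry("group", $authorized, {
    systemObjectName           => "server",
    readPrivilege              => "allow",
    executePrivilege           => "allow",
    modifyPrivilege            => "inherit",
    changePermissionsPrivilege => "inherit",
});

# Step 3: allow the same group to create login sessions (the "Session"
# category of the System Access Control).
$ec->createAclEntry("group", $authorized, {
    systemObjectName => "session",
    readPrivilege    => "allow",
    executePrivilege => "allow",
});

# Step 4, done last so nobody is locked out before the new grants exist:
# set all four "Everyone" privileges at the Server level to inherit.
$ec->modifyAclEntry("group", "Everyone", {
    systemObjectName           => "server",
    readPrivilege              => "inherit",
    modifyPrivilege            => "inherit",
    executePrivilege           => "inherit",
    changePermissionsPrivilege => "inherit",
});

print "Server access restricted to the '$authorized' group\n";
```

Run it once as the admin user and then confirm with a non-member test account that the account can still log in but sees no projects, and with a member account that it can read and execute projects as before.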