Thursday, February 13, 2014

Restricting Access to an IIS Application Using Authorization Rules


I do not consider this an article about SDL Tridion, since it covers a standard way of restricting access to applications using IIS, but as I have run into this scenario several times in the context of SDL Tridion implementations, I wanted to publish this post in case it is useful for somebody.


Problem to deal with


Many times we want to restrict access to certain applications to a specific user or group of users without changing the security settings inside the application itself.
For example, you do not want every user in the system to be able to open Template Builder, use Content Porter, etc.

You can apply restrictions using:
  •  The Security and Permissions model of SDL Tridion:
    • This security is about access to items and about allowing actions within the CMS (editing, publishing, etc.), not about securing access to applications installed in IIS.
  •  Hiding the access (CMS buttons) to those tools based on the user permissions:
    •  In that case the URLs are still reachable for the user (not a good option either).

Using the following approach you can easily restrict access to the applications using the default authorization feature of IIS.

First things first: understand authentication and authorization

If it is not clear to you what authentication is and what authorization is, please have a look at the following links. In short, authentication establishes who the user is (for example, the Windows identity of the caller), while authorization decides what that identified user is allowed to access.

Choose the applications you want to restrict access to

Before you proceed with any changes, identify the requirements for restricting access.
Example:
  • You want to allow access to Template Builder in a specific environment only for a specific group of users.
  • You want to prevent external clients from calling the Core Service even if those clients connect using a valid CMS user (somebody could write a script that runs a massive update of components in the CMS and accidentally test it in production).
  • You want to prevent certain users/groups from using Content Porter.
Once you have analyzed your security cases, expand the website node in IIS Manager to access the applications.



Authorization Settings

Open the Authorization settings for the application you want to secure.

Authorization Rules

Open the Authorization Rules feature and click Add Deny Rule.


Deny Rules

Add the deny rules based on your criteria (users, groups, etc.).




Some notes:
  • This approach applies when your security is based on Windows Authentication (anonymous access must be disabled for the application, otherwise the rules never see a user identity).
  • Preferably configure groups instead of individual users.
  • The group you configure is a group defined in Windows, not a group defined in SDL Tridion, but the users within this group must also exist as users in SDL Tridion.
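As an added example (not part of the original post), this is the web.config fragment that the IIS Manager Authorization Rules feature writes into one restricted application when you combine a Deny rule with an Allow rule. The Windows group names CORP\TridionTemplateDevelopers and CORP\ExternalContractors are placeholders; substitute your own groups.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: web.config of one restricted IIS application
     (for instance the Template Builder virtual directory).
     The Windows group names below are placeholders, not real groups. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Drop the "Allow all users" rule inherited from applicationHost.config;
             otherwise every authenticated Windows user would still get in. -->
        <remove users="*" roles="" verbs="" />

        <!-- Deny rule (what "Add Deny Rule" creates): members of this Windows
             group are refused, even if they are also members of the allowed
             group below. It is listed first so the result does not depend on
             rule ordering. -->
        <add accessType="Deny" roles="CORP\ExternalContractors" />

        <!-- Allow rule: only this Windows group may open the application.
             A user who matches no rule at all is denied. -->
        <add accessType="Allow" roles="CORP\TridionTemplateDevelopers" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

This requires the URL Authorization role service to be installed and, as the notes above say, Windows Authentication enabled with Anonymous Authentication disabled on that application, because the rules are matched against the authenticated Windows identity. To verify the change, open the application once as a member of the allowed group (it loads) and once as a user outside it (IIS answers with HTTP 401); the same web.config can be kept in source control so the restriction is reproduced on every environment instead of being clicked in by hand.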


