I do not consider this an article related to SDL Tridion, as covers an standard way of restrict access to applications using IIS, but as I have run into this scenario several times already in the context of a SDL Tridion implementation, I wanted to publish this post as maybe is interesting for somebody.
Problem to deal with
Many times we want to restrict the access to several applications to a certain users or a group of users without changing the security settings in an application.
For example, you do not want all the users in the system to be able to open Template Builder, Use Content Porter, etc...
You can apply restrictions using:
- Security and Permissions model of SDL Tridion:
- This security is more related to access items, allow actions within the CMS (As Editing, Publishing, etc...), not for secure access to applications installed in IIS
- Hide the access (CMS Buttons) to those tools based on the user permissions:
- In that case the urls are still reachable for the user (Neither a good option)
Using the following approach you can easy restrict access to the applications using the default feature for authorization in IIS.
First thing first: Understand Authentication and Authorization
If is not clear for you what is Authentication and what is Authorization, please have a look at the following links:
Authentication: http://en.wikipedia.org/wiki/Authentication
Authorization: http://en.wikipedia.org/wiki/Authorization
Choose the applications you want to restrict access
Before you proceed with any changes, identify which are the requirements for restrict access.
Example:
- You want to allow access to Template Builder in an specific environment only for a specific group of users.
- You want to avoid external clients calling the Core Service even if those clients connect using a valid user within the CMS (Somebody could just create an script that runs a massive update of components in the CMS and test in production accidentally).
- You want to avoid certain users/groups using Content Porter
Once you have analyzed your security cases, you expand the Website Node to access the Applications
Authorization Settings
You can access the Authorization Settings for the application you want to secure
Authorization Rules
Open the Authorization Rules Feature and click in Add Deny Rule
Deny Rules
Add the Deny Rules based on your criteria (Based on users, groups, etc...)
Some notes:
- This approach is used when your security is based on Windows Authentication
- Preferably set groups instead users
- The Group you configure is a Group defined in Windows, not a group defined in SDL Tridion, but the users within this group must be created in SDL Tridion also
No comments:
Post a Comment