An Example of ColdFusion Studio Security

This example shows you how to limit ColdFusion Studio access to a specific set of files and/or data sources on a remote server based on username/password authentication.

For this example, assume you are responsible for two development groups, Mars and Venus. Each group needs separate access rules for the source files and data sources for its current projects. To provide this access, you will:

  1. Enable Advanced Security.
  2. Specify a user directory for security authentication.
  3. Add a security context for RDS security.
  4. Specify the file and data source resources to protect.
  5. Add a policy for each group of resources/users that you want to give access to the protected set of resources.
  6. Add to each policy the resources that can be accessed by that policy.
  7. Add to each policy the users or groups you want to have access to the policy resources.
  8. Enable ColdFusion Studio security and associate the RDS security context you created with the ColdFusion Studio security.

The following sections detail these steps.

Enabling Advanced Security

Before you can configure anything, you need to turn on ColdFusion Advanced security.

To enable Advanced Security:

  1. Open the ColdFusion Administrator and click the Advanced Security link.

    You see the Advanced Server Security page.

  2. Select the Use Advanced Server Security check box.

Specifying a User Directory

Once you enable Advanced security, you must select a user directory to use for authenticating users when they try to access files, directories, or data sources from ColdFusion Studio.

To specify a user directory:

  1. In the Advanced Server Security page click the User Directories button. You can specify either LDAP or Windows NT directory services. For an NT user directory, enter the server name in the form: domain_name/server_name.
  2. Enter the server name or a TCP/IP address for the LDAP option. If you specify an LDAP directory you can fill out the Lookup Start field with uid= and the Lookup End field with ,ou=ou_name,o=org_name. If you leave the Lookup fields blank then the ColdFusion Studio User will have to enter their entire distinguished name rather than just their user name.

Defining a security context

The security context is a container for the rules and policies that apply to specific users and groups.

To add a security context:

  1. Open the Advanced Server Security page and click the Security Contexts button.
  2. Enter RDSSecurity as the security context name and click Add.
  3. In the New Security Context page, enter "Mars and Venus development teams" as the description of the security context.
  4. Select the Files and Data Sources check boxes.
  5. Click Add.

Specifying resources to protect

When you add a resource to protect, no one is authorized to access that resource until you give permission by adding the resource to a policy and then adding users and groups to that policy. In this example, we want the Mars team to only have access to the mars_dsn and the Venus team to only have access to the venus_dsn. So you need to add three resources to protect.

To add data sources to the RDSService security context:

  1. In the Advanced Server Security page, click Resources.

    You see the Resource View page.

  2. If the RDSSecurity context is not already current, select it from the Current Security Context drop-down box.
  3. In the Resource Browser, select DATASOURCE and then click the Add Resource button at the bottom of the page.

    You see the Add Resource dialog.

  4. Enter the * (asterisk) wildcard to protect all data sources and click OK.

    You see the Resource View page again. Now, you'll specify directories to limit access to for each development group.

To add directories to the RDSService security context:

  1. In the Resource Browser, select FILE and then click the Add Resource button at the bottom of the page.

    You see the Add Resource dialog.

  2. Enter c:\ to protect all files on the C:\ drive and click OK.
  3. Repeat steps 1 and 2 to protect the following directories:

    c:\development

    c:\development\mars\*

    c:\development\venus\*

Now that you've explicitly protected all the directories, subdirectories, and files of interest, move on to defining policies.

Adding policies

Now that you've selected the resources to protect, add two policies, one named MARS and one named VENUS. At the bottom of the Resource View page, you see the Policy Editor for the resource you just specified.

To add policies:

  1. Click Add Policy.
  2. Enter MARS as the name for the new policy and click OK.
  3. Write a description of the policy and click OK.

    You see the Resource View page again, showing the policy you just created.

  4. Select all the check boxes to protect all actions.

    Now you can add users to the policy.

Granting access privileges

For the moment, no one is authorized to access any files or data sources in the RDSService security context. All of these resources have been protected with the wildcard rule and no one has been granted permission to access them.

To allow a set of users access to these resources:

  1. From the Policy page, select the MARS policy. From the MARS policy page, click the Rules button. Notice no rules are currently members of the policy.
  2. Click the Add/Remove Button. The rule list is a multi select list so you can select all the rules and add them all at once. For MARS we want to add the following rules:
  3. For VENUS we want to add the following rules:

Notice we did not add any of the wildcard rules named ALL_ , which protect all data sources and files. The policies only have access to the resources explicitly defined in their member rules. The policies now have rules, but users still don't have access. The next step is assigning users and groups to the policies.

Assigning users/groups to policies

The last step in defining security for this example is to add users and groups to the policies you created.

To add users and groups to policies:

  1. From the Policy page select the MARS policy and click the Users button. The Users page indicates that no users are currently assigned to the policy. If you have defined multiple user directories, select the directory in the list box that you want to add users from, and then click the Add/Remove button.
  2. Now you see a list of User Groups and an entry field. To add individual users, enter the name in the entry field and click Add. To add groups, select the group(s) and click Add. For our example, let's assume all the MARS developers are in a MARS group, which you add to the policy. Now all members of this group can access the resources that are members of the MARS policy.
  3. Now do the same for the VENUS directory.

Now each group of users has access to the resources that are members of its policy. If a user is a member of both policies, then she has access to the members of both policies.

Enable ColdFusion Studio Security

The last step is to actually enable Studio Security in the Administrator so that users trying to access ColdFusion Server resources from Studio will be properly authenticated before access is granted.

To enable ColdFusion Studio security:

  1. On the Advanced Security page, select the "Use ColdFusion Studio Authentication" check box.
  2. Select the RDSService security context in the list box.
  3. Select the "Use Security Server Cache" check box on the Advanced Server Security page to improve the performance of the authentication process.

Now when a user authenticates from ColdFusion Studio to this RDS host, the user will only see the data sources and files that they are authorized to see. Users who are not members of either group will not see any data sources or files.

The first time Studio users open the files or data sources, performance will seem slow, depending on how many data sources and files/directories must be checked. However if security server caching is enabled, response will be much quicker the next time remote files or data sources are checked.
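
The access outcome described above can be checked on paper before you click through the Administrator. The following Python model is an added example, not part of ColdFusion or of the original documentation. It assumes glob-style matching, assumes the rule membership of each policy (the rule lists are not shown on this page), and uses constructed user names and a constructed VENUS group.

```python
from fnmatch import fnmatchcase

# Assumed rule membership: the page's rule lists are not shown, so these
# follow its stated goal (each team reaches only its own DSN and directory).
POLICIES = {
    "MARS": {
        "rules": [("DATASOURCE", "mars_dsn"), ("FILE", r"c:\development\mars\*")],
        "groups": {"MARS"}, "users": set(),
    },
    "VENUS": {
        "rules": [("DATASOURCE", "venus_dsn"), ("FILE", r"c:\development\venus\*")],
        "groups": {"VENUS"}, "users": set(),
    },
}

# Constructed directory data (user -> groups); names are hypothetical.
DIRECTORY = {
    "alice": {"MARS"},
    "bob": {"VENUS"},
    "carol": {"MARS", "VENUS"},
    "dave": set(),
}

def policies_for(user):
    """Policies the user holds directly or through a group."""
    groups = DIRECTORY.get(user, set())
    return [name for name, p in POLICIES.items()
            if user in p["users"] or groups & p["groups"]]

def can_access(user, rtype, name):
    """Default deny: allowed only if a policy the user holds has a matching rule."""
    name = name.lower()  # Windows paths compare case-insensitively
    for pol in policies_for(user):
        for rule_type, pattern in POLICIES[pol]["rules"]:
            if rule_type == rtype and fnmatchcase(name, pattern.lower()):
                return True
    return False

def visible(user, resources):
    """Subset of resources the user would see from Studio."""
    return [(t, n) for t, n in resources if can_access(user, t, n)]

# Constructed sample of resources on the RDS host.
SAMPLE = [
    ("DATASOURCE", "mars_dsn"),
    ("DATASOURCE", "venus_dsn"),
    ("FILE", r"c:\development\mars\index.cfm"),
    ("FILE", r"c:\development\venus\index.cfm"),
    ("FILE", r"c:\boot.ini"),
]

if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, visible(user, SAMPLE))
```

A user in neither group gets an empty list, and nobody reaches c:\boot.ini, because no policy carries a rule that matches it.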


