Controlling access to your server

his chapter describes how you can control access to your server. This chapter describes how to:

• Determine you access control requirements

• Understand authentication and access control

• Choose a server model

• Define your tasks and complete those tasks to implement your access control model

If you decide that you do not require access control, you can turn access control off. All users can read discussion groups and post to discussion groups. But only you, the administrator, can manage discussion groups.

Determining your access control requirements

• What type of information will be stored on your server?

• How critical is the privacy of this information to your organization?

• Who requires access to this information? Who does not?

• Will some information be private while other information will be public?

• Will you be sharing information with people outside of your company or organization?

Understanding authentication and access control

Note: You can also limit access to your server or to particular discussion groups on your server by limiting host connections. If you only restrict access by host connections, user authentication is not required. See "Limiting host connections" for more information about limiting host access to your server. See "Controlling access to a discussion group" for more information about limiting host access to a discussion group on your server.

Methods of authentication

• Authentication by basic login requires the user to specify a user name and password. The user name and password are stored in the directory service. Keep in mind that a user can lose, or share, this user name and password. Any user with access to a valid user name and password can log on to your server from any machine (as long as the access control rule does not limit host connections).

• Authentication by certificate provides stricter access control. Only machines with a valid certificate can access your server. Authentication by certificate is available on secure servers only. For more information, see Chapter 6, "Understanding security."

• On your entire server

• On your entire server and on certain discussion groups that reside on your server

• Only on certain discussion groups that reside on your server

Server-level access control. For access control on the entire server, you can require that all users authenticate when they first connect to your server (Access Control|Access Control Options). You can specify further access control on discussion groups by defining access control rules for the discussion group. For more information about access control rules, see Chapter 4, "Controlling access to a discussion group."

Discussion-level access control. For access control on parts of the server only (for example, if only certain discussion groups contain sensitive material), you might not require server authentication, but you would require discussion group authentication. Users are not asked to login until they try to access a discussion group that requires authentication.

Choosing a server model

• Public server

• Private server

• Host-restricted server

• Semi-public server

Private servers

This type of server is useful, for example, as a private company server with field personnel who must connect from remote sites.

Host-restricted servers

Host restriction is the most popular way that Usenet servers are set up to provide more responsible Usenet access to a company, college campus, Internet Service Provider (ISP) customer base, and so on.

Semi-public servers

Defining your tasks

• Enabling access control (By default, access control is on. You only need to enable it if it has been turned off for some reason.)

• Defining the users and user groups who will access your server

• Defining and managing the roles that determine the type of access a user has to a particular discussion group or discussion group hierarchy

• Controlling user access to discussion groups by specifying access control rules (rules map users and user roles to particular discussion groups)

• Delegating discussion group management tasks if appropriate

• Educating your managers about user roles

1. Choose Access Control|Access Control Options.

2. Click the Access Control on button.

3. If you want to require authentication when a user first connects, click the checkbox.

   Authentication on first connect requires that all users must authenticate when they first connect to the server. Authentication on first connect provides added security for your server.

4. If you are running an SSL-enabled server, you must specify one of the following authentication methods by clicking the associated button:
   • Use Basic username/password

   • Use Client certificate

   Note: If you are not running an SSL-enabled server, the only authentication method available is basic user name and password authentication. If you try to select another method, you will get an error message. If you want more information about running an SSL-enabled server, see Chapter 6, "Understanding security."

5. If you want to control access by restricting host connections, click the checkbox Enable host connection control and type the hosts for which you will accept connections. See "Limiting host connections" for more information.

6. If you do not want to resolve IP addresses into hostnames for access control, click the checkbox.

   By clicking this checkbox, you will improve authentication performance. Be aware, however, that 1) you will see only IP addresses in your server reports, and 2) you cannot refer to hostnames when filling out forms, specifying search criteria, and so on.

7. Click OK.

8. Restart your Collabra Server.

Note: When the server is installed, access control is on by default and anyone can read and post to the server. You might want to change the default access rule or grant other roles to users. The easiest way to grant roles to users is by creating user groups and granting roles to the user groups. See "Managing users and user groups" for more information.

Limiting host connections

Limiting host connections is especially useful for granting access to users who are external to your organization's internal network. You can grant access to specific host machines without having to create special user groups for the external organization.

You can also limit host connections within your organization. For example, if you want only members of the Human Resources organization to access certain discussion groups, you can grant access only to the host machines in the Human Resources department; you do not have to create a special user group.

To control host connections to your server:

1. Choose Access Control|Access Control Options.

2. Click the checkbox for Enable host connection control.

3. In the Accept connections from field, type the hosts for which you will accept connections.
   • You can specify hostnames or IP addresses.

   • You can specify all clients by typing an asterisk (*).

   • You can use an asterisk (*) to specify domains, such as *.xyz.com or 123.456.789.*.

   • You can use the exclamation mark (!) to deny access. For example, you can specify no clients by typing !*. You can deny access to host1 by typing !host1.

   Note: If you have specified not to resolve hostnames into IP addresses, you cannot specify a hostname in the Accept connections field; you must specify an IP address. See "Enabling access control" for more information.

4. Click OK.

Managing users and user groups

You manage users and user groups through the administration server interface. From the Netscape Server Administration form, click Users & Groups. For more information, see the administration server online documentation or the printed manual, Managing Netscape Servers.

If you are managing a large number of users, you should create user groups. You can then specify discussion group access to all members of the user group. For example, assume you have the following user groups:

User group	Definition
employees	All employees in your organization
clienteng	All employees in the client development group
servereng	All employees in the server development group

To the employees group, you can grant full access rights to the royal.rec.* discussion group, but deny the group access to the royal.dev.* discussion group.

To the clienteng and servereng groups, you can grant full access rights to the royal.dev.* discussion group.

To manage users and user groups, you perform the following tasks:

• Create users and user groups

• Edit users and user groups

• Remove users and user groups

• List users and user groups

As the server administrator, you are responsible for managing and defining roles. You can choose from a set of predefined roles or you can create new roles and associate permissions with the new role.

By assigning roles to users, you can control access to discussion groups and delegate administration tasks for those groups. For example, you might create the top-level discussion groups that will be used widely throughout your organization. You might choose to delegate, however, management of some of the lower-level discussion groups within your organization.

This section provides information about:

• Viewing currently defined roles

• Defining a new role

• Permissions

• Predefined roles

1. Choose Access Control|Manage Roles.

2. To view the associated permissions, scroll through the associated scroll-down menus.

1. Choose Access Control|Manage Roles.

2. Scroll to Add new Role.

3. In the Role name field, type the name of the role.

4. From the list of permissions, highlight the permissions you want the role to provide. For more information about the permissions, see Table 3.2.

5. Click OK. The role appears in the Currently defined Roles list.

Note: There is no easy way to delete a role, so be careful not to create roles you do not want.

Updating an existing role

1. Choose Access Control|Manage Roles.

2. For the currently defined role you wish to update, highlight the permissions you want the role to provide. For more information about the permissions, see Table 3.2.

3. Click OK to update the role.

Understanding permissions

Understanding the predefined roles

Manager

Daphne can see this entire discussion group hierarchy, manage access of the hierarchy, and delegate administrative tasks associated with other discussion groups within the hierarchy. The tasks associated with the manager role are more thoroughly described in Chapter 4, "Managing discussion groups."

Poster

Reader

Specifying access control rules

You specify access control rules by choosing Discussion Groups|Manage Discussion Groups. For more information, see "Controlling access to a discussion group" in Chapter 4.

Delegating discussion group management tasks

From Netscape Communicator, users with appropriate roles can access the discussion group management functions available in the Collabra Server. (The other administrative forms are not accessible to end users unless end users are granted access via the administration server interface. For more information, see the online documentation for the administration server or the printed manual, Managing Netscape Servers.)

Thus, users can set up and administer discussion groups as desired. For example, a customer-service employee who provides ongoing support to a customer via email might create a discussion group. In this group, the customer-service employee, the customer, and the product development engineers can converse with one another directly to solve problems more efficiently and quickly.

By delegating discussion group management tasks, such as managing and moderating certain discussion groups, you can focus more on system administration tasks, such as:

• Configuration and maintenance

• System security

• Replication of discussion groups

• Load balancing and system tuning

Disabling access control

1. Choose Access Control|Access Control Options.

2. Click the Access Control off button.

3. Click OK.

4. Restart your Collabra Server.

After access control is disabled, be aware that:

• All users can access all discussion groups

• Only the Collabra Server administrator can access the manager interface

• Any access control rules remain defined, but are no longer enforced

• The server does not check the authenticity of cancel messages

• The Netscape Directory Server, an LDAP-compliant directory service

• The local directory service that comes bundled with the administration server

The Collabra Server is compatible with other LDAP-compliant directory servers also.

You should choose your directory service before you install your Collabra Server. For more information, see the Collabra Server Installation Guide for your platform.