Access Control Policies
An Access Control Policy (ACP) determines which users are granted access to a service. An ACP consists of access control rules, of which there are three types: Identity Rules, Source IP Rules, and CORS Origin Rules.
Identity Rules
An identity rule grants access to a specific user or group. An ACP may contain zero or more identity rules. If no identity rules are defined, access is granted to all users, so-called 'anonymous access'. If more than one identity rule is defined, the rules are logically OR-ed (for example, to allow access to a user who is a member of group Accounting OR group Engineering OR is user Operator). There is one special identity rule that can be defined: user "Any authenticated user", which means access is granted to any user that supplies a valid user name and password. 'Any authenticated user' is different from 'anonymous access' in that in the latter case no user name or password is required at all, whereas the former still requires the caller to authenticate.
Source IP Rules
A source IP address rule grants access to applications running on devices with specified IP addresses. An ACP may contain zero or more source IP address rules. If no source IP address rules are defined, access is granted to all source IP addresses. If more than one source IP address rule is defined, the rules are logically OR-ed. A source IP address can be a complete IP address (192.168.168.168, for example) or a range of addresses in CIDR notation (e.g. 172.168.168.0/24). Note that the address checked is the one the server sees on the connection: clients behind a NAT gateway or a forward proxy all present that gateway's address, so a source IP rule should be treated as a coarse network restriction rather than as identification of an individual device.
The set of identity rules and source IP address rules are logically AND-ed to determine access under the policy. So, given an ACP with the rules ( group Accounting OR group Engineering OR user Operator ) AND ( source IP 192.168.168.168 OR source IP 10.1.0.0/16 ), user 'jsmith', who happens to be a member of the Accounting group, will be denied access if his application is running on a device with IP address 172.100.0.96, but allowed access if running on a device with IP address 10.1.224.17.
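The following is an added example, not LightWave Server code, that models the evaluation rules described above: rules of one type are OR-ed, the identity rule set and the source IP rule set are AND-ed, an empty rule set of either type matches everything, and "Any authenticated user" matches any caller who supplied credentials. The Principal and AccessControlPolicy classes, and the policy and user data, are assumptions constructed for the illustration; only the 'jsmith' scenario is taken from the text.

```python
"""Model of Access Control Policy (ACP) evaluation.

Added example, not LightWave Server code. Rules of one type are OR-ed, the
identity rule set and the source IP rule set are AND-ed, and an empty rule
set of either type matches everything (anonymous access / any address).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# The special identity rule: matches anyone who presented valid credentials.
ANY_AUTHENTICATED = "Any authenticated user"


@dataclass
class Principal:
    """The caller. user=None means no user name/password was supplied."""
    user: Optional[str] = None
    groups: frozenset = frozenset()


@dataclass
class AccessControlPolicy:
    users: set = field(default_factory=set)          # identity rules naming a user
    groups: set = field(default_factory=set)         # identity rules naming a group
    source_ips: list = field(default_factory=list)   # addresses or CIDR ranges

    def __post_init__(self):
        # Normalise every entry to a network so a bare address (a /32 or /128)
        # and a CIDR range are checked the same way; strict=False tolerates
        # host bits set in a range such as 10.1.3.0/16.
        self.source_ips = [ipaddress.ip_network(s, strict=False)
                           for s in self.source_ips]

    def identity_allowed(self, p: Principal) -> bool:
        if not self.users and not self.groups:
            return True                    # no identity rules: anonymous access
        if p.user is None:
            return False                   # rules exist, so credentials are required
        if ANY_AUTHENTICATED in self.users:
            return True
        # Identity rules are OR-ed: any matching user or group rule suffices.
        return p.user in self.users or bool(p.groups & self.groups)

    def source_ip_allowed(self, addr: str) -> bool:
        if not self.source_ips:
            return True                    # no source IP rules: any address
        ip = ipaddress.ip_address(addr)
        # Source IP rules are OR-ed; a v4 address never matches a v6 range.
        return any(ip in net for net in self.source_ips)

    def allows(self, p: Principal, addr: str) -> bool:
        # The identity rule set and the source IP rule set are AND-ed.
        return self.identity_allowed(p) and self.source_ip_allowed(addr)


# Policy from the text: (Accounting OR Engineering OR Operator)
# AND (192.168.168.168 OR 10.1.0.0/16).  Constructed for the example.
EXAMPLE_POLICY = AccessControlPolicy(
    users={"Operator"},
    groups={"Accounting", "Engineering"},
    source_ips=["192.168.168.168", "10.1.0.0/16"],
)
JSMITH = Principal(user="jsmith", groups=frozenset({"Accounting"}))


if __name__ == "__main__":
    for addr in ("172.100.0.96", "10.1.224.17"):
        verdict = "allowed" if EXAMPLE_POLICY.allows(JSMITH, addr) else "denied"
        print(f"jsmith from {addr}: {verdict}")
```

The scenario in the text comes out as described: jsmith is denied from 172.100.0.96 because no source IP rule matches, even though the Accounting group rule does, and allowed from 10.1.224.17 because that address lies within 10.1.0.0/16.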
CORS Origin Rules
Cross-Origin Resource Sharing (CORS) rules provide a means to restrict browser cross-origin requests to a specific origin or origins. Origins are specified in the format defined by the CORS standard: scheme, host and, where it is not the scheme's default, port, for example https://app.example.com:8443. Note that CORS is enforced by the browser, not by the server: an origin rule limits which web pages a browser will permit to call the service, but it neither authenticates the caller nor restricts non-browser clients, so it complements rather than replaces identity and source IP rules. For more information see the CORS specification.
Creating an Access Control Policy
Access Control Policies are managed through the LightWave Server Console.
To create a new Access Control Policy:
- Select "Access Control" from the menu.
- Click the '+' icon to add a new policy.
- Enter a name and description.
- Add identity, source IP address, or CORS origin rules by clicking the '+' icon on their respective toolbars.
- Save the policy.
- Changes to policies are effective immediately.