Defining User Access to the Gateway

The access control feature lets you control inbound and outbound messages through the Async Gateway. You can specify which GroupWise users can send messages through the gateway. You can also specify which GroupWise users can receive messages through the gateway and from which addresses. You can control the size of messages allowed through the gateway and also control rule-generated messages.

Access control can be implemented on a minimal user-by-user basis through the Gateway Access field on the User Information page of each User object in ConsoleOne. To fully implement access control, you must use the configuration file called access.cfg.


Using the Access Control File (access.cfg)

The access.cfg file is an ASCII text file you can edit with a standard text editor. It is located in the gateway home directory.


Access Control

The access.cfg file contains one access control statement. The statement is used to turn access control on or off.

Syntax: access control = on | off

Example: access control = on

There should only be one access control statement in the file. If the file includes multiple statements, the last statement is used.


Access Control Headers

The access control header specifies the group of users that the access control settings (keywords) will apply to. In addition, the header specifies the direction (inbound or outbound) for which the settings apply. There are three possible headers:


[Domain.po:direction]

The Domain.po header specifies the GroupWise post office to which you are applying the access control settings. Only users in the specified post office are affected by the settings.

Direction determines in which direction the settings are valid. The two possible directions are In and Out. In specifies messages coming into the GroupWise system through the Async Gateway and Out specifies messages sent out from the GroupWise system through the Async Gateway. If no direction is specified, Out is the default.

Syntax: [domain.po:direction]

Example: [corporate.accounting:out]

In the example, all settings under this header apply to users in the ACCOUNTING post office who send mail to users on the other side of the Async Gateway.


[Default:direction]

The Default header specifies the default access control settings for GroupWise users who are not covered by one of the other headers.

Direction determines in which direction the settings are valid. The two possible directions are In and Out. In specifies messages coming in to the GroupWise system through the Async Gateway and Out specifies messages sent out from the GroupWise system through the Async Gateway. If no direction is specified, Out is the default.

Syntax: [default:direction]

Example: [default:in]

In the example, all settings under this header apply to users who are receiving mail from Async users and who are not covered by another header.


[Accessgroup:name]

The Accessgroup:name header defines the name of an access control group. Any settings under this header apply to users with the same access group name specified in the Gateway Access field on the GroupWise Account page of their User objects in ConsoleOne. This header enables you to apply access control settings to a single user or multiple users.

Syntax: [accessgroup:name]

Example: [accessgroup:staff]

After you've created an access group header in the access.cfg file, you need to modify the Gateway Access field on User objects in ConsoleOne to assign users to the access group. For information, see Using the Gateway Access Field.

This header is not associated with GroupWise personal groups or public distribution lists. If you have a GroupWise distribution list called Managers and want access control to be applied to the entire group, you must edit the user information for each member of the distribution list in the Gateway Access field of each User object.


Access Control Keywords

Keywords are used to apply access control settings to the users specified by the header. The following keywords are available:


ALLACCESS

The ALLACCESS keyword allows the users unrestricted access to the Async Gateway. Anyone can send and receive messages. This is how the gateway operated before the access control feature was added. If access is denied for inbound messages, the Gateway does not send an Undelivered message. This can be avoided in a domain-to-domain connection by setting access control on the gateway sending messages to the Out direction.

Example: [Corporate.Accounting:in] allaccess

In this example, all users on the Accounting post office under the Corporate domain can receive inbound messages.


NOACCESS

The NOACCESS keyword restricts users from accessing the Async Gateway. No one can send or receive any messages through the gateway, depending on the direction specified in the header.

Example: [default:in] noaccess

In this example, by default, users cannot receive mail through the gateway. Users can send messages through the gateway.


BLOCK

The BLOCK keyword blocks the message when the foreign address matches gwaddresstext. This keyword differs from NOACCESS because a specific remote or domain profile name can be specified. If users try to send messages to an address which has been blocked, they receive an Undeliverable message from the gateway.

Example: [default:out] block remote_profile_name or domain_profile_name

In this example, all users are prevented from sending messages to the remote or domain profile name.

Example: [Headquarters:in] block primary

In this example, any user in the GroupWise Headquarters domain is prevented from receiving a message from the primary domain.


ALLOW

The ALLOW keyword is the opposite of BLOCK. The gateway delivers the message only if the message's recipient matches gwaddresstext. This keyword is useful if you've blocked an entire domain, but you want to allow specific users in that domain to send or receive messages through the Async Gateway.

Example: [Headquarters:in] allow remote_profile_name or domain_profile_name

In this example, any user in the Headquarters domain is allowed to receive messages sent from the remote or domain profile name.

Example: [Headquarters:out] allow primary

In this example, the default is set to allow all GroupWise users to send mail to the primary domain.

When you use the ALLOW keyword, it functions as an exclusive ALLOW and restricts the users to only those that are specifically allowed access, unless a previous setting has provided for more access.


MAXSIZE

The MAXSIZE keyword determines the maximum message size, including attachments, that the gateway transfers. MAXSIZE is specified in bytes (1000=1000 bytes), with a range from 0 to 2147483647.

Example: [default:in] maxsize = 10000

In this example, all GroupWise users can receive messages that are less than 10000 bytes.


ALLOWRULEGENERATED

The ALLOWRULEGENERATED keyword determines whether or not rule-generated messages are allowed through the gateway. You could use this keyword to control rule-generated message replies such as "On Vacation" from passing through the Async Gateway. Unlike NOACCESS and BLOCK, the gateway does not generate an Undeliverable status for rule-generated messages that are not delivered. Instead, the message remains pending in the sender's mailbox. This keyword applies only to outbound messages.

Example: [default:out] allowrulegenerated = no

In this example, no GroupWise messages that have been generated by a rule are sent through the gateway.

Example: [Marketing.Secretaries:out] allowrulegenerated = yes

In this example, rule-generated messages created by users in the Marketing domain and the Secretaries post office are allowed to pass through the gateway.


Syntax Conventions in the Access.cfg File

Headers: Headers are enclosed in square brackets ([ ]). A header applies to all keywords that follow it, up to the next header. See Access Control Headers.

Semicolon (;), Slash (/), Pound sign (#): These characters can be used to begin comment or remark lines in the file. Any text following a semicolon, slash, or pound sign is ignored.

Gwaddresstext: Replace this field with the GroupWise address you want to use, such as Novell.Sales.Glen, where Novell.Sales.Glen is the GroupWise proxy address of the GroupWise user.


Sample Configuration File

;access control = on

;Heading for the default outbound settings. Remember that a semicolon
;is a remark and is ignored by the gateway;

;maxsize = 3000

;[default:out]
;allowrulegenerated = no
;block primary
;allow remote profile name

[Corporate:out]
allaccess
maxsize = 10000

[Corporate.Accounting:in]
maxsize = 200000

;name "Executives" to be used in Gateway Access field of a user
[accessgroup:Executives]
allaccess
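
The syntax rules above (comment characters, the three header forms, Out as the default direction, the last access control statement being used, the MAXSIZE range, and ALLOWRULEGENERATED applying only to outbound messages) can be checked before a file is placed in the gateway home directory. The following Python linter is an added example, not part of the gateway or its documentation; parse_access_cfg and the sample text are hypothetical, and matching keywords case-insensitively and warning about a keyword that precedes every header are assumptions.

```python
import re
KEYWORDS = {"allaccess", "noaccess", "block", "allow", "maxsize", "allowrulegenerated"}

def parse_access_cfg(text):
    """Return (access_control, sections, warnings) for the text of an access.cfg."""
    access, seen, current, sections, warnings = None, 0, None, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"[;/#]", raw, maxsplit=1)[0].strip()  # ';', '/', '#' start a comment
        if not line:
            continue
        m = re.fullmatch(r"\[([^:\]]+)(?::([^\]]*))?\]", line)
        if m:  # [domain.po:direction], [default:direction] or [accessgroup:name]
            scope, rest = m.group(1).strip().lower(), (m.group(2) or "").strip()
            group = scope == "accessgroup"
            current = {"scope": scope, "name": rest if group else None, "settings": [],
                       "direction": None if group else (rest.lower() or "out")}
            sections.append(current)
            continue
        m = re.fullmatch(r"access\s+control\s*=\s*(on|off)", line, re.I)
        if m:  # when the statement is repeated, the last one is used
            access, seen = m.group(1).lower(), seen + 1
            continue
        m = re.fullmatch(r"(\w+)\s*=?\s*(.*)", line)  # "keyword", "keyword value", "keyword = value"
        kw, value = (m.group(1).lower(), m.group(2).strip()) if m else (line, "")
        if kw not in KEYWORDS:
            warnings.append(f"line {n}: unknown keyword '{kw}'")
        elif current is None:  # assumption: a keyword with no header above it is a mistake
            warnings.append(f"line {n}: '{kw}' appears before any header")
        else:
            if kw == "maxsize" and not (value.isdigit() and int(value) <= 2147483647):
                warnings.append(f"line {n}: maxsize must be 0 to 2147483647")
            if kw == "allowrulegenerated" and current["direction"] == "in":
                warnings.append(f"line {n}: allowrulegenerated applies only to outbound")
            current["settings"].append((kw, value))
    if seen > 1:
        warnings.append(f"{seen} access control statements; the last ('{access}') is used")
    return access, sections, warnings

# Constructed sample input, not a real gateway configuration.
SAMPLE = """access control = off
access control = on   ; repeated statement
maxsize = 3000
[default:in]
allowrulegenerated = no
[Corporate.Accounting]
maxsize = 9999999999
[accessgroup:Executives]
allaccess"""
```

Calling parse_access_cfg(SAMPLE) reports access control as on and returns four warnings: the stray maxsize on line 3, the inbound allowrulegenerated on line 5, the out-of-range maxsize on line 7, and the duplicated access control statement.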


Applying Access Control Settings to Individual Users

Access control settings can be applied to individual users in two ways:


Using the Access.cfg file

You can use the [Accessgroup:name] header in the access.cfg file to control access settings for individual users. For the name, you can enter any identifier you choose, such as [ACCESSGROUP:CONTROL]. In the example below, the name is control. Under this header, include the keywords you want to apply to the given users.


Sample Configuration File

access control = on

[accessgroup:control]
maxsize = 100000
allowrulegenerated = no
allow domain profile name
block remote profile name

For the access group named control, this example access.cfg file limits the size of messages allowed to pass through the gateway to 100000 bytes. Messages created by rules are not sent through the gateway. Messages to or from users in the domain profile name pass through the gateway. Messages to or from users in the remote profile name cannot pass through the gateway.

The example access.cfg file becomes effective only when the word "control" is placed in a user's Gateway Access field along with a gateway alias type and an optional direction. For information on how to set this field, see Access Control Headers.


Using the Gateway Access Field

You can also apply access control to specific users through the Gateway Access field on the User Information page of each User object in ConsoleOne. This is done in nearly the same way as using ACCESSGROUP names. The difference is that you use the gateway name followed by the specific keyword you require.

To assign the access control settings to users:

  1. Browse to and right-click a User object, then click Properties.

  2. Click GroupWise > Account.


  3. In the Gateway Access field, assign a name to the user.

    Use the following syntax: gateway_alias_type.direction

IMPORTANT:  The BLOCK and ALLOW keywords cannot be used in the Gateway Access field. To use these keywords, use an ACCESSGROUP name in the access.cfg file.