How Access Control Works

This section provides more information about configuring access rules, how to build access control lists, and presents several examples. It contains the following subsections:

• Configuring Access Rules
• Building an Access Control List
• Access Rule Sequence

Configuring Access Rules

Novell BorderManager 3.7 allows you to configure each access rule as either an Allow rule or a Deny rule. Allow rules allow a request to be fulfilled; Deny rules deny the request. You can take two different approaches when you set up your Novell BorderManager 3.7 access control scheme, as follows:

• In a tightly controlled environment, you might want to configure only Allow rules. If a user's access request fails to match any of the access rules in an entire access control list composed only of Allow rules, it will be denied by Novell BorderManager 3.7's default action (deny).
• In a loosely controlled environment, you might want to configure only Deny rules with an Allow Any rule at the end of the access control list. If a user's access request fails to match any of the Deny rules in the access control list, it will be allowed by the last Allow Any rule.

Building an Access Control List

As stated previously, Novell BorderManager 3.7 adds together all the individual access rule lists defined at all the different levels of the NDS or eDirectory tree in your network, starting from the Server object, continuing through the container holding the Server object, and concluding at the root of the eDirectory tree.

Within this consolidated list, rule lists defined at the Server object are placed at the beginning; rule lists defined at the root are placed at the end. In other words, rules defined closer to the user are placed closer to the top of the server's access control list. This combined list is the access control list for the Novell BorderManager 3.7 server; and it is applied to every access request received by the server.

Access Rule Sequence

Novell BorderManager 3.7 uses the sequence of access rules in the access control list to determine which rule takes precedence. A rule closer to the top of the list always takes precedence over any rule that follows it in the list. The first rule that matches the access request is the rule that is applied to the access request. If you mix conflicting Allow and Deny rules in an access control list, then you must ensure that the sequence of rules in the list produces the desired effect.

Each time a user makes an access request, such as when a Novell IP Gateway, Proxy Services, or VPN user initiates a request to access a particular service or destination, Novell BorderManager 3.7 checks the server's access control list. It searches the list until it finds the first access rule that applies to the requesting object, then it acts immediately on the rule to allow or deny the request. Intelligent sequencing is essential when you create access control rules because Novell BorderManager 3.7 searches for the first applicable rule in the server's access control list. It does not search for any potentially applicable rules after that.

Access Rule Example

In this example, your company president wants a rule that keeps company employees from accessing the World Wide Web (WWW) during work hours. You can accomplish this blanket policy with one general access rule at the root of the tree that contains your Novell BorderManager 3.7 server.

If the vice president of Marketing insists that his people must have access to the Web to perform their jobs effectively, you can satisfy his request with a second rule that you create for the Marketing user group or for specific users within that group.

This approach is one way to implement access rules on your Novell BorderManager 3.7 server. You use general rules placed higher in the eDirectory tree for far-reaching policies that you want to effect, such as keeping employees from accessing the Web during work hours. You use specific rules placed lower in the NDS or eDirectory tree for more specific cases or exceptions, such as allowing the Marketing group to have access to the Web during business hours.

When two rules conflict with each other (Deny everyone Web access during business hours and Allow members of the Marketing department to access the Web during business hours), the rule closer to the beginning of the server's access control list takes precedence. When no rule is found, the request is denied because the server's default action in the absence of a specific rule to the contrary is always Deny.

Detailed Access Control Example

In this example, the administrator for XCom Communications creates the following rules on the XCom Novell BorderManager 3.7 server.

An analysis of the preceding access rules raises the question of whether the administrator really needs to configure the three Deny rules. Novell BorderManager 3.7 will automatically deny the user's access request when it reaches the end of the access control list if the request does not match any rule in the list. The answer is it depends on what the administrator wants to accomplish.

An examination of rule 4, which denies any users in the xcom.com group access to www.yadda.com, and rule 8, which allows any user in xcom.com to access any destination, reveals that rule 4 (deny) is necessary.

Rule 7 denies user access to any Web pages inside the innerweb.xcom.com/prv directory after rules 5 and 6 allow the Finance group and Human Resources group to access their own Web directories.

However, rule 2 allows any user in xcom.com to access innerweb.xcom.com, which allows access to the pages inside the innerweb.xcom.com/prv directory. Rule 3 allows any user in the exec.xcom.com group to access any destination, which also allows access to pages inside the innerweb.xcom.com/prv directory.

If the administrator does not want users in the xcom.com group to access the innerweb.xcom.com/prv area, then rule 2 should be moved after rule 7 (deny). However, if the administrator wants users in the exec.xcom.com group to have access to the innerweb.xcom.com/prv directory, then rule 7 is not needed.

On examination, rule 8 allows any user in xcom.com to access any destination, which also allows any user to access the host, innerweb.xcom.com. This makes rule 2 unnecessary. The administrator can also delete rule 9 because, by default, Novell BorderManager 3.7 automatically denies user access requests at the end of the access control list when the request does not match any specific rule in the list.

The final access control list looks like the following:

An analysis of the preceding access control list reveals that any user in xcom.com can access any destination (rule 7), except the www.yadda.com and innerweb.xcom.com/prv directories (rule 3 and rule 6).

Now consider the following requests:

• Can Amy Brentman of the XCom Finance department use HTTP to connect to www.yadda.com, the Web site of Yadda Communications (formerly YCom Communications) and the current rival of XCom Communications?

  If Amy made this request, the access rules would work as follows:

  • Rules 1 and 2 do not apply to Amy's request.
  • Rule 3, however, says that all XCom employees in all XCom departments are denied HTTP requests to the Web site of rival Yadda Communications.
  • Rule 7 does allow all XCom employees in all XCom departments to use HTTP to connect with any location, but Novell BorderManager 3.7 already acted on rule 3, the first rule in the access control list that matched the request.

  The answer is No, Amy cannot access www.yadda.com.

• Jose Lira works in the Human Resources department of XCom Communications (hr.xcom.com). Can Jose use FTP to copy files from innerweb.xcom.com/prv/hr?

  The access rules would work as follows:

  • The user request is denied because it does not match any rule in the access control list (FTP is not specified in rules 1 through 7).
  • However, rule 5 does allow Human Resources (hr) employees like Jose to use HTTP to connect to innerweb.xcom.com/prv/hr.

  Jose can access the site but not he cannot use FTP to copy the files.

• P.V. Singh, President of XCom Communications, is a member of exec.xcom.com. Can P.V. use FTP to copy files from www.yadda.com?

  The access rules would work as follows:

  • Rule 2 allows P.V. to use FTP to copy files from www.yadda.com because it allows any member of exec.xcom.com to use any service to connect to any location.
  • Rule 3 denies any XCom employee access to www.yadda.com, but it does not apply because Novell BorderManager 3.7 has acted on rule 2.

  P.V. can use FTP to copy files from www.yadda.com.

• Roger Rockwell has been in charge of the XCom Shipping and Receiving department for years. This year, his department was added to the company's intranet. Roger is curious to see what kind of company Web locations are under innerweb.xcom.com/prv.
  • Rules 1 through 5 do not apply to Roger's request.
  • Rule 6 denies Roger's request because it denies all requests by XCom employees to innerweb.xcom.com/prv.

  Roger cannot see any location under innerweb.xcom.com/prv.

You can also specify periods of the day and days of the week when an access rule is to be in effect, and you can specify that you want all requests against an access rule to be logged.