2.5 Restricting Access Rights of Users Outside the Firewall

Vibe enables you to restrict what information users can access when they are outside your corporate firewall.

If your Vibe site contains sensitive data, and users access the site from non-secure locations, you might want to consider restricting users to certain workspaces and folders when they are not accessing Vibe from inside the corporate firewall.

For example, a user accessing the Vibe system from a public kiosk increases the risk of sensitive data being inappropriately exposed.

To restrict access for users who are outside the corporate firewall, you must create a condition that contains one or more IP addresses (or ranges of IP addresses), associate this condition with an existing role, and then assign the role to users and groups in the workspaces, folders, or entries where you want to allow access.

2.5.1 Creating a New Role Condition

  1. Log in to the Vibe site as the Vibe administrator.

  2. Click the Administration icon in the upper right corner of the page.

    The Administration page is displayed.

  3. Under System, click Configure Role Definitions.

  4. Click the Define Role Conditions tab.

  5. Click Add a New IP Address Condition.

  6. Provide the following information for the new condition:

    Title: Specify a title for the condition.

    Description: Specify a description for the role condition.

    IP Address: Specify the IP address that you want to associate with this condition.

    You can mask an IP address by using asterisks as wildcards for one or more octets (for example, 155.5.*.*).

    Allow: Select this option to allow access from the specified IP address. There must be at least one IP Address field with Allow selected.

    Deny: Select this option to deny access from the specified IP address. Select this option only if you have multiple IP Address fields, and one of these fields has Allow selected.

    If you are masking an IP address, such as 155.5.*.*, you can exclude an IP address (or a smaller range) that falls within the range you are masking. For example, in the first IP Address field you specify 155.5.*.*, then select Allow. You then add a second IP Address field by clicking Add Another IP Address and specify an IP address that is within the range of your masked IP address: in the second IP Address field, you specify 155.5.4.*, then select Deny. This denies access to users who are using an IP address within the range 155.5.4.*, but allows access to users using any other IP address within the range 155.5.*.*.

  7. (Optional) Click Add Another IP Address to associate multiple IP addresses with this condition. You can also add multiple IP addresses if you want to deny access to a specific IP address that is included within a range of IP addresses that you are allowing.

  8. Click Add.

  9. Continue with Section 2.5.2, Associating the Role Condition with a New or Existing Role.
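The Allow/Deny evaluation described in step 6 can be modelled in a few lines. The following Python is an added example and is not Novell Vibe code: it assumes that a condition is a list of (pattern, action) entries, that asterisks stand for whole octets only, and that a Deny entry takes precedence over an Allow entry that matches the same address, which is the behaviour the 155.5.*.* / 155.5.4.* example describes. It also assumes that the address evaluated is the client address as Vibe sees it; when requests reach Vibe through a proxy, the address the condition sees may be the proxy's, so check what your deployment presents before relying on a condition.

```python
"""Evaluate a client IP address against the Allow/Deny entries of a role
condition, using asterisk masking such as 155.5.*.*.

Added example, not Novell Vibe code. Entry layout, precedence of Deny over
Allow, and octet-only wildcards are assumptions modelled on the section.
"""

import ipaddress
from typing import List, Optional, Tuple

# One IP Address field of the condition: (pattern, "allow" | "deny")
Entry = Tuple[str, str]


def parse_pattern(pattern: str) -> List[Optional[int]]:
    """Turn '155.5.*.*' into [155, 5, None, None]; None means any value."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"pattern must have four dotted octets: {pattern!r}")
    parsed: List[Optional[int]] = []
    for octet in octets:
        if octet == "*":
            parsed.append(None)
        elif octet.isdigit() and 0 <= int(octet) <= 255:
            parsed.append(int(octet))
        else:
            raise ValueError(f"bad octet {octet!r} in pattern {pattern!r}")
    return parsed


def matches(pattern: str, ip: str) -> bool:
    """True when every fixed octet of the pattern equals the client's octet."""
    wanted = parse_pattern(pattern)
    # IPv4Address() rejects malformed input instead of silently matching.
    actual = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    return all(w is None or w == a for w, a in zip(wanted, actual))


def validate_condition(entries: List[Entry]) -> None:
    """Enforce the rules the section states: at least one Allow field,
    only allow/deny actions, and well-formed patterns."""
    if not any(action == "allow" for _, action in entries):
        raise ValueError("at least one IP Address field must have Allow selected")
    for pattern, action in entries:
        if action not in ("allow", "deny"):
            raise ValueError(f"action must be 'allow' or 'deny': {action!r}")
        parse_pattern(pattern)


def access_permitted(ip: str, entries: List[Entry]) -> bool:
    """A client is permitted only if it matches at least one Allow entry and
    no Deny entry (Deny-over-Allow precedence is an assumption)."""
    validate_condition(entries)
    if any(action == "deny" and matches(pattern, ip) for pattern, action in entries):
        return False
    return any(action == "allow" and matches(pattern, ip) for pattern, action in entries)


# Constructed condition reproducing the section's example: allow the
# 155.5.*.* range but carve out 155.5.4.*.
EXAMPLE_CONDITION: List[Entry] = [
    ("155.5.*.*", "allow"),
    ("155.5.4.*", "deny"),
]

if __name__ == "__main__":
    for client in ("155.5.1.10", "155.5.4.7", "10.0.0.1"):
        print(client, "permitted" if access_permitted(client, EXAMPLE_CONDITION) else "denied")
```

Running the block prints one line per constructed client address: 155.5.1.10 is permitted, 155.5.4.7 is denied by the carve-out, and 10.0.0.1 is denied because it matches no Allow entry. A condition consisting only of Deny entries is rejected up front, mirroring the requirement that at least one field has Allow selected.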

2.5.2 Associating the Role Condition with a New or Existing Role

You must associate the role condition that you created in Section 2.5.1, Creating a New Role Condition, with a new or existing role.

  1. Log in to the Vibe site as the Vibe administrator.

  2. Click the Administration icon in the upper right corner of the page.

    The Administration page is displayed.

  3. Under System, click Configure Role Definitions.

  4. On the Configure Role Definitions tab, click Add a New Role.

    or

    Click an existing role in the Currently Defined Roles section.

    For more information about managing roles, see Section 2.4, Managing Roles to Refine Access Control.

  5. In the Role Conditions drop-down list, select the role condition that you want to associate to the role.

  6. Click Apply.

  7. Continue with Section 2.5.3, Assigning the Role Condition to Users and Groups.

2.5.3 Assigning the Role Condition to Users and Groups

After you have completed Section 2.5.1, Creating a New Role Condition, and Section 2.5.2, Associating the Role Condition with a New or Existing Role, you need to assign the role that contains the new role condition to users and groups. You accomplish this in one of two ways, depending on whether you associated the role condition with a new role or with an existing role (as described in Section 2.5.2, Associating the Role Condition with a New or Existing Role):

Assigning the New Role to Users and Groups

To assign the role that contains the new role condition to users and groups:

  1. Add the role to the Access Control table for the workspaces, folders, or entries where you want to grant users access rights, as described in Controlling Access to Workspaces and Folders in the Novell Vibe OnPrem 3.1 Advanced User Guide.

  2. Assign the roles to the users and groups who you want to be granted access rights, as described in Controlling Access to Workspaces and Folders in the Novell Vibe OnPrem 3.1 Advanced User Guide.

Assigning an Existing Role to Users and Groups

If you associated the role condition with an existing role, the role is automatically applied to users and groups in the workspaces, folders, and entries where this role is already assigned.

2.5.4 Example

The following example shows how to restrict access to users outside the firewall by using role conditions:

  1. Set up a proxy server (such as Novell Access Manager) that is external to the firewall.

  2. Define a role condition that includes only a range of IP addresses that are internal to the firewall.

  3. Associate this role condition with all or some existing Vibe roles.

    If you associate this role condition to all roles except the Workspace and Folder Administrator role, only users who are workspace and folder administrators are able to access workspaces and folders from outside the firewall. Users who are not workspace and folder administrators do not have access.