76.2 Managing User Access

76.2.1 Setting the Timeout Interval for Inactive WebAccess Sessions

Users are eventually logged out of GroupWise WebAccess if they have not performed any actions that generate requests. Actions such as opening or sending a message generate requests. Other actions, such as scrolling through the Item List, composing a mail message without sending it, and reading Help topics, do not generate requests.

The timeout interval depends on whether the user selects "This is a public or shared computer" or "This is a private computer" in the Login window. On a private computer in a secure location, the default WebAccess timeout is 480 minutes (8 hours), which is convenient for day-long use. On a public or shared computer, the default timeout is 20 minutes, which protects your personal data. The timeout interval provides security for GroupWise WebAccess users who forget to log out. It also helps the performance of the web server by freeing the resources dedicated to that user’s connection.

The WebAccess Application on the web server controls the timeout. At the time the user is logged out, the WebAccess Application saves the user’s current session to a folder on the web server, where it is stored for 24 hours. If the logged-out user attempts to continue the session, he or she is prompted to log in again, after which the WebAccess Application renews the session. For example, suppose a user is composing a message when the timeout interval expires and then attempts to send the message. The user is prompted to log in again, after which the message is sent. No information is lost.

To adjust the timeout interval:

  1. Open the webacc.cfg file in a text editor.

  2. To change the timeout interval for use on a public or shared computer, search to find the following line:

    Security.timeout=20
    
  3. Change the default of 20 to the number of minutes that you prefer for the public/shared timeout interval.

  4. To change the timeout interval for use on a private computer, search to find the following line:

    Security.Private.timeout=480
    
  5. Change the default of 480 to the number of minutes that you prefer for the private timeout interval.

  6. Save the webacc.cfg file.

  7. Skip to Section 76.1.7, Putting WebAccess Configuration Changes into Effect.

The timeout interval applies to all users who log in through the web server where the WebAccess Application is running. You cannot set individual user timeout intervals. However, if you have multiple web servers, you can set different timeout intervals for the web servers by completing the above steps for each server’s WebAccess Application.
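Because each web server carries its own webacc.cfg, the two timeout settings can drift apart between servers. The following check is an added example, not part of the product or its documentation: it reads the text of a webacc.cfg file and reports timeout settings that are missing, malformed, or longer than the defaults documented above. Treating a longer-than-default value as a finding, and letting a later duplicate line win, are assumptions of the example; the sample file contents are constructed.

```python
# Defaults documented in this section, in minutes.
DEFAULTS = {"Security.timeout": 20, "Security.Private.timeout": 480}

def read_timeouts(cfg_text):
    """Return {key: raw value} for active (uncommented) timeout lines."""
    found = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, commented-out setting, or not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        if key in DEFAULTS:
            found[key] = value  # assumption: a later duplicate line wins
    return found

def audit_timeouts(cfg_text):
    """Return a list of findings for the two WebAccess timeout settings."""
    findings, values = [], {}
    found = read_timeouts(cfg_text)
    for key, default in DEFAULTS.items():
        raw = found.get(key)
        if raw is None:
            findings.append(f"{key}: no active line")
        elif not (raw.isascii() and raw.isdigit()):
            findings.append(f"{key}: {raw!r} is not a whole number of minutes")
        else:
            values[key] = int(raw)
            if values[key] > default:
                findings.append(
                    f"{key}: {raw} min exceeds the documented default of {default}")
    public = values.get("Security.timeout")
    private = values.get("Security.Private.timeout")
    if public is not None and private is not None and public > private:
        findings.append("public/shared timeout is longer than the private timeout")
    return findings

# Constructed sample contents for two web servers.
WEB1 = "Security.timeout=20\nSecurity.Private.timeout=480\n"
WEB2 = "# kiosk pool\nSecurity.timeout=600\n#Security.Private.timeout=480\n"

if __name__ == "__main__":
    for name, text in (("web1", WEB1), ("web2", WEB2)):
        print(name, audit_timeouts(text) or "matches documented defaults")
```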

76.2.2 Customizing Auto-Save Functionality

By default, GroupWise WebAccess automatically saves users’ work on a regular basis, so that if a problem with a web server occurs or the user times out, their work is not lost. For details about the Auto-Save feature, see Saving Unfinished Email in the GroupWise 2014 R2 WebAccess User Guide.

Increasing the settings so that users’ work is saved less frequently reduces the load on the web server but increases the amount of work that users could potentially lose. Reducing the settings so that users’ work is saved more frequently increases the load on the web server, but reduces the amount of work that users could potentially lose.

To adjust the Auto-Save intervals:

  1. Open the webacc.cfg file in a text editor.

  2. Search to find the Auto Save section.

  3. For the Autosave.NonUse.timer setting, increase or decrease the number of seconds after which the content is saved if there have been no modifications since the last save.

    The default non-use interval is 10 seconds. Specify 0 (zero) to turn off this functionality.

  4. For the Autosave.Use.timer setting, increase or decrease the number of seconds after which the content is saved even when users are actively composing content.

    The default is 60 seconds. Specify 0 (zero) to turn off this functionality.

  5. Save the webacc.cfg file.

  6. Skip to Section 76.1.7, Putting WebAccess Configuration Changes into Effect.

76.2.3 Preventing Users from Changing Their GroupWise Passwords in WebAccess

By default, users are allowed to change their GroupWise passwords in WebAccess. You can prevent them from doing so if you prefer that users change their passwords in some other way, for example if you are using an LDAP directory for authentication.

To adjust password security:

  1. Open the webacc.cfg file in a text editor.

  2. Search to find the following line:

    User.Access.security
    
  3. Change true to false.

  4. Save the webacc.cfg file.

  5. Skip to Section 76.1.7, Putting WebAccess Configuration Changes into Effect.

76.2.4 Helping Users Who Forget Their GroupWise Passwords

The GroupWise WebAccess Login page provides a "Can’t log in" link for users to click when they have forgotten their GroupWise passwords. By default, the link displays the following file:

/var/opt/novell/tomcat5/webapps/gw/webaccess/yyyymmddnnnn/images/helpdesk.htm

The variable yyyymmddnnnn represents the year, month, day, and build number of the WebAccess software that you have installed.

You can use your HTML editor of choice to customize the contents of this file. For example, you might want to include the email address of the local GroupWise administrator who handles password issues, or perhaps the URL of your company’s Help Desk web page.

As an alternative, you can configure the WebAccess Application to display any URL of your choosing.

  1. Open the webacc.cfg file in a text editor.

  2. Search to find the following line:

    #Helpdesk.url=http://www.novell.com/helpdesk.html
    
  3. Remove the pound sign (#) to activate the setting.

  4. Replace the sample URL with wherever you want users to be directed when they have forgotten their GroupWise passwords.

  5. Save the webacc.cfg file.

  6. Skip to Section 76.1.7, Putting WebAccess Configuration Changes into Effect.

76.2.5 Controlling WebAccess Usage

You can control which users can use WebAccess to access their GroupWise mailboxes. By default, all GroupWise users can use WebAccess.

You can control access based on the domain or post office where the user’s mailbox is located. You can control access for related users based on groups, and you can control access for individual users.

Access control is established through the gwac.xml file, located in the same folder with the webacc.cfg file.

The default gwac.xml file illustrates the following options:

<!-- To allow access to all EXCEPT a few, use this technique. -->
<!--
<gwac access="prevent">
  <domain name="domain1" />
  <postOffice name="po2.domain2" />
  <user name="jdoe.po3.domain3" />
  <distributionList name="helpdesk.po4.domain4" />
  <resource name="confroom.po4.domain4" />
</gwac>
-->

<!-- To prevent access to all EXCEPT a few, use this technique -->
<!--
 <gwac access="allow">
  <domain name="domain1" />
  <postOffice name="po2.domain2" />
  <user name="jdoe.po3.domain3" />
  <distributionList name="helpdesk.po4.domain4" />
  <resource name="confroom.po4.domain4" />
</gwac>
-->

You can use any ASCII text editor that you prefer to edit the gwac.xml file.

  1. Open the gwac.xml file in a text editor.

    Typically, you use the gwac.xml file to override the default of allowing all users to use WebAccess.

  2. Remove the comment marker lines (<!-- and -->) around the section that you want to use.

  3. (Optional) Under the <gwac access="prevent"> line, create one or more lines to prevent users in one or more domains from using WebAccess, for example:

    <domain name="provo5"/>
    <domain name="provo6"/>
    
  4. (Optional) Create one or more lines to prevent users in one or more post offices from using WebAccess, for example:

    <postOffice name="interns.provo1"/>
    <postOffice name="temps.provo1"/>
    

    Specify the post office in post_office.domain format.

  5. (Optional) Create one or more lines to prevent users in one or more groups from using WebAccess, for example:

    <distributionList name="webaccessdenied.admin.provo1"/>
    

    Specify the group in group.post_office.domain format.

    Using one or more groups is the most flexible approach to access control for WebAccess. The group belongs to a specific post office (for example, the one you belong to), but it can include GroupWise users located anywhere in your GroupWise system. By using a group, you can easily modify access control for specific users by modifying the group in the GroupWise Admin console, rather than needing to modify the gwac.xml file whenever access control changes are needed. For more information about groups, see Section 56.0, Creating and Managing Groups.

  6. (Optional) Create one or more lines to prevent specific users from using WebAccess, for example:

    <user name="sjones.interns.provo1"/>
    <user name="gbock.interns.provo1"/>
    
  7. (Conditional) If you want to prevent most users and allow only specified users, use a <gwac access="allow"> line instead of a <gwac access="prevent"> line.

  8. Save the gwac.xml file.

  9. Skip to Section 76.1.7, Putting WebAccess Configuration Changes into Effect.
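
A gwac.xml file restricts nothing while both sections are still commented out, and a name in the wrong format will not match the intended object. The following pre-deployment check is an added example, not part of the product: it confirms that exactly one `<gwac>` section is active, reports the access mode, and verifies that each name has the expected number of dot-separated parts. The part counts for domain, user and resource are inferred from the examples on this page, and the sample file contents are constructed.

```python
import xml.etree.ElementTree as ET

# Dot-separated parts each name needs. The postOffice and distributionList
# formats are stated on the page; domain, user and resource are inferred
# from its examples (assumption).
PARTS = {"domain": 1, "postOffice": 2, "user": 3,
         "distributionList": 3, "resource": 3}

def lint_gwac(xml_text):
    """Return (mode, entries, problems) for the text of a gwac.xml file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Both sections still commented out, or both uncommented, end up here.
        return None, [], [f"no single active <gwac> section: {exc}"]
    if root.tag != "gwac":
        return None, [], [f"root element is <{root.tag}>, expected <gwac>"]
    mode, entries, problems = root.get("access"), [], []
    if mode not in ("allow", "prevent"):
        problems.append(f"access={mode!r} is neither 'allow' nor 'prevent'")
    for el in root:
        parts = (el.get("name") or "").split(".")
        want = PARTS.get(el.tag)
        if want is None:
            problems.append(f"unexpected element <{el.tag}>")
        elif len(parts) != want or not all(p.strip() for p in parts):
            problems.append(f"<{el.tag} name={el.get('name')!r}> needs "
                            f"{want} dot-separated part(s)")
        else:
            entries.append((el.tag, el.get("name")))
    if mode == "allow" and not entries:
        problems.append("access='allow' lists no valid entries")
    return mode, entries, problems

# Constructed samples: a file with everything still commented out, and an
# edited file whose post office entry is missing its domain.
UNEDITED = '<!--\n<gwac access="prevent">\n  <domain name="domain1" />\n</gwac>\n-->'
EDITED = """<gwac access="prevent">
  <domain name="provo5"/>
  <postOffice name="interns"/>
  <distributionList name="webaccessdenied.admin.provo1"/>
</gwac>"""

if __name__ == "__main__":
    for label, text in (("unedited", UNEDITED), ("edited", EDITED)):
        print(label, lint_gwac(text))
```

The check validates only the file's structure and name formats; it cannot confirm that a named domain, post office, group or user exists in the GroupWise system.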