Access to a Discussion Group

The process of controlling access to your discussion groups depends on your directory service. If you are using Novell Directory Services® (NDS®), refer to Setting Up Access Control Using NDS. If you are using LDAP or a local directory service, this section explains how to set up access control.

You configure access control for a discussion group by creating access control rules. An access control rule defines the rights a user, group, or host has to a particular discussion group. Each access rule determines

By default, two access control rules are created. The first rule grants the role of poster to anyone. The second rule grants the role of manager to the user ID that connects to the directory service.


Understanding How Access Control Works

To determine access control for a user, the News Server first checks the hostname in the first rule. If the hostname does not match, the server stops checking and the user is denied access.

If the hostname matches, the server then verifies that the user information matches the other information specified in the rule. The server recognizes the host either by its hostname or IP address, depending on what you specify in the Access Control Options form (from the News Server, click Access Control > Access Control Options).

If the user information matches, the server goes on to the second rule if the first rule is continued. When a rule is continued, the server continues to search for subsequent access control rules that correspond to the user. When a rule is absolute (not continued), the server grants the user the rights specified in the absolute rule.

A lower-level discussion group in a discussion group hierarchy inherits the access control rules for the main discussion group. So the server begins checking the user's access at the top level of the discussion group hierarchy. The server continues moving down the hierarchy until it detects an absolute rule. Every rule beneath the absolute rule inherits the access control of the absolute rule. The server keeps checking for the user's rights until it reaches the end of the list of rules.

You can specify new rules that override these inherited rules, even if a rule is absolute. You cannot modify the inherited rules, however, unless you have manager access to the higher-level discussion group.

IMPORTANT:  If you are denying access to lower-level discussion groups, grant yourself manager access first, or you will deny yourself access to the discussion groups. If you deny yourself access, you'll need to contact your server administrator to fix the problem.
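
The following Python sketch is an added example, not News Server code. It models the rule walk described in this section to show how rule order and the Continue setting decide the outcome, including the self-lockout case in the note above. It assumes a rule list already flattened from the top-level group down, that later non-matching rules are skipped, that the latest matching rule sets the role, and that no match means no access; the user IDs, the IP address, and the Continue settings on the sample rules are constructed.

```python
from dataclasses import dataclass

# Simplified model of the rule walk described above; not News Server code.
@dataclass
class Rule:
    users: set        # user IDs; "all" stands for every directory user
    host: str         # hostname or IP address; "*" means all hosts
    role: str         # role granted, or "deny"
    continued: bool   # True = Continue checked, False = absolute

def host_ok(rule, host):
    return rule.host in ("*", host)

def user_ok(rule, user):
    return "all" in rule.users or user in rule.users

def effective_role(rules, user, host):
    """Walk the rules in order (top-level group first) and return the role."""
    if not rules or not host_ok(rules[0], host):
        return "deny"              # host mismatch on the first rule: stop, deny
    role = "deny"                  # assumption: no matching rule means no access
    for rule in rules:
        if not (host_ok(rule, host) and user_ok(rule, user)):
            continue               # assumption: non-matching rules are skipped
        role = rule.role           # assumption: the latest matching rule wins
        if not rule.continued:
            break                  # absolute rule: stop searching
    return role

def shadowed_rules(rules):
    """Indexes of rules never reached because an earlier absolute rule
    matches every user on every host."""
    for i, r in enumerate(rules):
        if not r.continued and "all" in r.users and r.host == "*":
            return list(range(i + 1, len(rules)))
    return []

# Constructed sample rule lists; "admin" and "alice" are made-up user IDs.
DEFAULTS = [Rule({"all"}, "*", "poster", True),     # Continue setting assumed
            Rule({"admin"}, "*", "manager", True)]
LOCKOUT = [Rule({"all"}, "*", "deny", False),       # absolute deny comes first
           Rule({"admin"}, "*", "manager", False)]  # never evaluated
SAFE = [Rule({"admin"}, "*", "manager", False),     # manager grant comes first
        Rule({"all"}, "*", "deny", False)]

if __name__ == "__main__":
    for name, rules in (("defaults", DEFAULTS), ("lockout", LOCKOUT), ("safe", SAFE)):
        print(name, effective_role(rules, "admin", "10.0.0.5"),
              effective_role(rules, "alice", "10.0.0.5"), shadowed_rules(rules))
```

Running `shadowed_rules` over a planned rule order before submitting it flags any rule that an earlier absolute rule for all users and hosts would make unreachable.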


Understanding Access Control for a Virtual Discussion Group

Be aware of the following issues about access control for a virtual discussion group:

If another user has access to the virtual discussion group but not to one of the source discussion groups, the user cannot view the text of the article, but can view the headers, including the subject line, of the article.

For more information on virtual discussion groups, refer to Specifying Search Options.


Creating Access Control Rules

To create an access control rule, be sure that you have first enabled access control. For information on enabling access control, refer to Enabling Access Control.

  1. From the General Administration page, click the News Server server name button > Discussion Groups > Manage Discussion Groups > OK.

  2. Select the parent or root-level discussion group.

  3. Click Access Control Rules > New Rule.

  4. In the Users, Groups, or Hosts fields, type the user or group ID or hostname to which this rule applies.

    You must specify information in at least one of these fields. You can specify information in all of the fields.

    In the Users or Groups fields, separate multiple users or groups with commas. To specify access for all users in the directory, type all.

    In the Hosts field, you can specify a hostname or IP address, if IP address resolution is enabled. To specify all hosts, type an asterisk (*). If you do not type a hostname, an asterisk is entered.

  5. (Optional) Click Edit to create, modify, or delete multiple users or groups through the ACL User Group Finder.

    IMPORTANT:  If you click Anyone (No Authentication) on the Finder form, the user still might be denied access based on other settings, such as hostname or IP address.

  6. Click the Auth By drop-down list > select the type of authentication that will verify the user for the discussion group.

    • Default: Authentication determined in the Access Control Options form (from the News Server interface, click Access Control > Access Control Options).
    • Certs: Authentication determined by a valid user certificate. If users have a valid user certificate, they do not need to log in to the discussion group. This method requires a secure server.

      If you select user certificate authentication in any access control rule for a discussion group, all users will be asked to authenticate by certificate, regardless of the authentication method specified in later rules for a particular user. A user will be asked for a certificate, but if a user does not have to authenticate by user certificate, he or she will still be able to authenticate by username and password.

  7. Click the Then Allow Role of drop-down list > select the role you are allowing the user or group.

    For more information on roles, refer to Defining and Managing Roles.

    or

    Select Deny to deny the user or group all access to the discussion group.

    You can choose Deny as a quick and safe way to set up access control rules. After denying all access, you can then choose to grant a particular role to a user.

  8. Check the Continue check box if you want the server to continue checking for access control rules that match the user, discussion group, and current action.

    If the rule is continued, the Set from field displays the higher-level discussion group from which the rule is inherited. Inherited rules are viewable, but not selectable.

    or

    If you want the rule to be absolute, uncheck the Continue check box.

  9. Click the Up- or Down-arrow to change the order of rules.

  10. Click Submit All Changes.


Creating a Guest Rule

You can create a guest rule that allows any host or user (whether defined in the directory or not) to access a discussion group without authentication. You can also specify a guest rule for a particular host.

  1. From the General Administration page, click the News Server server name button > Discussion Groups > Manage Discussion Groups > OK.

  2. Select the discussion group you want to create a guest rule for.

  3. Click Access Control Rules > New Rule.

  4. In the Users field, type Anyone.

  5. In the Groups field, type Anyone.

  6. In the Host field, type an asterisk (*) for all hosts

    or

    Type the hostname or IP address of the guest.

  7. Click the Auth By drop-down list > select Default.

    The default authentication method is specified in the Access Control form (from the News Server interface, click Access Control > Access Control Options). If the default is authentication by certificate, the guest must have a valid certificate.

  8. Click the Then Allow Role of drop-down list > select the role you are allowing the guest.

  9. Check the Continue check box.

  10. Click Submit All Changes.


Deleting an Access Control Rule

  1. From the General Administration page, click the News Server server name button > Discussion Groups > Manage Discussion Groups > OK.

  2. Select the parent or root-level discussion group.

  3. Click Access Control Rules.

  4. In the rule you want to delete, click the trash can icon.


