Security on TeamSite IFS

Hello,
I am wondering how the permissions are handled on the TeamSite Intelligent File System both on Unix and Windows. Is the access controlled the same it is for the branch and workarea? I understand that when viewing file through IFS, requests are not sent to iwproxy or the webserver.

Can a user with root access read/write to any file through the file system? Can we do anything to prevent unauthorized users to access files through the file system?

Thanks for your input.

Running TeamSite/OpenDeploy 7.3.1 on Redhat

Find more posts tagged with

Comments

Rick Poulin

Is the access controlled the same it is for the branch and workarea?
> almost, but only file/folder permissions and ownership is used. Roles have no effect (if you have write access, you can edit whatever you want). Also, being a master has no effect on the IFS so for example, a master won't be able to navigate workareas marked private=true unless they're the workarea owner (or a member of the owner group). Also note that anything that's readable to someone with zero permissions is readable by anybody that has access to your file system, not just registered teamsite users.

I understand that when viewing file through IFS, requests are not sent to iwproxy or the webserver.
> correct.

Can a user with root access read/write to any file through the file system?
> yes because 'root' is implicitly a master and supreme overlord. the same is true of SYSTEM on windows, but NOT the local Administrator.
EDIT: ..and only where it makes sense. No user can ever write files outside of a WORKAREA (including STAGING, EDITIONS, and anywhere in the branching structure above a workarea)

Can we do anything to prevent unauthorized users to access files through the file system?
> Disable the iwserver and default network shares, don't make them part of the Administrators group (which would allow access over the y$ implicit share), and of course, prevent RDP/ssh to your server.

koubasco

Thanks Rick for the reply.

I have a new requirement to prevent TeamSite system admin from access content in a specific branch in TeamSite. How can we secure the IFS so that the system admin will not navigate through it.

Now my problem is that if the system admin has a master role, in TeamSite, he can assign himself to any group and then be able to access any content through the TeamSite GUI.

Another question, can we create a custom role in TeamSite that will prevent the TeamSite system admin from assigning users to group in various branches?

Thanks for your inputs.

Koubasco

Adam Stoller

I have a new requirement to prevent TeamSite system admin from access content in a specific branch in TeamSite. How can we secure the IFS so that the system admin will not navigate through it.

When you say "TeamSite system admin" - do you mean:

Again, if you're talking about someone with Master privileges - no. If you're talking about someone with Admin privileges and you're using 6.7.2 or later - you could create a custom role, based on Admin, without some of the rights you want to withhold - and then assign them to that role instead of the OOTB Admin role.Again - doing your own trials are the best way to verify any of this.