Using Allow and Deny Rules for Access Control

You can control access to the server based on the client user name, the user's group membership, or the computer from which the user connects. For each of these categories, you can allow or deny access, or use a combination of allow and deny. You can specify rules for specific users, groups, or hosts, or use regular expressions to match multiple users, groups, or hosts with a single entry. Name matching is not case-sensitive.

The server first checks to see if access is allowed from the client host computer. If the client host is allowed, the server then checks both user and group rules to see if the client user is allowed access. For both host-based and group/user-based access control, the server uses the following logic to determine whether to allow a connection.

  1. Check to see if any "Deny" rules are configured. If a client matches any denied expression, the connection is refused (even if the client also matches an allowed expression).

  2. If the client does not match a denied expression, check to see if any "Allow" rules are configured.

    • If no "Allow" rules are defined, the client can connect.

    • If one or more "Allow" rules are configured on any pane, the client can connect only if the client matches one of the allowed expressions.

Examples

For the examples below, users are attempting to connect to a server with the following access control configuration. (No client host access items are configured.)

Group access settings:

  Group            Access
  administrators   Allow
  contractors      Deny

User access settings:

  User    Access
  Joe     Allow
  Don     Allow
  Fred    Deny

Sample access with the configuration above:

  User   Group Membership   Access?   Notes
  Joe    users              yes       Joe is an allowed user and does not match any denied condition.
  Don    contractors        no        Don is an allowed user, but is a member of a denied group.
  Fred   administrators     no        Fred is in an allowed group, but is a denied user.
  Paul   users              no        Allowed items are configured, but Paul does not match any allowed condition.
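The decision logic described above, reproduced as an added Python example (not the server's own code) and run against the sample configuration; it assumes each rule is a literal name or regular expression that must match the whole name, case-insensitively, and it also shows the host check that the sample configuration leaves empty.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    pattern: str   # literal name or regular expression (assumed: whole-name match)
    action: str    # "allow" or "deny"

    def matches(self, name: str) -> bool:
        # Name matching is not case-sensitive, as the page states
        return re.fullmatch(self.pattern, name, re.IGNORECASE) is not None


def decide(panes):
    """panes: list of (rules, candidate_names) pairs evaluated together,
    e.g. the User pane against the user name and the Group pane against
    the user's groups. Returns True if the connection is allowed."""
    hits = [r for rules, names in panes for r in rules
            if any(r.matches(n) for n in names)]
    if any(r.action == "deny" for r in hits):          # step 1: any Deny match refuses
        return False
    if not any(r.action == "allow" for rules, _ in panes for r in rules):
        return True                                     # step 2a: no Allow rules on any pane
    return any(r.action == "allow" for r in hits)       # step 2b: must match an Allow rule


def access_allowed(client_host, user, groups, host_rules, user_rules, group_rules):
    # The host check runs first; only then are user and group rules consulted
    if not decide([(host_rules, [client_host])]):
        return False
    return decide([(user_rules, [user]), (group_rules, list(groups))])


# The page's example configuration (no client host access items)
HOST_RULES = []
GROUP_RULES = [Rule("administrators", "allow"), Rule("contractors", "deny")]
USER_RULES = [Rule("Joe", "allow"), Rule("Don", "allow"), Rule("Fred", "deny")]


def sample_decisions():
    """The four sample connections from the table above; host name is constructed."""
    sample = {"Joe": ["users"], "Don": ["contractors"],
              "Fred": ["administrators"], "Paul": ["users"]}
    return {u: access_allowed("client.example", u, g, HOST_RULES, USER_RULES, GROUP_RULES)
            for u, g in sample.items()}
```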