... Administrator Frequently Asked Questions: FAQ
Home Directory Permissions
Guest Users (universe access)
NOAH Administration
There are two types of administrators allowed in NOAH. The first type is the Admin User, which is simply the user with the exact username of 'admin'.
The Admin User is permitted to look at NOAH database statistics, manage NOAH users and query NOAH activity logs. In addition, the Admin User is given overriding read/write permission to all files and directories in the database.
The Admin User:
can change the Owner of any file or directory
can change the name of the 'Lock By' owner of any file
can specify the username when searching for subscribers to files/directories (advanced search).
can UNLOCK any directory or file locked by any other user
can NOT lock a directory or file that is currently locked by another user (but see 2nd bullet above!).
can create directories and upload files to 'home' (root) directory
can lock directories at the 'home' directory
can group directories at the 'home' directory
If the file 'disable.users' is created in the NOAH cgi-bin directory, all users EXCEPT the Admin User are immediately disabled, with a message saying that NOAH has been shut down for maintenance.
Admin Group Users
The second type of administrator is the Admin Group User, which is ANY user that belongs to the group 'admin'.
The Admin Group Users are not given access to the 'Administrator Actions' menu but are given overriding read/write permission to all files and directories in the database EXCEPT for those files and directories that are owned by the Admin User.
The Admin Group Users:
can change the owner of any file or directory EXCEPT for files or directories owned by the Admin User.
can change the name of the 'Lock By' owner of any file EXCEPT for files or directories owned by the Admin User.
can specify the username when searching for subscribers to files/directories
can UNLOCK any directory or file locked by any other user EXCEPT for files or directories owned by the Admin User.
can NOT lock a directory or file that is currently locked by another user.
can NOT create directories and upload files to 'home' (root) directory
can NOT lock directories at the 'home' directory
can NOT group directories at the 'home' directory
Admin User Actions:
When the Admin User first logs in to NOAH, an additional 'Administrator Actions' menu (shown above) is added to the current directory display. (Note that Admin Group Users do not see this menu.) These additional menu items are described in the following paragraphs.
The Database Statistics page calculates some basic statistics on the NOAH database and gives the Admin User the option of jumping to the Advanced Search menu to learn more about the files and directories that make up a particular statistic.
Database Statistics provide feedback to the Admin User for the purposes of assessing the health of the NOAH database. This permits the Admin User to take timely preventative actions if file sizes get too large or if access permissions look suspicious.
The Manage Users page is where the Admin User activates new users, disables
or deletes users that are no longer welcome and manages user properties including
An 'Active' user is a user that has a valid NOAH username and password and is permitted to log into NOAH.
A user that's 'Waiting activation' is a user that has applied for a username/password from the login window but has not been activated by the Admin User yet.
A 'Disabled user' is a user that was once an 'Active user' but for some reason has been disabled from logging in to NOAH. The typical reason for disabling a user is that the user has become a security risk.
One also has an option to limit the search to a reasonable number of returned records. This limit is initially set at 50 but can be increased as desired. NOTE that setting the search limit to '0' removes the limit on returned items.
The Query Logs option lets an administrator look at the NOAH user activities to monitor what files and directories are being accessed and by whom. An administrator can search the log files for a particular filename, group name, user name or date.
WasteBasket Permissions
When a user deletes a file or directory, NOAH moves it to the /WasteBasket directory and puts it in a directory named with the year-month in 'YYYY-MM' format.
The WasteBasket directory is owned by the 'admin' account by default, which means that only the Admin User has the option of setting the permissions on the WasteBasket. The default permissions are read-only for group and world and access-denied for universe.
The WasteBasket is emptied by the 'purge' program run by the administrator in a daily or weekly batch job. See the 'NOAH Installation and Maintenance Manual' for more information.
Home Directory Permissions
The Home directory is the root of all directories and is often abbreviated as '/' or indicated with the icon.
The default permissions on the Home directory are read-write for Group and World and access-denied for Universe. If Universe (Guest Users) need to be able to see directories and files in the NOAH database, the Universe permission on the Home directory would have to be changed.
The Home directory is only displayed for the Admin User and is hidden from view for all other users.
The Home directory is owned by the user 'admin' and hence only the Admin User can change the permissions on the Home directory.
Guest Users (universe access)
As described in the Users Guide, NOAH recognizes three access permission categories: Group, World and Universe. The Universe access category is designed for guest users who do NOT have a username in NOAH.
If the user 'universe' is 'activated', the NOAH login screen will have a button which will permit a Guest to log in to NOAH with the username of 'universe' and an empty password.
NOTE: When first installing NOAH, the 'universe' user is set to 'disabled'.
What the Guest sees at this point is dependent on what directory and file access permissions have been set by the administrator. Remember that directory access permissions are hierarchical in NOAH. This means that if a directory has the universe access category set to 'access-denied', all directories and files below this directory are not accessible to the user 'universe' (our Guest user).
A Guest user can be completely banned from seeing and accessing any directories and files in the NOAH database by having the administrator set the Universe permission category to 'access-denied' for the Home Directory (often abbreviated as '/').
See the section Home Directory Permissions for more information.
In practice, there is not much point in having the user 'universe' active and having the Home Directory permission set to 'access-denied' for the universe permission category as the Guest user will only see the NOAH menus, help and about items, Search etc. and no directories or files!
The more useful configuration is having the Home Directory permission set to 'read-only' for the universe permission category. This will permit a user to create links to documents with universe read-only settings and let the Guest user read these files directly without requiring a login window.
If the desire is to have a Guest view a NOAH directory listing, then, in the Manage Users menu, set the user 'universe' to 'active' which enables Guest log in at the login screen.
Security Note: When a user uses the NOAH search menus, the items found in the search are listed if the user has 'read' permission access for the file or directory item IGNORING THE PERMISSIONS OF THE PARENT DIRECTORIES.
However, when the user tries to access an item in the search result list, the FULL DIRECTORY HIERARCHY READ PERMISSIONS ARE TESTED and access is denied appropriately.
This 'feature' permits the NOAH search algorithms to run at a reasonable speed for medium and large databases.
The impact on a Guest User (user 'universe') is that files and directories that have meta-data fields set to permit Universe read access will appear in the search result lists. Although the directory hierarchy read permissions are tested when the Universe user tries to open these items, just knowing the meta-data fields of these items might be considered a security breach.
The solution is to make sure sensitive files and directories do NOT have Universe read access enabled, which ensures that these files will not appear in a Universe user search. This is usually the case since newly uploaded files inherit the permissions of the parent directory.
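The gap described in the Security Note can be audited by comparing the two checks side by side. The following is an added example, not NOAH code: it models Universe permissions on a constructed directory tree and lists the items a Guest could find in a search but not open. The paths, the dictionary layout and the function names are assumptions, since NOAH's storage format is not shown on this page.

```python
# Constructed sample: path -> Universe permission set on that item itself.
# This models the behaviour in the Security Note; it does not read NOAH's
# real database.
SAMPLE_TREE = {
    "/": "read-only",
    "/public": "read-only",
    "/public/handbook.pdf": "read-only",
    "/finance": "access-denied",
    "/finance/2024": "read-only",            # child left more open than parent
    "/finance/2024/salaries.xls": "read-only",
    "/finance/notes.txt": "access-denied",
}

READABLE = {"read-only", "read-write"}


def ancestors(path):
    """Yield every parent directory of path, starting at the Home directory."""
    yield "/"
    parts = path.strip("/").split("/")[:-1]
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def search_visible(tree, path):
    """Search lists an item based on its own Universe permission only."""
    return tree[path] in READABLE


def access_allowed(tree, path):
    """Opening an item tests the item and every parent directory."""
    return search_visible(tree, path) and all(
        tree[p] in READABLE for p in ancestors(path))


def metadata_exposed(tree):
    """Items a Guest can find in search results but cannot open."""
    return sorted(p for p in tree
                  if search_visible(tree, p) and not access_allowed(tree, p))


if __name__ == "__main__":
    for path in metadata_exposed(SAMPLE_TREE):
        print("universe-readable under a denied parent:", path)
```

Every path the audit returns is an item whose meta-data a Guest search would list; setting its own Universe permission to 'access-denied' removes it from the result.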