An interesting request

The other day I got asked a question that I hadn't considered before.

"Can you set up rights so that a certain group of student workers can only access this directory when they're at work, and not anywhere else?"

Clearly they don't trust the students all that much, but the question is still interesting. How would you do that? We've spent a lot of effort promoting 'mobility', in the sense of getting at your files from anywhere. Novell NetStorage is designed for exactly this. Yet how do you restrict access to a specific directory to:

(userMemberOf specificgroup.groups.wwu) AND (workstationMemberOf othergroup.wsgroups.wwu)

In NetStorage perhaps the easiest way is to make sure the volume that directory lives on is not mapped in any login script the user has. That means it won't show up in NetStorage. On the other hand, if they come in over SFTP the files are still there for the taking. The problem with this approach is that the volume in question is in their login script already.

Another way to handle it is to create a second set of accounts for the students. These accounts would be workstation-login-restricted to just the workstations the department designates. Because of this, they wouldn't be able to use those logins for NetStorage or SFTP, as the server (which is what shows up in the 'Network Address' field when you log in via NetStorage or SFTP) isn't in the approved list. The problem with this is that we have a strong 'one account' policy; even super-users like myself don't have a second low-privilege account for routine use.

The crux of it is that this is the first time I've been asked to build location-awareness into an ACL. I wonder how other companies are handling this?


1 Comment

Restrict access by MAC address? Is that even possible at the directory level? Not sure how else you could do what's being requested, at least, other than setting up a second set of accounts, all other functionality aside.