Understanding Access Levels

Access levels describe which URIs on the machine a group of users is permitted to read or modify.

Follow these guidelines to define access levels as desired for your organization’s users:
  • Specific URIs with no trailing slash character restrict access to that URI only. For example, /Components/Communications.cfg provides access to the Communications.cfg file only.
  • A trailing slash (/), specifying a directory, provides group members access to any URI that begins with that string. For example, /Profiles/ provides access to the entire Profiles directory.
  • A trailing dollar sign symbol ($) restricts access to the exact URI only, even if it is a directory. For example, /Profiles/$ provides access to read the main Profiles directory, but not to read any files within that directory.

    For access to specific files, you do not need to use a trailing $.

    For example, /Components/Communications.cfg and /Components/Communications.cfg$ provide the same access.

  • A percent symbol (%) can be used with CN (Common Name) to permit access. For example, /Users/%CN%/ allows access to the User directory matching the SSL certificate common name of the Insight user. Note that this syntax can be used only once in a URI.

The URIs in the pre-defined access control groups have been configured as follows:

Access Control Group URIs
Group Name Read-Only Access Read-Write Access Description
Administrators / Read and write access to all Insight Server directories.
Sensors

/SensorInit.vsp

/Submit.vsp

Read and write access to the two files that the Sensors use to communicate with the Insight Server.
Users

/Profiles/

/Status/

/Software/

/Addresses/

/Users/$

/Users/%CN%/ Read and write access to the User directory matching the SSL certificate common name of the Insight user.
Power Users

/Profiles/$

/Status/

/Software/

/Addresses/

/Users/$

/Profiles/

/Users/%CN%/

Power Users are allowed the same access as Users, with the added ability to write to the Profiles directory. These users may edit profiles and enable changes to be updated automatically for other Insight users, such as when distributing newly defined workspaces.
Cluster Servers

/Components for Processing Servers/

/Addresses/

/Profiles/

/Lookups/

/Access Control/

/Bin/

/Logs/

/Cluster/ Read and write access to the Cluster directory.
Report Servers

/Profiles/$

/Status/

/Software/

/Addresses/

/Users/$

/Profiles/

/Users/%CN%/

/ReportStatus.vsp

Report machines are allowed the same access as Power Users, with the added ability to write to the ReportStatus.vsp file.

To configure Access Control

When defining access control groups, you need to include all System Administrators, users, cluster servers, and Report Server users that require access to this Insight Server computer. You can grant access using IP address or SSL certificate information, such as the common name or organization.

Note: When the Access Control.cfg file is changed on Insight Server, all existing connections are terminated and forced to reconnect. Connections are checked against the permissions in the updated Access Control.cfg file. In the Servers Manager interface, the Insight Server icon turns red temporarily and then green again because connection is terminated and forced to reconnect along with all others.
  1. On the Admin > Dataset and Profile tab, click the Servers Manager thumbnail to open the Servers Manager workspace.
  2. Right-click the icon of the Insight Server you want to configure and click Files.
  3. In the Server Files Manager, click Access Control to view its contents. The Access Control.cfg file is located within this directory.
  4. Right-click the check mark in the server name column for Access Control.cfg and click Make Local. A check mark appears in the Temp column for Access Control.cfg.
  5. Right-click the newly created check mark in the Temp column and click Open > in Workstation.
  6. In the Access Control.cfg window, click Access Control Groups to view its contents.



  7. To add a new access control group:
    1. Right-click Access Control Groups and click Add new > Group.
    2. Right-click Members and click Add new > Member.

      The members for the default groups are not pre-defined. By default, Administrator access is granted to 127.0.0.1 (local host), and Sensor access is granted to IP:*. All other access control group members must be defined.

    3. Complete the parameters.

  8. To add new members to an existing access control group:
    1. Right-click Members under the appropriate access control group and click Add new > Member.
  9. Save the file by right-clicking (modified) at the top of the window and then clicking Save.
  10. To save the locally made changes to the Insight Server machine, in the Server Files Manager, right-click the check mark for Access Control.cfg in the Temp column, then click Save to <server name>.