Restricting Using File Permissions

The preceding topic described using directory permissions to restrict access to CML administration functions. You can apply more granular control by restricting access to individual files. This lets you create different levels of administration, making possible, for example, groups of "power library administrators." You might want to let regular administrators check library materials in and out and nothing else. Power administrators would also be able to maintain the database of library items.

To use file permissions to restrict access, see Restricting Access Using File Permissions in the Deployment section.

Directory Restrictions and File Restrictions

Because the Admin directory contains all the ASP files that provide administration functionality, such as maintaining the library, denying access to it puts all of these administrative actions out of reach at once. If access to the entire Admin directory has been denied to a given user or group, that user or group is locked out regardless of file-level permission settings. Be sure to grant directory permissions to those who require them; see Restricting Access Using Folder Permissions.
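One way to check for the lockout described above, as an added PowerShell example that is not part of the CML sample or its documentation. The directory path and group names are placeholders, and only ACL entries that name a group directly are examined (nested group membership is not resolved).

```powershell
# Added example: reports groups that are allowed on individual Admin\*.asp files
# but are denied, or not directly granted, read access on the Admin directory itself.
function Test-CmlAdminAccess {
    param(
        [Parameter(Mandatory)] [string]   $AdminDir,   # assumed location of the CML Admin directory
        [Parameter(Mandatory)] [string[]] $Groups      # assumed group names, e.g. 'WEBSRV\CML Power Admins'
    )
    $read     = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $dirRules = (Get-Acl -LiteralPath $AdminDir).Access

    foreach ($group in $Groups) {
        # Directory-level entries that name this group directly.
        $mine = @($dirRules | Where-Object { $_.IdentityReference.Value -eq $group })

        # Any deny touching read/execute blocks the group at the directory.
        $dirDenied = @($mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            [int]($_.FileSystemRights -band $read) -ne 0 }).Count -gt 0

        # An allow only counts if it covers all of read/execute.
        $dirAllowed = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $read) -eq $read }).Count -gt 0

        foreach ($file in Get-ChildItem -LiteralPath $AdminDir -Filter *.asp -File) {
            $fileAllows = @((Get-Acl -LiteralPath $file.FullName).Access | Where-Object {
                $_.IdentityReference.Value -eq $group -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $read) -eq $read }).Count -gt 0
            if (-not $fileAllows) { continue }   # group has no file-level grant here

            $status = if ($dirDenied)           { 'LockedOut: denied on directory' }
                      elseif (-not $dirAllowed) { 'Check: no direct directory grant' }
                      else                      { 'OK' }

            [pscustomobject]@{ Group = $group; File = $file.Name; Directory = $status }
        }
    }
}

# Placeholder path and group names; substitute the values used on your Web server.
Test-CmlAdminAccess -AdminDir 'C:\Inetpub\wwwroot\CML\Admin' `
    -Groups 'WEBSRV\CML Admins', 'WEBSRV\CML Power Admins' | Format-Table -AutoSize
```

A "Check" row means the group may still reach the directory through another group it belongs to, so confirm that membership before changing the ACL.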

Who Has Access?

Attempts to access the CML administration files are made in the context of user accounts, including domain group accounts and local group accounts defined on the Web server. As new people need specific administrator privileges, add them to a group that has been granted permissions to the CML files in question. Similarly, remove people from the group when they no longer need administrative access to these CML files. For more information, see Granting Windows NT Permissions.

Displaying Error Screens

When a user attempts to open a restricted page, the IIS Web server generates an error. The CML application changes these generic error messages into more friendly error messages; see Displaying Run-Time Errors.