Managing User and File Permissions for Aspera Enterprise Server and Aspera Point-to-Point

Introduction

Permissions determine who can access which files, so they are essential to organizing work group collaboration. This document explains how to set up the proper user permissions on a server machine that runs either Aspera Enterprise Server or Aspera Point-to-Point, and also explains the permissions of transferred files.

Configuring User Accounts on the Server

Aspera Enterprise Server and Aspera Point-to-Point use the same user account management system as your local system. Users connecting to this server can use their system accounts to log in with equivalent permissions. By default, all user accounts are allowed to browse and read all files on the server. It is recommended to configure the Aspera file permission system to ensure privacy and security. To set up a user account, use the following instructions.

1. Create a new user account if the account you want to use for transfers does not already exist.

In Windows, go to your Control Panel. Under the User Accounts and Family Safety section, click Add or remove user accounts. On the resulting page, click Create a new account.

In Mac OS X, go to your System Preferences and click on Users and Groups. Click the lock icon on the bottom left to be able to make changes, then select the + button to create a new account.

In Linux, run the following command, where username is the name of your new account:

useradd username

 

2. Create a transfer user for the server that corresponds to a local user account.

Using the GUI

Launch the application for your Enterprise Server or Point-to-Point. In Windows, make sure you launch it with administrator permissions (right-click the icon and choose Run as administrator).

Click the Configuration button on the top right. On the left, select the Users tab. Click the plus button to add the user account, entering the name of a local account, such as the one you created in step 1.

Using the command line

Use asconfigurator, the command-line tool that makes changes to the server configuration file aspera.conf.

To add a transfer user you would run the following command, replacing username with the name of a local user account, such as the one you created in step 1:

asconfigurator -x "set_user_data;user_name,username"

 

3. Set the document root (docroot) for the user to limit their access to a given directory. Doing so allows you to hide higher level directories from certain users.

Using the GUI 

Click the Configuration button on the top right. On the left, select the Users tab. Making sure the user account is selected in the list of users, click on the Docroot tab on the right.

The docroot path can be set by specifying the Absolute path. You can either type in the docroot path directly or browse for it by clicking the button. By default the read, write and browse permissions are enabled for a user’s docroot. At minimum you should have read and browse permissions enabled. Write permissions allow users to make transfers to the docroot.

Using the command line

Use the following asconfigurator command to set a docroot for your user, replacing username with the name of the transfer user, and docroot_path with the path to the directory you want to set as the docroot:

asconfigurator -x "set_user_data;user_name,username;absolute,docroot_path"


4. (Mac OS X and Linux only) Restrict user permissions with aspshell, which limits the user’s file manipulation capabilities. Specifically, aspshell only allows operations that run Aspera uploads and downloads to or from your machine, operations that establish connections in the application, and operations that browse, create, delete, rename or list content. To set a user account to use aspshell instead of the default shell, do the following.

On Mac

Go to your System Preferences and click on Users & Groups. Click the lock icon on the bottom left to be able to make changes, and right-click the account you want to configure. Select Advanced Options.

Replace the Login Shell value with /usr/bin/aspshell and click OK.

On Linux

Open the following file in a text editor:

  • /etc/passwd


Locate the entry for your user account. For example, if your user was janedoe, you would look for the following:

janedoe:x:501:501:...:/home/janedoe:/bin/bash


Replace the shell path at the end, or add it if it does not exist. In the previous example, you would replace /bin/bash with /bin/aspshell:

janedoe:x:501:501:...:/home/janedoe:/bin/aspshell
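
A check to run after step 4, added here as an example and not part of the original article: it reads a passwd-format file and lists the transfer users whose login shell is not aspshell. The function name, the sample accounts other than janedoe, and matching on the shell's file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): list transfer users whose login
# shell is not aspshell. Names and sample data are constructed.

# audit_transfer_shells <passwd-file> <user>...
# Prints "user:shell" for each named user whose shell is not aspshell,
# "user:(empty)" when field 7 is blank, "user:MISSING" when no entry exists.
audit_transfer_shells() {
    local passwd_file user shell
    passwd_file=$1; shift
    for user in "$@"; do
        # Field 7 of a passwd entry is the login shell.
        shell=$(awk -F: -v u="$user" '
            $1 == u { print ($7 == "" ? "(empty)" : $7); found = 1; exit }
            END     { if (!found) print "MISSING" }' "$passwd_file")
        # Match on the file name: the article uses /bin/aspshell on Linux
        # and /usr/bin/aspshell on Mac.
        case "${shell##*/}" in
            aspshell) ;;
            *) printf '%s:%s\n' "$user" "$shell" ;;
        esac
    done
}

# Constructed sample in /etc/passwd format.
sample_passwd=$(mktemp)
cat > "$sample_passwd" <<'EOF'
janedoe:x:501:501::/home/janedoe:/bin/aspshell
xfer_ops:x:502:502::/home/xfer_ops:/bin/bash
xfer_nosh:x:503:503::/home/xfer_nosh:
EOF

audit_transfer_shells "$sample_passwd" janedoe xfer_ops xfer_nosh xfer_gone
```

On a Linux server, pass /etc/passwd and the names of your transfer users; any line printed is an account that still has a general-purpose shell or no passwd entry.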

 

Additional Permission Settings for UNIX-Based Systems

On UNIX-based operating systems such as Linux, Solaris, FreeBSD and Mac OS X, all files are created with the access rights of the source. To change the files' permissions when they are delivered, you can define the specific type of permissions on the receiver's side.

The permissions can be defined in the configuration file aspera.conf. The file is in the following location:

  • Linux, Solaris, FreeBSD: /opt/aspera/etc/aspera.conf
  • Mac OS X: /Library/Aspera/etc/aspera.conf

 

In the configuration file you will find or can create the file permissions settings.

Aspera Enterprise Server uses default values for any settings not specified in this configuration file. Here is an example configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CONF>
<directory_grant_mask>755</directory_grant_mask>
</CONF>


Below are the configuration directives to set file permissions:

Configuration Directives
<file_create_mode>755</file_create_mode>

The Aspera receiver creates the files in the destination directory using this "mode" (permissions set), specified as an octal value.

 
<directory_create_mode>644</directory_create_mode>

The Aspera receiver creates the directories in the destination directory using this "mode" (permissions set), specified as an octal value.

 
<file_create_grant_mask>644</file_create_grant_mask>

The Aspera receiver creates the files in the destination directory using the "mode" of the source file, but adds these permissions, specified as an octal value.

 
<directory_grant_mask>755</directory_grant_mask>

The Aspera receiver creates the directories in the destination directory using the "mode" of the source directory, but adds these permissions, specified as an octal value.
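
The effect of the grant-mask directives, worked through as an added example that is not part of the original article: a grant mask is combined with the source mode by bitwise OR, so it can only add permission bits. The function names and the source modes are constructed; the mask and mode values are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example: effect of the grant-mask and create-mode directives on modes.

# Symbolic form (e.g. rw-r--r--) of a three-digit octal mode.
symbolic_mode() {
    local value out bit letter
    value=$(( 0$1 )); out=""
    for bit in 256 128 64 32 16 8 4 2 1; do
        case $bit in 256|32|4) letter=r ;; 128|16|2) letter=w ;; *) letter=x ;; esac
        if [ $(( value & bit )) -ne 0 ]; then out="$out$letter"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# Grant mask: the source mode with the mask's bits added (bitwise OR).
granted_mode() {
    case "$1$2" in *[!0-7]*) return 2 ;; esac
    printf '%03o\n' "$(( 0$1 | 0$2 ))"
}

# One report line per source mode; "widened" means group/other gained bits.
grant_report() {
    local mask src result note
    mask=$1; shift
    for src in "$@"; do
        result=$(granted_mode "$src" "$mask") || return 2
        note=unchanged
        if [ $(( (0$result & ~0$src) & 077 )) -ne 0 ]; then note=widened; fi
        printf '%s -> %s %s %s\n' "$src" "$result" "$(symbolic_mode "$result")" "$note"
    done
}

# A directory needs the owner search (x) bit to be entered.
dir_mode_is_traversable() { [ $(( 0$1 & 0100 )) -ne 0 ]; }

# Constructed source modes, with the mask values shown in the article.
grant_report 644 600 640 755   # file_create_grant_mask 644
grant_report 755 700           # directory_grant_mask 755
dir_mode_is_traversable 644 || echo "directory mode 644 has no search bit"
```

A source file that was private (600) arrives readable by group and others under a 644 grant mask, and a directory created with mode 644 cannot be entered, so check both values against what the destination needs.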
