Restricting Access to Remote Server Datasets

By default, when you configure a remote server there are no restrictions to accessing its datasets. Thus, any McIDAS-X client with a client routing table entry for your server (i.e., an entry that maps a group name that exists on your server to your server's IP address) can access its data. This section describes how to configure your remote server to restrict access to all of its datasets, or to specific datasets identified by group or group/descriptor.

Access to one or more of the server's datasets can be restricted to the following.

authorized user IDs (entered with the McIDAS LOGON command)
authorized four-digit project numbers (also entered with LOGON)
authorized client IP addresses

There are three types of files used to allow/restrict access to the server's datsets: Server Files, Group Files, and Group.Descriptor Files. The files must adhere to these characteristics/requirements:

The files must reside in a MCPATH or REDIRECT directory of the remote server account (normally mcadde).
The files are standard ascii text format, created with any text editor.
Each file may have any free format comment on each line, after the required information, which must begin in column 1. At least one space should separate the required information from the comment.
Lines beginning with an asterisk (*) are considered comments, and are thus ignored.

Server Files, Group Files, and Group.Descriptor Files are described in further detail below.

Server Files

To be allowed access to all datasets on a server, the user must have a valid entry in one of the three files listed below, if the file exists. If any of the files required for validation is missing, that type of validation is not performed.

The three types of Server Files are listed below.

SERVER.IP - contains IP addresses of trusted machines in dotted decimal format
SERVER.USR - contains user initials, one per line in uppercase; each record must be at least four characters long
SERVER.PRJ - contains four-digit project numbers, one per line

Group Files

To be allowed access to all datasets in a particular group on a server, the user must have a valid entry in one of the three files listed below or one of the Server Files described above. If any of the files required for validation is missing, the server will then check if the user is valid based on the Server Files.

The three types of Group Files are listed below.

GROUP.IP - contains IP addresses of trusted machines in dotted decimal format
GROUP.USR - contains user initials, one per line in uppercase; each record must be at least four characters long
GROUP.PRJ - contains four-digit project numbers, one per line

For example, to allow users logged on to McIDAS as user JOHN access to all datasets in the group GOES, the file GOES.USR must contain a line that says "JOHN".

The Server Files are used in conjunction with the Group Files. For example, if the files SERVER.IP and SERVER.PRJ also exist, the user JOHN must be accessing the data from a valid IP address, and using a valid project number in those files.

Multiple files with duplicate extensions can also exist. For example, if the MSG.IP and SERVER.IP files exist, you can configure them to allow IP address 144.92.109.205 access only to datasets in group MSG while also allowing IP address 128.104.110.92 access to all datasets. To do so, the file MSG.IP must contain 144.92.109.205 and file SERVER.IP must contain 128.104.110.92.

Group.Descriptor Files

To be allowed access to a particular dataset (group and descriptor, e.g., GOES/CONUS) on a server, the user must have a valid entry in one of the three files listed below or one of the files described above. If any of the files required for validation is missing, the server will then check if the user is valid based on the Server Files and Group Files.

The three types of Group.Descriptor Files are listed below.

GROUP.DESCRIPTOR.IP - contains IP addresses of trusted machines in dotted decimal format
GROUP.DESCRIPTOR.USR - contains user initials, one per line in uppercase; each record must be at least four characters long
GROUP.DESCRIPTOR.PRJ - contains four-digit project numbers, one per line

For example, to allow users logged on to McIDAS as user JOHN access to only dataset MSG3HR/HRV (and no other datasets on the server), the file MSG3HR.HRV.USR must contain a line that says "JOHN".

Contact Us • Site Map • Search • Terms and Conditions • Privacy Policy • Participation Policy

Unidata is a member of the UCAR Community Programs, is managed by the University Corporation for Atmospheric Research, and is sponsored by the National Science Foundation.

P.O. Box 3000 • Boulder, CO 80307-3000 USA • Tel: 303-497-8643 • Fax: 303-497-8690