Question

Blocking WebLink access to certain groups

asked on February 4

Hello,

We have an external portal/WebLink that I would like to block certain users from being able to access (mainly higher-authority accounts, to protect from outside interference). Is there a way to block certain accounts from accessing a WebLink, while still allowing them to access WebClient and other resources inside our network? I see there is a way to block certain user groups in WebClient, but I can't find the same setting in WebLink.

The accounts we have set up for WebLink are specific to LFDS accounts, where the higher permission levels are Windows accounts, so if there is something we can add to the DMZ STS to not authenticate Windows accounts (even if they are manually typed in), that would work. I see in the DMZ STS, Windows authentication is automatically blocked if you have an alternate STS set up, but if you manually type in your Windows domain and creds, it lets you log in.

Update: I found I could change the organization, and move the people I want to be able to access the WebLink to that organization. Is there a way to hardcode the organization? When I add the sub-organization, someone can still type the original organization name in (if they happen to know it). I'd like to make it so the organization line is either greyed out or missing altogether, so it can't be changed back to the original value.

Replies

replied on February 10

Hi Eric,

I want to get a clarification on the core problem you're trying to solve here.

Laserfiche WebLink is a read-only interface. Even an administrator with all possible repository Entry Access Rights, Features, and Privileges cannot create/modify/delete content or make configuration changes through WebLink. 

Is the scenario that there is content these Windows/AD users have browse/read access to, and if their account credentials were compromised, you don't want an attacker to be able to use them to authenticate from outside your network?

replied on February 20

Hi Samuel,

Yes, that is the issue we were trying to mitigate: compromised accounts having access from outside of the network, and the ability to bypass the MFA requirement. I was able to make the organization field read-only by editing a couple of files, which helped mitigate this risk. I have a write-up of the steps if anyone could use it; that may be better to provide directly in lieu of posting it.
