Managing user and file permissions
for Aspera Enterprise Server and Aspera Point-to-Point

1. Introduction

Permissions determine who can access which files, so they are a basic organizing tool for how work groups collaborate. This document explains how to set up user permissions on a server running either Aspera Enterprise Server or Aspera Scp for Point-to-Point, and explains the permissions that transferred files receive.

2. Configuring User Accounts on the Server

Aspera Enterprise Server and Aspera Scp for Point-to-Point use the operating system's own user accounts rather than a separate account database. Users connecting to the server log in with their system accounts and get the same permissions those accounts have locally.

By default, every user account is allowed to browse and read all files on the server. Use the Aspera file permission system to restrict each account to the files it needs. To set up the user accounts, follow the instructions for your platform:

2.1 Windows

All incoming connections require authentication against Aspera-enabled Windows user accounts. If you want to enable a user that doesn't already exist on your system, on Windows 2000/XP you can create one in Control Panel -> User Accounts; on Windows 2003 go to Start menu -> Administrative Tools -> Computer Management. For additional help on managing user accounts, please refer to the Windows manual.

When you have prepared a Windows account for the remote user, you must then enable the account for Aspera connections. Go to Start menu -> All Programs -> Aspera -> Aspera Enterprise Server and launch User Manager.

In the User Manager window, right-click on the User icon and choose New -> New user to add a generic “New User” account. Double-click on the New User to open the New User Properties dialog.

In the New User Properties dialog, enter the name of the account to enable in the Name field. For a domain user, include the domain name.

There are three types of user access permissions: Full access, Aspera access, and Web access. "Full" access lets the user reach every file on the computer that the Windows account itself can access, not just the Aspera folder. "Aspera" access confines the user to the folder specified in the Document Root field. If "Restrict for web access only" is checked, the user can transfer only with an Aspera Web Client, not with the Aspera Scp Client. Use the restricted "Aspera" access unless the user genuinely needs the whole file system.

Click OK after you finish the configuration. Answer Yes when prompted to save the changes.

2.2 Linux, Solaris, FreeBSD

By default, every user account is allowed to browse and read all files on the server. To limit a user's access to a portion of the file system, set the account's login shell to the Aspera secured shell (aspshell) and assign the user a document root (virtual sandbox). aspshell lets the user transfer to and from the document root, browse it, and run basic file operations there: ls, mkdir, rm, mv, cp. The restricted shell aspshell-r only allows the user to transfer files in and out of the document root.

2.2.1 Changing the Shell

To change the shell, open /etc/passwd in a text editor and set the account's shell field (the last field of the entry) to /bin/aspshell. For example, to sandbox the user 'asp1' in the directory /sandbox/asp1, the entry looks like this (the second field is the password placeholder):

...
asp1:x:1011:1011:,,,:/sandbox/asp1:/bin/aspshell


2.2.2 Setting Up the Document Root

The document root (docroot) is the directory assigned to the user account as its sandbox. To set up the docroot, you need to identify the user account's user id (uid), modify the docroot file, and grant the account the proper directory permissions.

First, to get the uid for the user, use the command:

# id [username]

For example, the account 'asp1' has user id 501:

# id asp1
uid=501(asp1) gid=501(asp1) groups=501(asp1)

Second, edit the file /opt/aspera/etc/docroot to define the account's docroot. The file holds one user entry per line, in the format:

uid:docroot

For example, to set the document root for the user account 'asp1', add the following line:

501:/home/asp1

The last step is to make sure the account has read, write and search permission on its sandbox. For example, to set up the permissions for the account 'asp1', use the following commands:

# chown asp1:asp1 /home/asp1
# chmod u+rwx /home/asp1

Granting other users read and search access as well (chmod o+rx) lets every local account list the sandbox; add it only if that is intended.


2.3 Mac OS X

All incoming connections require authentication against Aspera-enabled Mac OS X user accounts. If you want to enable a user that doesn't already exist on your system, you can create one in Accounts section in the System Preferences. For additional help on managing Mac OS X user accounts, please refer to the Mac OS X manual.

By default, every user account is allowed to browse and read all files on the server. To limit a user's access to a portion of the file system, set the account's login shell to the Aspera secured shell (aspshell) and assign the user a document root (virtual sandbox).

There are two types of Aspera secured shells: aspshell and aspshell-r. "aspshell" allows the user to both transfer and browse the document root and execute basic file operations, such as create folder, modify files (copy, move, delete), and browse directories. The restricted shell "aspshell-r" only allows the user to transfer files in and out of the document root. The document root is the only folder that the user can access.

2.3.1 Changing the Shell

To set up the user account's shell, go to Hard Drive -> Applications -> Utilities and launch NetInfo Manager. First click the lock icon ("Click the lock to make changes") and enter the administrator's password.

In the upper pane, go to users -> (user account). In the lower pane, locate the shell property. To use the Aspera shell, replace the default value (/bin/bash) with /Library/Aspera/bin/aspshell or /Library/Aspera/bin/aspshell-r.

2.3.2 Setting Up the Document Root

When you have changed the shell, look up the account's uid (its numeric user id); it is needed to set up the document root. To set up the document root, use Finder to browse to Hard Drive -> Library -> Aspera -> etc and open the file "docroot" in a plain-text editor (not a word processor, which would add formatting). Add an entry in the following format:

uid:directory

For example, if the user's uid is 503, and the document root is "/sandbox/aspera", enter the following:

503:/sandbox/aspera

Then make sure the user has read/write permission on its sandbox: select the folder in Finder and go to Menu bar -> File -> Get Info. Make sure Owner is the user and Access is "Read & Write".
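The following script is an added example and not part of Aspera's own tooling. It carries out the docroot steps of sections 2.2.2 and 2.3.2 in one place: it looks up the account's uid, adds or replaces its uid:path entry in the docroot file, validates the file's format, and prepares the sandbox directory with the account as owner. It assumes the docroot file format and locations given above (/opt/aspera/etc/docroot on Linux, Solaris and FreeBSD; /Library/Aspera/etc/docroot on Mac OS X); the DOCROOT_FILE override, the function names and the 700 default mode are the example's own choices. Changing the login shell is left to the methods described in 2.2.1 and 2.3.1.

```shell
#!/bin/sh
# Added example, not Aspera's own tooling: register a docroot for an existing
# account and prepare its sandbox directory (steps of sections 2.2.2 / 2.3.2).
# Assumptions: the docroot file holds one "uid:path" entry per line, as the
# page states, and lives at the path the page gives for each OS. DOCROOT_FILE
# can be overridden, e.g. to dry-run against a scratch copy.

case "$(uname -s)" in
    Darwin) default_docroot_file=/Library/Aspera/etc/docroot ;;
    *)      default_docroot_file=/opt/aspera/etc/docroot ;;
esac
DOCROOT_FILE="${DOCROOT_FILE:-$default_docroot_file}"

# Numeric uid of an account; fails if the account does not exist.
uid_of() {
    id -u "$1" 2>/dev/null
}

# Add or replace the entry for a uid, rejecting non-numeric uids and relative
# paths. The file is rewritten via a temporary copy and renamed into place,
# so a half-written docroot file is never what the server reads.
set_docroot_entry() {
    uid="$1"; dir="$2"; file="${3:-$DOCROOT_FILE}"
    case "$uid" in ''|*[!0-9]*) echo "uid must be numeric: '$uid'" >&2; return 1 ;; esac
    case "$dir" in /*) ;; *) echo "docroot must be an absolute path: '$dir'" >&2; return 1 ;; esac
    tmp="$file.tmp.$$"
    {
        # keep every existing line except a previous entry for this uid
        if [ -f "$file" ]; then grep -v "^$uid:" "$file" || true; fi
        echo "$uid:$dir"
    } > "$tmp"
    mv "$tmp" "$file"
}

# Path currently assigned to a uid (empty output if none).
get_docroot() {
    grep "^$1:" "${2:-$DOCROOT_FILE}" | head -n 1 | cut -d: -f2-
}

# Fail if any non-empty line is not "<digits>:/<absolute path>".
check_docroot_file() {
    file="${1:-$DOCROOT_FILE}"
    bad=$(grep -v '^$' "$file" | grep -Ev '^[0-9]+:/' || true)
    if [ -n "$bad" ]; then
        echo "malformed entries in $file:" >&2
        echo "$bad" >&2
        return 1
    fi
}

# Create the sandbox, hand it to the account, and set its mode. 700 gives the
# owner read/write/search; adding o+rx (as the page's chmod does) would let
# every local account list the sandbox, so grant that only if it is intended.
prepare_sandbox() {
    user="$1"; dir="$2"; mode="${3:-700}"
    mkdir -p "$dir"
    chown "$user:$(id -gn "$user")" "$dir"
    chmod "$mode" "$dir"
}

# Usage (as root on the server): sh aspera-sandbox.sh asp1 /sandbox/asp1
if [ "$#" -eq 2 ]; then
    uid=$(uid_of "$1") || { echo "no such user: $1" >&2; exit 1; }
    set_docroot_entry "$uid" "$2"
    prepare_sandbox "$1" "$2"
    check_docroot_file
    echo "$1 (uid $uid) -> $(get_docroot "$uid")"
fi
```

Run it as root with the account name and sandbox path, or set DOCROOT_FILE to a scratch copy first to dry-run it. The entry rewrite is idempotent: rerunning it with a new path moves the user rather than leaving two conflicting lines for the same uid.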

3. Additional Permission Settings for UNIX-Based Systems

On UNIX-based operating systems such as Linux, Solaris, FreeBSD and Mac OS X, transferred files are created with the access rights (mode) of the source file. To change the permissions files receive when they are delivered, define the permissions you want on the receiving side.

The permission can be defined in the configuration file aspera.conf. You can locate the file in the following location:

Operating System         Location
Linux, Solaris, FreeBSD  /opt/aspera/etc/aspera.conf
Mac OS X                 /Library/Aspera/etc/aspera.conf

The configuration file has three major sections: the FASP section governing transfer settings, the CENTRAL section governing Aspera Central (the transfer management service), and the FASP_AUTH section configuring restrictions and custom authorization. File permissions are configured within the FASP section.

Aspera Enterprise Server uses its default value for any directive not specified in this configuration file. Here is an example configuration; the directives in the FASP section that control file permissions are listed after it:

<?xml version="1.0" encoding="UTF-8"?>
<CONF>
<FASP
    DirectoryCreateGrantMask="755"
/>
<FASP_AUTH
    AuthorizationRequired="no"
    AuthorizationURL=""
/>
<CENTRAL
    HttpPort="1722"
    HttpAddress="0.0.0.0"
/>
</CONF>

Configuration Directives (Partial)

Attributes of the <FASP> element:

  • FileCreateMode="755"

    The Aspera receiver creates files in the destination directory with this mode (permission set), specified as an octal value. The source file's mode is not used.

  • DirectoryCreateMode="755"

    The Aspera receiver creates directories in the destination directory with this mode (permission set), specified as an octal value. The source directory's mode is not used.

  • FileCreateGrantMask="755"

    The Aspera receiver creates files in the destination directory with the mode of the source file, but adds these permission bits, specified as an octal value.

  • DirectoryCreateGrantMask="755"

    The Aspera receiver creates directories in the destination directory with the mode of the source directory, but adds these permission bits, specified as an octal value.

A grant mask can only add permission bits, never remove them: a source file that is already 666 is delivered as 777 under a grant mask of 755. To guarantee that delivered files are never group- or world-writable regardless of what the sender had, set FileCreateMode and DirectoryCreateMode explicitly instead.
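As an added example (not from this page or from Aspera), the shell functions below make the mode-versus-grant-mask distinction concrete and give a post-transfer check: mode_with_grant_mask shows the mode a file ends up with when a grant mask is ORed into its source mode, and audit_world_writable walks a docroot and lists anything with the other-write bit set. It assumes only that a grant mask adds bits as the directive descriptions state; it does not read aspera.conf, and the function names and sample modes are the example's own.

```shell
#!/bin/sh
# Added example, not part of the page or of Aspera: predict what a grant mask
# does to a delivered file's mode, and audit a docroot for world-writable
# entries. Assumption: FileCreateGrantMask ORs its bits into the source mode,
# as the directive descriptions above state. Nothing here reads aspera.conf.

# Resulting mode when a file with source mode $1 is delivered under grant
# mask $2 (both octal). A mask only adds bits: 666 under 755 becomes 777,
# which is why a grant mask cannot enforce a ceiling; FileCreateMode can.
mode_with_grant_mask() {
    printf '%o\n' $(( 0$1 | 0$2 ))
}

# List every entry under a docroot with the other-write bit set (symlinks are
# skipped because their own mode is meaningless). Returns 1 if anything was
# found, so it can gate a post-transfer check or a scheduled job.
audit_world_writable() {
    dir="$1"
    hits=$(find "$dir" ! -type l -perm -002)
    if [ -n "$hits" ]; then
        echo "world-writable entries under $dir:" >&2
        echo "$hits"
        return 1
    fi
}

# Usage: sh audit-docroot.sh /home/asp1 [grant_mask]
if [ "$#" -ge 1 ]; then
    mask="${2:-755}"
    for src in 600 640 666 777; do
        echo "source $src under grant mask $mask -> $(mode_with_grant_mask "$src" "$mask")"
    done
    audit_world_writable "$1"
fi
```

The octal arithmetic relies on the leading zero that POSIX arithmetic expansion treats as an octal prefix, and find's -perm -002 matches any entry whose mode includes the other-write bit, regardless of its other bits.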