McIDAS User's Guide
Version 2017.2



Restricting Access to Remote Server Datasets

By default, when you configure a remote server there are no restrictions to accessing its datasets. Thus, any McIDAS-X client with a client routing table entry for your server (i.e., an entry that maps a group name that exists on your server to your server's IP address) can access its data. This section describes how to configure your remote server to restrict access to all of its datasets, or to specific datasets identified by group or group/descriptor.

Access to one or more of the server's datasets can be restricted to the following.

There are three types of files used to allow/restrict access to the server's datasets: Server Files, Group Files, and Group.Descriptor Files. The files must adhere to these characteristics/requirements:

Server Files, Group Files, and Group.Descriptor Files are described in further detail below. Important note: These files are enabled (i.e., perform their described actions) only if transaction logging is activated. See the previous section, Activating Transaction Logging on a Remote Server, for instructions. Also, as noted in the Field 3 description in the table on the same page, the reported IP address is not necessarily that of the client workstation. Therefore, you may not be able to restrict access by IP address (in files SERVER.IP, GROUP.IP and GROUP.DESCRIPTOR.IP below) if SSH tunneling is used.

Server Files

To be allowed access to all datasets on a server, the user must have a valid entry in one of the three files listed below, if the file exists. If any of the files required for validation is missing, that type of validation is not performed.

The three types of Server Files are listed below.

Group Files

To be allowed access to all datasets in a particular group on a server, the user must have a valid entry in one of the three files listed below or one of the Server Files described above. If any of the Group Files required for validation is missing, the server will then check if the user is valid based on the Server Files.

The three types of Group Files are listed below.

For example, to allow users logged on to McIDAS as user JOHN access to all datasets in the group GOES, the file GOES.USR must contain a line that says "JOHN".

The Server Files are used in conjunction with the Group Files. For example, if the files SERVER.IP and SERVER.PRJ also exist, the user JOHN must be accessing the data from a valid IP address, and using a valid project number in those files.

Multiple files with duplicate extensions can also exist. For example, if the MSG.IP and SERVER.IP files exist, you can configure them to allow IP address 144.92.109.205 access only to datasets in group MSG while also allowing IP address 128.104.110.92 access to all datasets. To do so, the file MSG.IP must contain 144.92.109.205 and file SERVER.IP must contain 128.104.110.92. This feature (using both GROUP.* files and SERVER.* files together to allow specific users, IPs or project numbers access to only certain datasets on the server) works only if the datasets are not Area format.

Group.Descriptor Files

To be allowed access to a particular dataset (group and descriptor, e.g., GOES/CONUS) on a server, the user must have a valid entry in one of the three files listed below or one of the files described above. If any of the Group.Descriptor Files required for validation is missing, the server will then check if the user is valid based on the Server Files and Group Files.

The three types of Group.Descriptor Files are listed below.

For example, to allow users logged on to McIDAS as user JOHN access to only dataset MSG3HR/HRV (and no other datasets on the server), the file MSG3HR.HRV.USR must contain a line that says "JOHN".
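
The following added example (not part of the McIDAS distribution or this guide's own code) models the checks described in the three sections above so that a set of access files can be reviewed before it is deployed. How the levels combine (skip a type when no covering file exists, otherwise accept a match in any covering file) is an assumption drawn from this page's wording, as are the one-entry-per-line layout and the function names.

```python
# Added example: models the file checks as this page words them.
# Not McIDAS code; how the levels combine is an assumption of this sketch.
EXTENSIONS = {"USR": "user", "IP": "ip", "PRJ": "project"}


def parse_entries(text):
    """One entry per line, blank lines ignored (assumed file layout)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def covering_files(files, group, descriptor, ext):
    """Existing files of one type that apply to group/descriptor."""
    names = [f"{group}.{descriptor}.{ext}", f"{group}.{ext}", f"SERVER.{ext}"]
    return [name for name in names if name in files]


def is_allowed(files, group, descriptor, client):
    """files maps file name to file text; client has user, ip and project.

    A type with no covering file is not validated. Otherwise the client's
    value must appear in at least one covering file of that type, and every
    validation that is performed must pass.
    """
    for ext, field in EXTENSIONS.items():
        present = covering_files(files, group, descriptor, ext)
        if not present:
            continue
        allowed = set().union(*(parse_entries(files[n]) for n in present))
        if client[field] not in allowed:
            return False
    return True


def report(files, datasets, client):
    """Access decision for each GROUP/DESCRIPTOR name in datasets."""
    return {ds: is_allowed(files, *ds.split("/"), client) for ds in datasets}


# Constructed contents for the MSG.IP / SERVER.IP case in the text.
SAMPLE = {"MSG.IP": "144.92.109.205\n", "SERVER.IP": "128.104.110.92\n"}

if __name__ == "__main__":
    # MSG/HRV, the user and the project number are constructed sample values.
    for ip in ("144.92.109.205", "128.104.110.92", "192.0.2.10"):
        client = {"user": "JOHN", "ip": ip, "project": "1234"}
        print(ip, report(SAMPLE, ["MSG/HRV", "GOES/CONUS"], client))
```

The model does not cover the transaction-logging prerequisite, the Area-format limitation, or the SSH tunneling caveat noted above, so confirm its answers against the server itself.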

