Version: Cloud

Access Control List

This advanced configuration chapter describes the Windows Access Control List (ACL), which lets you set permissions for accounts or other objects with the help of PowerShell scripts.

Thanks to permissions set in the ACL, you can restrict access to config files that contain sensitive data such as connection strings or encryption keys.

Setting Access Control List to appSetting

As the appSettings kept in the config files of Omada Identity modules may contain sensitive data, you may want to extract them and keep them in a separate file. Such extraction increases the security of your encryption keys and connection strings, because the separate file can be locked down independently of the rest of the config.

To set up appSettings in a separate file, you need to point the appSettings element in the config file of a module (RoPE, OPS, ES, ODW) to that file. For example, for the RoPE config file:

<appSettings configSource="appSettings.config" />

Then you need to define the separate file with appSettings as follows:

<appSettings>
    <add key="ReportViewerMessages" value="Omada.OE.Web.ODWReportViewerCustomMessages, Omada.OE.Web" />
    <add key="vs:EnableBrowserLink" value="false" />
    <!-- the master connection string can be added here instead of in the registry -->
    <add key="ConnStr" value="" />
    <add key="CommandTimeout" value="" />
    <add key="SolutionName" value="" />
    <add key="LoadBalancerNodeEnabled" value="" />
    <add key="SessionTimeout" value="" />
    <add key="PswEncryptionKey" value="DefaultEncryptionKey" />
    <add key="ApiSharedSecret" value="" />
</appSettings>

You can give the created file a name of your choosing.

Important

Please remember that you need to create a separate appSettings file for each Omada Identity module.

Setting Access Control List to app.config

By setting ACL permissions on the app.config file, you can restrict access to the file to only the accounts listed in the ACL. To grant an account ACL permissions on the app.config file, run the following PowerShell script:

$FileAcl = Get-Acl "C:\Program Files\Omada Identity Suite\Enterprise Server\website\web.config"
$AclRule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\USERACCOUNT","Read","Allow")
$FileAcl.SetAccessRule($AclRule)
$FileAcl | Set-Acl "C:\Program Files\Omada Identity Suite\Enterprise Server\website\web.config"

Important

Please remember to change DOMAIN\USERACCOUNT to the appropriate account. This script only adds a Read rule for that account; it assumes that access to the app.config file has already been restricted by a script that grants access only to a specific user.
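The script above only adds a Read rule, so the file is no better protected than whatever it inherits from its folder. The following is an added example, not part of the Omada documentation, that performs the prerequisite restriction the note refers to for the extracted appSettings file: it cuts inheritance, removes the inherited grants, leaves full control to Administrators and SYSTEM, grants Read to one service identity and then verifies that no broad group is left. The file path and the account names are placeholders.

```powershell
# Added example, not from the Omada documentation. Path and accounts are placeholders.
$ConfigPath  = 'C:\Program Files\Omada Identity Suite\Enterprise Server\website\appSettings.config'
$ServiceUser = 'DOMAIN\SERVICEACCOUNT'   # identity the module (e.g. the app pool) runs as
$RuleType    = 'System.Security.AccessControl.FileSystemAccessRule'

$Acl = Get-Acl -LiteralPath $ConfigPath

# Stop inheriting from the parent folder and discard the inherited ACEs when the
# ACL is written back, so grants such as BUILTIN\Users:Read do not carry over.
$Acl.SetAccessRuleProtection($true, $false)

# Remove every explicit rule that is still on the file itself.
foreach ($Rule in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $Acl.RemoveAccessRule($Rule)
}

# Administrators and SYSTEM keep full control so the file stays manageable.
foreach ($Admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $Acl.AddAccessRule((New-Object -TypeName $RuleType -ArgumentList $Admin, 'FullControl', 'Allow'))
}

# The service identity only needs to read the settings, never change them.
$Acl.AddAccessRule((New-Object -TypeName $RuleType -ArgumentList $ServiceUser, 'Read', 'Allow'))

Set-Acl -LiteralPath $ConfigPath -AclObject $Acl

# Verification: re-read the ACL, show what remains and warn if a broad
# principal still has any access to the file.
$Effective = (Get-Acl -LiteralPath $ConfigPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
$Effective | Format-Table -AutoSize

$Broad = $Effective | Where-Object {
    $_.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
}
if ($Broad) {
    Write-Warning "Broad principals still have access to $ConfigPath"
}
```

Run the verification part on its own after any deployment or repair that rewrites the website folder, since a reapplied folder ACL with inheritance re-enabled silently undoes the restriction.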

Setting Access Control List to the registry keys

By setting ACL permissions on selected registry keys, you can restrict access to the keys to only the accounts listed in the ACL. To grant an account ACL permissions on keys in the Windows registry, run the following PowerShell script:

$RegistryKey = Get-Acl HKLM:\SOFTWARE\Omada
$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$AclRule = New-Object System.Security.AccessControl.RegistryAccessRule ("DOMAIN\USERNAME","ReadKey", $InheritanceFlags, $PropagationFlags,"Allow")
$RegistryKey.SetAccessRule($AclRule)
$RegistryKey | Set-Acl -Path HKLM:\SOFTWARE\Omada

Important

Please remember to change DOMAIN\USERNAME to the appropriate account. This script only adds a ReadKey rule for that account; it assumes that access to the registry key has already been restricted by a script that grants access only to a specific user.