
Access Control List

HSYCO supports server-side access control lists for Web-based user commands.

The acl.ini file is a text file that defines the rules to allow or reject commands.

Note: Changes to acl.ini are immediately effective.

Each line defines an access rule, with the following format:

action; user_id; location; type; command

Rules are evaluated starting from the first line and progressing down the file until a match is found on the user, the IP address of the Web browser, the command type and command.

On the rule that matches, the allow or deny action is taken, executing or rejecting the command.

You can use the * character in the user_id, service (type) and command fields to match any value, or values starting or ending with a specific string.

The following table describes each field of a rule line.

Field: action
Format: allow | deny
Description: when this rule matches, the command is either executed or rejected

Field: user_id
Format: string [, string] (* matches any user)
Description: one or more user names (comma separated)

Field: location
Format: local | remote | *
Description: clients with an IP address that is part of the trusted range are local; clients outside the trusted range are remote

Field: type
Format: io | timer | camera | * (* matches any service)
Description: command type

Field: command
Format: string (* matches any string or substring)
Description: matching command string. io commands have the <datapoint>=<value> format for I/O Servers, dmx.<channel>=<value> for DMX, <IRTrans_id>=<command> for IRTrans commands, and <name>=<param> for user commands.

If no matching rule is found in the acl.ini file, the command is rejected. If the verbose log level is enabled, an error message is logged in the daily log file:

2012.01.04 16:25:10.223 + ACL ALERT: DENIED - USER: staff LOCATION: local TYPE: io COMMAND: user=test

Examples:

deny; *; *; *; dmx*
allow; *; *; *; *

Allows all commands from the Web interface, except for DMX control.

deny; *; *; camera; *zoom*wide
allow; *; *; camera; *

Allows only camera control commands, except the zoom-out command. All other commands are rejected because no rule matches them.

deny; guest; *; *; *
allow; *; *; *; *

User guest is not authorized to execute any command; all other users are allowed.

deny; *; remote; *; *

Prevents the execution of any command from browsers that are outside of the trusted range of IP addresses, as defined with the trustedNet configuration parameter.
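Because rules are evaluated top-down with first match winning, and changes take effect immediately, it helps to check a rule set offline before saving it. The following is an added example, not HSYCO code: a small evaluator that models the documented semantics (first match, default deny) and shows how swapping the two camera rules above lets a broad allow shadow the deny. The function names, the wildcard model (`*` matches any run of characters, matching is case-sensitive), the skipping of malformed lines and the camera command strings are assumptions made for illustration.

```python
import re

def parse_acl(text):
    """Parse 'action; user_id; location; type; command' lines into tuples."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5 or fields[0] not in ("allow", "deny"):
            continue  # assumption: blank or malformed lines are skipped
        action, users, location, ctype, command = fields
        users = [u.strip() for u in users.split(",")]
        rules.append((action, users, location, ctype, command))
    return rules

def wild(pattern, value):
    """Assumed wildcard model: '*' matches any run of characters, rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def decide(rules, user, location, ctype, command):
    """Return the action of the first matching rule; no match means deny."""
    for action, users, loc, typ, cmd in rules:
        if (any(wild(u, user) for u in users) and wild(loc, location)
                and wild(typ, ctype) and wild(cmd, command)):
            return action
    return "deny"

# Rules from the camera example on this page, then the same two lines swapped.
CAMERA_ONLY = parse_acl("""
deny; *; *; camera; *zoom*wide
allow; *; *; camera; *
""")
SWAPPED = parse_acl("""
allow; *; *; camera; *
deny; *; *; camera; *zoom*wide
""")

if __name__ == "__main__":
    # Constructed requests; the camera command strings are made up for illustration.
    requests = [
        ("staff", "local", "camera", "cam1.zoom.wide"),
        ("staff", "local", "camera", "cam1.pan.left"),
        ("staff", "local", "io", "user=test"),
    ]
    for req in requests:
        print(req, "->", decide(CAMERA_ONLY, *req), "| swapped:", decide(SWAPPED, *req))
```

With the swapped order the zoom-out request is allowed, because the general allow rule matches before the specific deny is reached; specific deny rules belong above the broader allow rules they are meant to restrict.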