Location Based Access Permissions

Posted on 16th April 2017

Controlling where clients can use Foldr

Foldr v4  provides the administrator the ability to control where users are able sign into Foldr and what resources are available from that location.  The administrator can permit or deny users or Active Directory groups based on the client IP address, IP address ranges or entire subnets.  This could be useful if a group is only to be allowed access from inside the organisation network, and/or to restrict where users can sign in from remotely.

From Foldr Settings >  Security, the field to configure the client network details are available within ‘Use Foldr‘ and ‘Use Foldr Drive‘ (WebDAV).  Networks should be configured one per line if multiple entries are required.

Accepted values are:

  • Wildcard format: 1.2.3.*
  • CIDR format: 1.2.3.0/24 OR 1.2.3.4/255.255.255.0
  • Start-End IP format: 1.2.3.0-1.2.3.255

In the example below, the built-in Foldr Users (Everyone) is being configured with an allow rule for subnet 1.2.3.0/255.255.255.0 – This rule will result in all users ONLY being permitted to sign in from a client device on the 1.2.3.0 subnet.  (client IP address of 10.20.30.1 – 10.20.30.254)

In the second example, the built-in Foldr Users group is denied access from the same subnet.  The result of this ACL rule would allow users to sign in from any location except subnet 1.2.3.0.

In the final example, the Active Directory group ‘Marketing’ is only allowed to sign in from client devices on the network 10.20.30.0.  Users in this group will be denied access if they attempt to sign in from any other location.

 

Location based share permissions

As well as being able to control where users / groups can sign in from, the administrator can control where users can access certain storage locations through Foldr. i.e. you can apply share perimssions based on location / network address.

Using the granular share access permissions, this gives the administrator the ability to only present a share if the client is signing in from a particular IP address or subnet, or you can force shares to only be read only / writable from specific locations.

In the example below, the permissions on the share below have been modified to only allow the storage location to be visible in the Foldr web or client apps if the client is connecting from either the 172.16.1.0 or 192.168.1.0 networks.

Location based client app configuration

Within Foldr Settings > Devices & Clients, the administrator has the ability to also configure granular access permissions for each client app individually  – Windows, macOS, iOS, Android and web.

In the example below, a policy has been configured to only allow users within the Marketing group permission to use the iOS app from networks 172.16.1.0 and 192.168.1.0.

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, support@foldr.io