Using Allow and Deny Rules for Access Control

You can control access to the server based on the client user name, the user's group membership, or the computer from which the user connects. For each of these categories, you can allow or deny access, or use a combination of allow and deny. You can specify rules for specific users, groups, or hosts, or use regular expressions to match multiple users, groups, or hosts with a single entry. Name matching is not case-sensitive.

The server first checks whether access is allowed from the client host computer. If the client host is allowed, the server then checks both user and group rules to decide whether the client user is allowed access. For both host-based and group/user-based access control, the server uses the following logic to determine whether to allow a connection.

  1. Check to see if any "Deny" rules are configured. If a client matches any denied expression, the connection is refused (even if the client also matches an allowed expression).

  2. If the client does not match a denied expression, check to see if any "Allow" rules are configured.

    • If no "Allow" rules are defined, the client can connect.

    • If one or more "Allow" rules are configured on any pane, the client can connect only if the client matches one of the allowed expressions.

Examples

For the examples below, users are attempting to connect to a server with the following access control configuration. (No client host access items are configured.)

Group access settings:

  Group            Access
  administrators   Allow
  contractors      Deny

User access settings:

  User   Access
  Joe    Allow
  Don    Allow
  Fred   Deny

Sample access with the configuration above:

  User   Group Membership   Access?   Notes
  Joe    users              yes       Joe is an allowed user and does not match any denied condition.
  Don    contractors        no        Don is an allowed user, but is a member of a denied group.
  Fred   administrators     no        Fred is in an allowed group, but is a denied user.
  Paul   users              no        Allowed items are configured, but Paul does not match any allowed condition.
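The deny-first evaluation order described above, applied to the example configuration, as an added illustration written for this page rather than the server's own code. It assumes that a rule expression must match the whole name (so a user rule "Don" does not match "Donna") and that user and group Deny rules are checked before either pane's Allow rules; the client host name is a constructed placeholder because no host items are configured.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rules:
    """Allow and deny expressions for one pane (host, group or user).
    Expressions are regular expressions matched case-insensitively.
    Assumption: an expression must match the whole name (fullmatch)."""
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)

def matches(expressions, names):
    """True if any expression matches any of the given names."""
    return any(re.fullmatch(e, n, re.IGNORECASE) for e in expressions for n in names)

def connection_allowed(host_rules, group_rules, user_rules, host, user, groups):
    """Host check first, then user/group rules. In each check any Deny
    match refuses; if Allow rules exist the client must match one; with
    no Allow rules, anyone not denied gets in."""
    # Step 1: host-based check, evaluated on its own.
    if matches(host_rules.deny, [host]):
        return False
    if host_rules.allow and not matches(host_rules.allow, [host]):
        return False
    # Step 2: user and group panes are evaluated together. A Deny on
    # either pane refuses (Don, Fred); an Allow on any pane means the
    # client must match an allowed expression on one of them (Paul).
    if matches(user_rules.deny, [user]) or matches(group_rules.deny, groups):
        return False
    if not user_rules.allow and not group_rules.allow:
        return True
    return matches(user_rules.allow, [user]) or matches(group_rules.allow, groups)

# The configuration from the Examples section (no client host items).
HOST_RULES = Rules()
GROUP_RULES = Rules(allow=["administrators"], deny=["contractors"])
USER_RULES = Rules(allow=["Joe", "Don"], deny=["Fred"])

def page_examples():
    """Evaluate the four sample connections from the table above.
    "client.example" is a constructed host name; no host rules apply."""
    samples = {"Joe": ["users"], "Don": ["contractors"],
               "Fred": ["administrators"], "Paul": ["users"]}
    return {user: connection_allowed(HOST_RULES, GROUP_RULES, USER_RULES,
                                     "client.example", user, groups)
            for user, groups in samples.items()}
```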