Securing The Coldfusion Administrator - MACROMEDIA COLDFUSION 4.5-ADMINISTRING COLDFUSION SERVER Manual

296
another company's applications. It also ensures that no applications can tamper with
system resources.
The access permissions you assign to a directory tree through a security sandbox
override any other access permissions users might have for the tree. For example,
suppose you designate the directory c:/applications/hr_app as a security
sandbox. You configure the sandbox so that nobody could write to any of the Human
Resources department data sources via an application running from c:/
applications/hr_app. Even the Vice President of HR, who'd certainly have write
permissions to the HR data sources in all other contexts, would be unable to write to
those sources via an application run from this sandbox.
Note

Securing the ColdFusion Administrator

If you've already read earlier chapters of Administering ColdFusion Server, you know
that the ColdFusion Administrator is a browser-based interface that lets you perform
administrative tasks like managing server performance, adding and configuring
ColdFusion data sources, scheduling pages, and managing log files. For any
ColdFusion development project, some level of administration is generally necessary
to set up ColdFusion Server for your application. In some cases, it's feasible for a single
person to perform all the necessary administrative tasks. Many times, though, you'll
want to be able to delegate some ColdFusion management tasks.
With ColdFusion Server, you can decentralize administrative responsibility by creating
multiple administrators. Overall security is maintained because these additional
administrators can control only the resources and policies for which you've given them
explicit responsibility. You can assign the following types of administrative access to
any user:
Administrator — Provides complete read and write access to all ColdFusion
Administrator pages.
Privileged — Provides read and write access to all the ColdFusion pages except
the Basic and Advanced Security pages; Privileged users have no access at all to
the security pages.
Restricted — Provides read and write access only to the Datasources
Administrator pages, the Verify Data Source page, and the Verity Collections
page; Restricted users have no access to any other ColdFusion Administrator
pages. You can configure Restricted access so that a user only has access to
specified data sources
The ColdFusion decentralized administration model provides two important benefits:
It helps your teams streamline the development process and work together
more efficiently.
It lightens the administrator's load without sacrificing his control over the
system.
The security sandbox feature is only available in the Enterprise edition of
ColdFusion Server.
Administering ColdFusion Server