{= include("docs.util"); start_docs_page(docs.technical_manual.page_titles.security); =}

Since $PRODUCT_NAME runs as a CGI program or as a web server, it publishes its interface to any web browser which can reach its server. This is a powerful feature, but it also introduces security issues. $PRODUCT_NAME has a number of features which address these issues:

  1. Non-administrative users can access $PRODUCT_NAME through the profile list (the same as administrative users). When a non-administrator is logged in, the profile list only allows users to view reports of profiles; users cannot create, edit, or delete profiles, and they cannot build, update, or modify the database of any profile. The profile list is available at:

      http://www.myhost.com:8987/

    in web server mode, or

      http://www.myhost.com/cgi-bin/$PRODUCT_EXECUTABLE_DOCS

    in CGI mode.

  2. If you wish to take it a step further and not even present the profile list to the users, you can refer users directly to the reports for a particular profile:

    http://www.myhost.com/cgi-bin/$(PRODUCT_EXECUTABLE_DOCS).cgi?dp+templates.profile.index+
    p+profilename+webvars.username+john+webvars.password+johnspassword
    

    (this should all be on one line). Accessing this URL will show the reports for the profile "profilename", after logging in as user john with password "johnspassword".

  3. Only authorized administrators, meaning users who know the username and password of a $PRODUCT_NAME administrator, chosen at install time, may create new profiles, and only authorized administrators may modify profiles. Without administrator access, a user cannot create a new profile, modify an existing profile in any way, or perform any of the other tasks available on the administrative interface.

$PRODUCT_NAME also provides detailed control over the file and $lang_stats.directory permissions of the files and $lang_stats.directories it creates; see {=docs_chapter_link('permissions')=}.
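
The URL in item 2 carries the username and password in the query string, so the web server writes them into its access log and browsers can pass them on in the Referer header. The following is an added example, not part of $PRODUCT_NAME or its documentation: a Python script that redacts `webvars.password` values from access-log lines and lists the usernames whose passwords were logged. The log lines and the executable name `product.cgi` are constructed, and the rule for where a value ends is an assumption.

```python
import re

# Separator and value shape of the '+'-delimited query in item 2's URL.
# Assumption: a value ends at the next '+', '%2B', '&', whitespace or quote.
SEP = r'(?:\+|%2[Bb])'
VALUE = r'((?:(?!%2[Bb])[^+&\s"])*)'
USER_RE = re.compile(r'webvars\.username' + SEP + VALUE)
PASS_RE = re.compile(r'(webvars\.password' + SEP + r')' + VALUE)

# Constructed access-log lines; "product.cgi" is a placeholder executable name.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/product.cgi?'
    'dp+templates.profile.index+p+profilename+webvars.username+john+'
    'webvars.password+johnspassword HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/product.cgi '
    'HTTP/1.1" 200 830 "-" "Mozilla/5.0"',
    # The same kind of URL arriving as the Referer of a later request.
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /logo.png HTTP/1.1" '
    '200 99 "http://www.myhost.com/cgi-bin/product.cgi?dp+templates.profile.'
    'index+p+profilename+webvars.username+mary+webvars.password+s3cret" '
    '"Mozilla/5.0"',
]


def scrub_line(line):
    """Return (redacted line, username or None, whether a password was found)."""
    user = USER_RE.search(line)
    redacted, hits = PASS_RE.subn(r'\g<1>[REDACTED]', line)
    return redacted, (user.group(1) if user else None), hits > 0


def scrub_log(lines):
    """Redact every line and collect the accounts whose passwords were logged."""
    clean, exposed = [], set()
    for line in lines:
        redacted, user, hit = scrub_line(line)
        clean.append(redacted)
        if hit:
            exposed.add(user or "<unknown>")
    return clean, sorted(exposed)


if __name__ == "__main__":
    clean, exposed = scrub_log(SAMPLE_LOG)
    print("\n".join(clean))
    print("passwords to change for:", ", ".join(exposed))
```

Run it over existing logs before archiving or sharing them; any account it lists has had its password stored in clear text.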

{= end_docs_page() =}