Permissions for AbleCommerce

These are advanced configuration options to reduce permissions after installation.  

For new installations, AbleCommerce will automatically detect the necessary permissions before installation can begin.

 

During the initial installation of AbleCommerce, you are instructed to give the Network Service user write permissions to the folder where the AbleCommerce files are to be placed.  This is the simple and quickest way to setup permissions for the installation.  However, if you are in a shared hosting environment where you must establish permissions on individual directories or you wish to use only the minimum necessary permissions to run the web application, then you should review and follow the instructions in this document.

You can also perform the installation with full permissions and then later reduce those permissions to only the minimum necessary.


Trust Policies

AbleCommerce recommends that a web host, running multiple shared hosting accounts on a server, should implement a security policy based on Medium Trust.  Under Medium Trust, the IIS server enforces application isolation.  In the context of file access, the application can only read/write/modify/delete files that are part of the application directory.  So, even if the ASP.NET user had NT File System  permissions to access the entire C:\ drive, if the server is Medium Trust, an attempt by ASPNET to access C:\autoexec.bat would crash with a security exception.

Additionally, with a shared server, you should not use the same windows user account for every hosted website.  This provides an extra layer of protection – for example, if one hosted account runs under the user ”r;websiteuser1” and another hosting account runs under the user ”r;websiteuser2”, then each account only has NTFS permission to access its own web directory.  Some hosting control panels, such as CPanel, will do this automatically.

You should never allow shared applications to run in High/Full Trust or have no logical division of hosting accounts, or both.

There are a few features within AbleCommerce that will not work in a Medium Trust environment:

 
To Enable a Medium Trust Policy:

This example explains how to modify the default medium trust policy that is installed with the .NET framework.  Depending on your needs, you may wish to create a custom policy based on medium trust and modify it instead.  Determining the appropriate trust policies for your needs is beyond the scope of this document.

1. Open the folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CONFIG

2. Open the file web_mediumtrust.config file in a text editor.

3. Find the WebPermission in the web_mediumtrust.config file, as shown in the below:

                            <IPermission class="WebPermission" version="1">

                                <ConnectAccess>

                                    <URI uri="$OriginHost$"/>

                                </ConnectAccess>

                            </IPermission>

4. Edit the WebPermission, removing the ConnectAccess element and setting the permission to unrestricted as shown below.

                            <IPermission class="WebPermission" version="1" Unrestricted="true" />

5. Save the change to the file.  Now medium trust will allow WebPermission.

 

User Accounts

For Windows 2008 and 2012 servers, the default user account is "Network Service"

For either operating system, the ASPNET process could be running under a different identity.  This depends on each server's unique setup.  We have created a test script that can be used to determine what user ASPNET is running under, because that is the user that must have permissions to the folders.  In that case, the ASPNET and Network Service accounts are not applicable.

 

Minimum Permissions:

Write and Delete permissions are only required on various sub-folders (as you noted below).  Read permissions are required for all folders.

[Root]\Folder

Required Write/Delete Permissions

App_Data

If you have a user instance SQL Express database, we have to be able to write to it in this location.  Also, some .config files, log files, scriptlets, and digital goods are placed  here.  The App_Data folder is forbidden from web access by IIS; it can only be accessed by the ASPNET process (assuming it has permission).

App_Themes

If you edit the themes from the Merchant Administration, we have to be able to update the files in this location.

Assets

This is where the store's images are placed, as well as other media, such as pdf files.  If you want to upload, edit, and modify these files, you must have permissions to this folder.

Webcharts

The graphs shown on the merchant dashboard are rendered to JPG and then displayed.  The application writes them to file in this directory as part of a caching scheme.  Delete access is also needed so we can clean up the images when the cached copies expire.

Layouts

The Layout Editor allows you to select which controls are output on any page.  Permissions to write and edit these files is necessary for the feature to work.

[Root]

The SiteMap.xml file is written to the root directory.  If you decide to use the SiteMap feature within AbleCommerce, you must also provide permissions to this folder.  Additionally, if you need to update a license key, you will need permissions to the root folder.  

 

AbleCommerce Site Security

Securing your AbleCommerce experience - A customer’s real world guide from a real world experience.

 

 

 

Copyright © 1994 - 2018 AbleCommerce.com, All rights Reserved | Privacy Policy

A division of Able Solutions Corporation, headquarters located in Vancouver, WA