Verndale.Restrictor 1.0.3

OptiAccess Restrictor Add-on

Overview

The OptiAccess Restrictor add-on provides an easy way to control access to specific areas of an Optimizely website. By default, it restricts access to key administrative paths and allows you to configure policies for role-based access control.

Important: The add-on is disabled by default so that you can add your own IP. Be careful when activating it because you might lose access to the CMS. Additionally, some paths are whitelisted by default, such as /episerver and /util/login, but you can remove them if necessary.

The data is stored in DDS (Dynamic Data Store).

Installation & Configuration

1. Register the Add-on in Startup.cs

To enable the OptiAccess Restrictor, add it to the ConfigureServices method in Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    // Basic registration
    services.AddRestrictor();

    // OR: Configure with custom policies
    services.AddRestrictor(authorizationOptions =>
    {
        authorizationOptions.AddPolicy("My.AddOn.Policy.Name", policy =>
        {
            // Required when using Opti ID authentication
            policy.AddAuthenticationSchemes(OptimizelyIdentityDefaults.SchemeName);

            // Define roles required for this policy
            policy.RequireRole("WebAdmins", "SeoAdmins");
        });
    });

    ...
}

2. Initialize the Restrictor Handler (Register Only in Lower Environments)

To avoid restrictions in production, ensure that the Restrictor Handler middleware is only registered in lower environments (such as Integration and Preproduction). Modify the Configure method of Startup.cs as follows:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (!env.IsProduction()) // Register only in non-production environments
    {
        app.UseRestrictor();
    }
    
    ...
}

3. Default Restricted Paths

By default, the following paths are whitelisted and accessible:

• /episerver
• /util/login
• /verndale-restrictor

If necessary, you can modify the configuration to remove or add paths as per your requirements.

Usage

Once installed, navigate to the IP Whitelist add-on view to configure your access rules. Here, you can whitelist IP addresses to allow access to restricted areas.

Enabling the Add-on

• Go to the add-on configuration page.
• Add your IP address to the whitelist.
• Enable the restriction by checking the Enable checkbox.
• Save the configuration.

Important Considerations

• Be careful when enabling the add-on, as incorrect configuration might lock you out of the CMS.
• Ensure that essential users have whitelisted IPs before enabling restrictions.
• If you need to restrict additional paths, update the configuration accordingly.
• The default whitelisted paths (/episerver, /util/login) can be removed if stricter security is required.

Notes

• Easily enable or disable access restriction by checking the Enable checkbox in the admin view.
• Ensure that users who need access have the appropriate roles defined in the policy.
• If you need to restrict additional paths, update the configuration accordingly.
• The data for the whitelist is stored in DDS (Dynamic Data Store), ensuring persistence across deployments.