The js-io-rights.conf file contains rules that permit write access to defined directories in the server file system.

Mandatory Content of the js-io-rights.conf File

Each line of the js-io-rights.conf file must contain the following information.

  • A plus (+) or minus (-) sign to indicate whether rights are permitted or denied

  • The read (r), write (w), and execute (x) levels of rights

  • The path on which to apply the rights

Default Content of the js-io-rights.conf File

The default content of the js-io-rights.conf configuration file on Windows is as follows:

-rwx C:/
+rwx C:/orchestrator
# relative to user.dir which is %orchestrator_install_dir%\app-server\bin
+rx ../../app-server/logs/
+rx ../../configuration/logs/
+rx ../bin/
-rwx ../../app-server/conf/security/
+rx ../../app-server/conf/
+rx ../../apps/
+r ../../version.txt

The first two lines in the default js-io-rights.conf configuration file on Windows set the following access rights:

-rwx c:/

All access to the file system is denied.

+rwx c:/orchestrator

Read, write, and execute access is permitted in the c:/orchestrator directory.

The default content of the js-io-rights.conf configuration file in the Orchestrator Appliance is as follows:

-rwx /
+rwx /var/run/vco
-rwx /etc/vco/app-server/security/
+rx /etc/vco
+rx /var/log/vco/

The first two lines in the default js-io-rights.conf configuration file in the Orchestrator Appliance set the following access rights:

-rwx /

All access to the file system is denied.

+rwx /var/run/vco

Read, write, and execute access is permitted in the /var/run/vco directory.

Rules in the js-io-rights.conf File

Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can override the previous lines.

In the default js-io-rights.conf configuration file, the second line partially overrides the first line because the c:/orchestrator rule comes after the c:/ rule. As a result, read, write, and execute access is permitted in c:/orchestrator, while access to the rest of the file system under c:/ remains denied.

The default configuration allows workflows and the Orchestrator API to write to the c:/orchestrator directory, but nowhere else.

Important:

You can permit access to all parts of the file system by setting +rwx / in the js-io-rights.conf file. However, doing so represents a high security risk.
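The following script is an added example, not Orchestrator code: it parses rule lines in the format described above and applies them in file order, which is useful for reviewing a js-io-rights.conf file before deploying it. The function names are hypothetical, and the matching model is an assumption drawn from the ordering rule on this page: a rule covers its path and everything beneath it, rights are resolved per letter with later lines overriding earlier ones, and a path that no rule matches is denied.

```python
import posixpath

# Appliance defaults as quoted on this page, embedded as sample input.
APPLIANCE_DEFAULT = """\
-rwx /
+rwx /var/run/vco
-rwx /etc/vco/app-server/security/
+rx /etc/vco
+rx /var/log/vco/
"""

def parse_rules(text):
    """Return (allow, perms, path) per rule line; skip blanks and # comments."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, path = line.partition(" ")
        path = path.strip()
        if head[0] not in "+-" or not head[1:] or set(head[1:]) - set("rwx") or not path:
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        # Relative paths are kept as written; they are not resolved against user.dir.
        rules.append((head[0] == "+", set(head[1:]), posixpath.normpath(path)))
    return rules

def effective(rules, path):
    """Rights left on `path` after applying every matching rule in file order."""
    path = posixpath.normpath(path)
    rights = set()  # assumption: nothing is permitted until a rule grants it
    for allow, perms, rule_path in rules:
        # Assumption: a rule covers its own path and everything beneath it.
        prefix = rule_path.rstrip("/") + "/"
        if path == rule_path or path.startswith(prefix):
            # Assumption: resolved per letter, a later line overrides an earlier one.
            rights = rights | perms if allow else rights - perms
    return rights

if __name__ == "__main__":
    rules = parse_rules(APPLIANCE_DEFAULT)
    for p in ("/var/run/vco/export.csv", "/tmp/export.csv", "/var/log/vco/server.log"):
        print(p, "".join(sorted(effective(rules, p))) or "(none)")
    # The setting the page warns about: a trailing "+rwx /" opens every path.
    opened = parse_rules(APPLIANCE_DEFAULT + "+rwx /\n")
    print("/tmp/export.csv", "".join(sorted(effective(opened, "/tmp/export.csv"))))
```

Because the matching model is an assumption, confirm the result for overlapping rules against the Orchestrator server itself before relying on it.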