Rules in the js-io-rights.conf File Permitting Write Access to the vRealize Orchestrator System

The js-io-rights.conf file contains rules that permit write access to defined directories in the server file system.

Mandatory Content of the js-io-rights.conf File

Each line of the js-io-rights.conf file must contain the following information.

A plus (+) or minus (-) sign to indicate whether rights are permitted or denied
The read (r), write (w), and run (x) levels of rights
The path on which to apply the rights.
Note: The root folder for the js-io-rights.conf file is always /var/run/vco. In the vRealize Orchestrator Appliance file system, this folder is located under /data/vco/var/run/vco. All content with access to the vRealize Orchestrator file system must be mapped under this root folder.

Default Content of the js-io-rights.conf File

The default content of the js-io-rights.conf configuration file in the Orchestrator Appliance is as follows:

-rwx /
+rwx /var/run/vco
+rx /etc/vco
-rwx /etc/vco/app-server/security/
+rx /var/log/vco/

The first two lines in the default js-io-rights.conf configuration file allow the following access rights:

-rwx /: All access to the file system is denied.
+rwx /var/run/vco: Read, write, and run access is permitted in the /var/run/vco directory.

Rules in the js-io-rights.conf File

vRealize Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can override the previous lines.

Important: You can permit access to all parts of the file system by setting +rwx / in the js-io-rights.conf file. However, doing so represents a high security risk.