Excluding anonymous internet users from specific records

When you have an Axiell Internet Server web application, you may not just want to limit general database access for anonymous internet users to read-only access, but you may also want to exclude certain records completely from showing up in a search result on the website.

Setup in IIS 10

In general, the best way to achieve this in IIS 10 is as follows:

  1. Create a new Active Directory account which you will be using as the account under which any anonymous internet user will access your website after this setup, if that doesn’t exist already. This account must have read access to the share(s) and files on the server(s) on which the web application, the .inf’s and SQL Server database are located. Choose a handy name for the new account, like “anonymous” or “internetuser”.

  2. Open your IIS Manager and in the left window pane select your website. Double-click the Authentication icon on the right.

  3. Select Anonymous Authentication and click Edit… under Actions.

  4. Mark the Application Pool identity option, and click OK.

  5. In the left window pane, select Application pools, then select the application pool for your website and click the Advanced settings… option in the right window pane.

  6. In the Advanced Settings window, select Identity under Process model and click the … button which appears behind the identity name on the right. The Application Pool Identity window opens. Mark the Custom account option. Click the Set… button.

  7. In User name, enter the account name you created earlier, preceded by your domain and a backslash (e.g. Axiell\anonymous), and in Password and Confirm password enter the password you assigned to it. Click OK.

  8. Click OK in the three open windows and close IIS.

Further setup in MS SQL Server Management Studio

If you use Windows authentication to handle access to the SQL Server database, you’ll have to set the new account name as a user in that database, with read-only rights.
So, open Microsoft SQL Server Management Studio, open the relevant database node and under Security, right-click the Users node and choose New user. In the Database user – New window which has opened, enter the account name you created earlier in both the User name and the Login name entry field, preceded by the proper domain and a backslash. Open the Membership page and mark the db_datareader role, before clicking OK.

If you are using SQL Server authentication instead of Windows authentication, then the new Active Directory user account already has read-only access to the SQL Server database. So you don’t need to add it as a user in the database.

Edit record access rights in your Collections application

Assuming you have already set up the record access rights functionality in your Collections application, you can now use the anonymous internet user account name which you created (without domain this time) to exclude records. In the Record access field group on the Management details tab, the user must enter this name in Collections records and possibly (depending on the setup) select the access rights None. If a record has None access rights it will now be excluded from wwwopac search results entirely. Note that only the record owner (who created the record) can enter or edit these access rights.

In the Designer Help, see the General Topics > User authentication and access rights > Use the authorisation functionality topic for information about how to set up record authorisation in your application.

With None access right for the anonymous user you specify that this user account has no access to this record. It is very well possible though that you or the application manager decided to implement record access rights slightly differently, in which case the user only needs to enter the anonymous internet user account name in the User field to automatically exclude the anonymous users from access to this record: in that case there is no Rights drop-down list to select other access rights from.