Startup parameters: JavaScript access
Startup parameters change the behavior of the server.
Parameter
jsaccessfilereadregex
jsaccessfilewriteregex
jsaccesscmdregex
Description
These parameters specify access restrictions from JavaScript code for file access and command execution. This is required for security reasons so that users with Process Designer tailoring rights are not able to use the available Service Manager JavaScript APIs to directly access the underlying host file system and command line in an unauthorized way. These restrictions are described below:
- System administrator (sysadmin) users are allowed unrestricted access to the file system and command line
- Non-sysadmin users are also allowed unrestricted access by default (when none of these configuration parameters is present); if any of these parameters is present, access is restricted as follows:

jsaccessfilereadregex:<regex>
: Files read using the readFile() and uncompressFile() (compressed file only) JavaScript functions must have an absolute path name that matches the regular expression <regex>.

jsaccessfilewriteregex:<regex>
: Files written using the writeFile(), deleteFile(), makeDir(), uncompressFile() (output dir only), and writeAttachmentToFile() JavaScript functions must have an absolute path name that matches the regular expression <regex>.

jsaccesscmdregex:<regex>
: Operating system commands executed by using the sysExec() JavaScript function (including parameters) must match the regular expression <regex>.
Regular expressions must use proper Java-style regex syntax (similar to Perl-style); for example, '.' means any character and backslashes need to be doubled. File path names in jsaccessfilereadregex and jsaccessfilewriteregex must be absolute and use proper delimiters ('/' for UNIX, and '\' for Windows). They are case-sensitive for UNIX and case-insensitive for Windows.
File path names used as parameters to JavaScript functions can still be any legal OS-specific file path names. Absolute and relative path names are allowed as well as the usage of '.' and '..'. On Windows, delimiters can be either '/' or '\', while UNIX only allows '/'. However, path names from JavaScript commands are normalized first (relative paths are made absolute, the '.' and '..' are eliminated, and on Windows '/'s are transformed into '\'s) before they are pattern matched against their corresponding regular expression.
Command line strings in the sysExec() JavaScript function are taken as is and compared to the jsaccesscmdregex regular expression. The following table lists the strings that are not allowed in the command line run by sysExec(). If administrators need to use any of these strings in the command line, they can put the real command line in a .sh or .bat file, and then run the .sh/.bat file in sysExec() instead. When any JavaScript attempts to run unauthorized commands or use these forbidden strings in the command line run by sysExec(), audit warning messages will be logged in the server log (sm.log). The messages include the commands to be run, and the user's login name.
Forbidden string in command line | Comment |
---|---|
\|\| | Logical OR in shell. |
\| | The Pipe symbol. |
; | Shell statement ending; the shell interpreter will run the command that follows. |
\`\` | A pair of backquotes. The shell interpreter will run the command between \`\` first, and then insert its STDOUT output to the command line of the outside command. |
&& | Logical AND in shell. |
& | Run in the background; the shell interpreter will run the command that follows. |
>> | File appending; it will write to file. |
> | File redirection; it will write to file. |
Valid if set from
Server's operating system command prompt
Initialization file (sm.ini)
Requires restart of server?
Yes
Default value
None (Unrestricted file access and command execution)
Possible values
Regular expressions
Example usage
- `jsaccessfilereadregex:C:\\Users\\joe\\Documents\\.+|C:\\SM-Install\\server-dist\\RUN\\(\w)+\.js`

  Read access is limited to any files under the C:\Users\joe\Documents directory and only for .js files under the C:\SM-Install\server-dist\RUN directory.
- `jsaccessfilewriteregex:^$`

  Only matches the empty string. This is used to deny all write access to the file system.
- `jsaccesscmdregex:dir .*|copy "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\from\\(\w)+" "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\to\\(\w)+"`

  Command execution is limited to the "dir" command with any parameters or the "copy" command, but only from a file in the C:\Users\spinu\Documents\SM\Special Dir\from directory to a file in the C:\Users\spinu\Documents\SM\Special Dir\ directory.
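A candidate regex can be rehearsed offline against the normalization, regex match and forbidden-string rules described above before it goes into sm.ini. The following Node.js script is an added example, not Service Manager code; it reuses the example regexes from this page. Assumptions: the server requires the whole string to match, `path.win32` stands in for the server's Windows normalization, relative paths resolve against the RUN directory, and all function names are hypothetical.

```javascript
// Added example: offline approximation of the documented checks, not Service Manager code.
const path = require('path');

// Regex values exactly as they would follow "parameter:" (taken from the page's examples).
const READ_REGEX = String.raw`C:\\Users\\joe\\Documents\\.+|C:\\SM-Install\\server-dist\\RUN\\(\w)+\.js`;
const CMD_REGEX = String.raw`dir .*|copy "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\from\\(\w)+" "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\to\\(\w)+"`;

// Assumption: the server requires the whole string to match (Java matches() semantics).
const fullMatch = (src, flags) => new RegExp('^(?:' + src + ')$', flags);

// Normalize as the page describes for Windows: make absolute, drop '.' and '..',
// turn '/' into '\'. Assumption: relative paths resolve against the RUN directory.
function readAllowed(requested, cwd = String.raw`C:\SM-Install\server-dist\RUN`) {
  const normalized = path.win32.resolve(cwd, requested);
  // Windows path matching is case-insensitive per the page, hence the 'i' flag.
  return { normalized, allowed: fullMatch(READ_REGEX, 'i').test(normalized) };
}

// Strings the page lists as forbidden in a sysExec() command line.
function forbiddenIn(cmd) {
  const hits = ['||', '|', ';', '&&', '&', '>>', '>'].filter((s) => cmd.includes(s));
  if (/`[^`]*`/.test(cmd)) hits.push('``'); // a pair of backquotes
  return hits;
}

// The command line is taken as is (no normalization) and must also match the regex.
// Assumption: command matching is case-sensitive; the page does not say.
function cmdAllowed(cmd) {
  const forbidden = forbiddenIn(cmd);
  return { forbidden, allowed: forbidden.length === 0 && fullMatch(CMD_REGEX, '').test(cmd) };
}

// Constructed sample inputs.
const samples = [
  readAllowed('C:/Users/joe/Documents/notes.txt'),
  readAllowed(String.raw`C:\Users\joe\Documents\..\..\admin\secrets.txt`),
  readAllowed('sub/lib.js'),
  cmdAllowed(String.raw`dir C:\Temp`),
  cmdAllowed(String.raw`dir C:\Temp > out.txt`),
];
for (const s of samples) console.log(JSON.stringify(s));
```

The last sample shows why the forbidden-string list matters: `dir .*` alone would accept the redirection, so a permissive command regex relies on that second check.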