The js-io-rights.conf file contains rules that permit write access to defined directories in the server file system.

Mandatory Content of the js-io-rights.conf File

Each line of the js-io-rights.conf file must contain the following information.

A plus (+) or minus (-) sign to indicate whether rights are permitted or denied

The read (r), write (w), and execute (x) levels of rights

The path on which to apply the rights

Default Content of the js-io-rights.conf File

The default content of the js-io-rights.conf configuration file is:

-rwx c:/

+rwx c:/orchestrator
+rx ../../configuration/jetty/logs/
+rx ../server/vmo/log/
+rx ../bin/
+rx ./boot.properties
+rx ../server/vmo/conf/
+rx ../server/vmo/conf/plugins/
+rx ../server/vmo/deploy/vmo-server/vmo-ds.xml
+rx ../../apps/
+r ../../version.txt

The first two entries in the default js-io-rights.conf configuration file allow the following access rights:

-rwx c:/

All access to the file system is denied.

+rwx c:/orchestrator

Read, write, and execute access is permitted in the c:/orchestrator directory.

Rules in the js-io-rights.conf File

Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can override the previous lines.

In the default js-io-rights.conf configuration file, the second line partially overrides the first line because c:/orchestrator is after c:/, which allows read, write, and execute access to c:/orchestrator but denies access to the rest of the file system under c:/.

The default configuration allows workflows and the Orchestrator API to write to the c:/orchestrator directory, but nowhere else.

Important

You can permit access to all parts of the file system by setting +rwx / in the js-io-rights.conf file. However, doing so represents a high security risk.