Secure your lower environments to avoid accidental use from external users. Somehow, a user was able to place an order in preproduction which led me to create this add-on. I know I could create a visitor group and filter the site by IP, but I decided to explore another alternative to give more options like whitelisting specific paths, enabling/disabling restrictions, or implementing other future improvements.

Why Use the OptiAccess Restrictor Add-on?
With OptiAccess Restrictor, you can:
- Prevent unauthorized users from accessing sensitive parts of the CMS.
- Restrict access based on IP addresses.
- Whitelist specific paths.
How It Works
The OptiAccess Restrictor add-on allows administrators to whitelist IPs through an intuitive interface. By default, the add-on is disabled, ensuring that you have the opportunity to whitelist your IP before activating it. This prevents accidental lockouts.
Additionally, some key paths are automatically whitelisted (such as /episerver and /util/login), allowing access for essential functionality. However, administrators have full control to modify or remove these paths based on security requirements.
Users will see the following view when trying to access a restricted page:

Key Features
1. IP Whitelisting
Administrators can whitelist specific IP addresses to ensure that only authorized users have access to the CMS.
2. Role-Based Access Control
With role-based policies, you can define which user roles (e.g., WebAdmins, Developers) can access the add-on.
3. Secure Storage of Configuration
The add-on uses DDS (Dynamic Data Store) to store configuration data.
4. Granular Path Restrictions
By default, paths like /episerver are whitelisted, but administrators can customize or remove these rules if stricter security is needed.
Installation & Configuration
Step 1: Install and Register the Add-on
To install it, add the following NuGet package to your solution:
Install-Package Verndale.Restrictor
To enable the OptiAccess Restrictor, add the following to your Startup.cs file:
public void ConfigureServices(IServiceCollection services)
{
    services.AddRestrictor();
}
Step 2: Configure Access Policies
For more granular control, define role-based access policies:
services.AddRestrictor(authorizationOptions =>
{
    authorizationOptions.AddPolicy("AdminOnly", policy =>
    {
        policy.AddAuthenticationSchemes(OptimizelyIdentityDefaults.SchemeName);
        policy.RequireRole("WebAdmins");
    });
});
Step 3: Apply the Restrictor Middleware
To prevent accidental lockouts in production, apply the middleware only in lower environments:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (!env.IsProduction())
    {
        app.UseRestrictor();
    }
}
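To make the behaviour described under How It Works and in the three steps above concrete, here is a stand-alone ASP.NET Core app written as an added example for this post; it is not the Verndale.Restrictor add-on's own implementation. It implements the same three controls as a single middleware (disabled by default, an IP whitelist, and a path whitelist that keeps /episerver and /util/login reachable) and applies the same non-production gate as Step 3. The names RestrictorOptions, AccessRestrictorMiddleware, the "Restrictor" configuration section and the proxy address 10.0.0.5 are assumptions, and the settings are read from appsettings instead of DDS.

```csharp
// Added example for this post: a stand-alone middleware with the controls the
// add-on describes. Not the Verndale.Restrictor code; RestrictorOptions,
// AccessRestrictorMiddleware and the "Restrictor" config section are assumed names.
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Settings come from configuration here rather than DDS, e.g. in appsettings.Development.json:
//   "Restrictor": { "Enabled": true, "AllowedIps": [ "203.0.113.10" ] }
builder.Services.Configure<RestrictorOptions>(builder.Configuration.GetSection("Restrictor"));

// Behind a load balancer the client address arrives in X-Forwarded-For. Trust that
// header only from known proxies; otherwise a caller can forge it to pass the whitelist.
builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
    o.ForwardedHeaders = ForwardedHeaders.XForwardedFor;
    o.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // constructed placeholder address
});

var app = builder.Build();
app.UseForwardedHeaders();

// Same environment gate as Step 3: never restrict production by accident.
if (!app.Environment.IsProduction())
{
    app.UseMiddleware<AccessRestrictorMiddleware>();
}

app.MapGet("/", () => "storefront");
app.MapGet("/episerver", () => "CMS entry point, whitelisted by path");
app.Run();

public sealed class RestrictorOptions
{
    // Off by default so an administrator can whitelist their own IP before turning it on.
    public bool Enabled { get; set; } = false;
    public List<string> AllowedIps { get; set; } = new();
    // Paths that stay reachable so the CMS can still be administered (and the
    // restriction switched off) from a non-whitelisted address.
    public List<string> AllowedPathPrefixes { get; set; } = new() { "/episerver", "/util/login" };
}

public sealed class AccessRestrictorMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IOptionsMonitor<RestrictorOptions> _options;
    private readonly ILogger<AccessRestrictorMiddleware> _logger;

    public AccessRestrictorMiddleware(RequestDelegate next,
        IOptionsMonitor<RestrictorOptions> options,
        ILogger<AccessRestrictorMiddleware> logger)
    {
        _next = next;
        _options = options;
        _logger = logger;
    }

    // Decision logic kept pure so it can be unit-tested without an HttpContext.
    public static bool IsAllowed(RestrictorOptions o, IPAddress? remote, PathString path)
    {
        if (!o.Enabled) return true;

        foreach (var prefix in o.AllowedPathPrefixes)
        {
            if (path.StartsWithSegments(prefix, StringComparison.OrdinalIgnoreCase)) return true;
        }

        if (remote is null) return false; // no remote address known: fail closed

        // Kestrel reports IPv4 clients on a dual-stack socket as ::ffff:a.b.c.d;
        // normalise both sides so a plain "203.0.113.10" entry still matches.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();

        foreach (var allowed in o.AllowedIps)
        {
            if (!IPAddress.TryParse(allowed, out var ip)) continue; // ignore malformed entries
            if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
            if (ip.Equals(remote)) return true;
        }
        return false;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var remote = context.Connection.RemoteIpAddress;
        if (IsAllowed(_options.CurrentValue, remote, context.Request.Path))
        {
            await _next(context);
            return;
        }

        // Log the block so lockouts in lower environments are easy to diagnose.
        _logger.LogWarning("Restrictor blocked {RemoteIp} requesting {Path}", remote, context.Request.Path);
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsync("This environment is restricted.");
    }
}
```

Two points in the design matter for the add-on as well: the client address used for the check is only as trustworthy as the forwarded-headers configuration in front of it, so KnownProxies (or KnownNetworks) must name the real load balancer; and keeping /episerver and /util/login on the path whitelist is what lets an administrator who is not on the IP whitelist still reach the CMS and turn the restriction off, which is the same recovery path the comments below describe.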
Best Practices When Using OptiAccess Restrictor
- Whitelist Your IP Before Enabling the Add-on – This prevents accidental lockouts from the CMS.
- Modify Default Whitelisted Paths If Needed – If /episerver and /util/login should be restricted, adjust the configuration accordingly.
What’s the protocol if the customer accidentally locks themselves out of Production?
Hi Surjit,
Data is saved in DDS. You can execute a SQL script to disable the add-on. Additionally, you might want to always allow the paths /episerver and /util/login, so you can edit the data from the CMS.