Introduction

This article describes how to restrict access to the K2 Designer using Internet Information Services (IIS). Follow the steps below to set up authorization rules in IIS to give specific groups or users permissions to access the K2 Designer.

If you are using K2 Five or later, you can use K2 Designer settings and the Authorization Framework in the K2 Management Site to restrict and manage access. See the Authorization Framework topic in the user guide for more information. If you want to use Internet Information Services (IIS) Manager to restrict access, you need administrative knowledge and permissions in IIS.

Procedure

Use the steps in this topic to restrict access to the K2 Designer to specific users and groups by adding authorization rules in Internet Information Services (IIS) Manager. Only groups and users that have been granted access will be able to open the K2 Designer site.

In addition to the specific users/roles/groups you want to add to the authorization rules, you also need to add: 

  • All application pool user accounts for the application pools used to run the K2 websites
  • The K2 service user account 

Accessing IIS Authorization Rules

  1. Navigate to Start > All Programs > Administrative Tools > Internet Information Services Manager
  2. In IIS Manager, locate the Designer site and double-click the Authorization Rules icon
  3. Select the Allow All Users rule and click Edit on the right in the Actions section

Adding Users

  1. Select the option Specified users and type the user name.
  2. Click OK. The specified user will now be able to access the K2 Designer site.

Adding Groups

Internet Information Services 8

When you use IIS 8, the GroupSID is required to add a group. Install the AD module for PowerShell and run Get-ADGroup -Identity "Group_name" to get the GroupSID value. Alternatively, use this PowerShell script, which does not need the AD module, to get the GroupSID value:

$objUser = New-Object System.Security.Principal.NTAccount("Domain name", "Group name")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

For example:

$objUser = New-Object System.Security.Principal.NTAccount("DENALLIX", "Domain Users")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

  1. In IIS, select the option Specified roles or user groups then copy and paste the GroupSID from PowerShell.
  2. Click OK.

Internet Information Services 10

When you use IIS 10, add a group using the DOMAIN\GroupName format as shown below.

  1. In IIS, select the option Specified roles or user groups then provide the DOMAIN\GroupName.
  2. Click OK.
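
The steps above can also be scripted with the WebAdministration PowerShell module. The following is an added example, not part of the original article or K2's own tooling. The site path and the account and group names are placeholders, and $UseGroupSid selects between the IIS 8 (GroupSID) and IIS 10 (DOMAIN\GroupName) formats described above.

```powershell
# Added example, not K2's own script. Site path and account names are placeholders.
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

$SitePath    = 'IIS:\Sites\K2\Designer'   # assumed IIS path of the K2 Designer site
$Filter      = '/system.webServer/security/authorization'
$UseGroupSid = $true                      # $true: IIS 8 (GroupSID); $false: IIS 10 (DOMAIN\GroupName)

# Users to allow, including the accounts the article says must always be added.
$Users  = @('DENALLIX\K2Service',         # K2 service user account (placeholder name)
            'DENALLIX\K2AppPool',         # application pool account (placeholder name)
            'DENALLIX\Designer1')         # a designer (placeholder name)
$Groups = @('DENALLIX\K2 Designers')      # group to allow (placeholder name)

function Resolve-Sid([string]$Account) {
    # Same translation as the article's snippet; throws if the name cannot be resolved.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Resolve every name before touching IIS, so a typo cannot leave a half-applied rule set.
$Users | ForEach-Object { [void](Resolve-Sid $_) }
$Roles = $Groups | ForEach-Object { if ($UseGroupSid) { Resolve-Sid $_ } else { $_ } }

$existing = (Get-WebConfiguration -Filter $Filter -PSPath $SitePath).Collection

# Add the Allow rules first, skipping any that already exist.
foreach ($u in $Users) {
    if (-not ($existing | Where-Object { $_.accessType -eq 'Allow' -and $_.users -eq $u })) {
        Add-WebConfiguration -Filter $Filter -PSPath $SitePath -Value @{ accessType = 'Allow'; users = $u }
    }
}
foreach ($r in $Roles) {
    if (-not ($existing | Where-Object { $_.accessType -eq 'Allow' -and $_.roles -eq $r })) {
        Add-WebConfiguration -Filter $Filter -PSPath $SitePath -Value @{ accessType = 'Allow'; roles = $r }
    }
}

# Only then remove "Allow All Users", so there is no window in which nobody is allowed.
if ($existing | Where-Object { $_.accessType -eq 'Allow' -and $_.users -eq '*' }) {
    Remove-WebConfigurationProperty -Filter $Filter -PSPath $SitePath -Name '.' `
        -AtElement @{ users = '*'; roles = ''; verbs = '' }
}

# Show the resulting rules for review.
(Get-WebConfiguration -Filter $Filter -PSPath $SitePath).Collection |
    Select-Object accessType, users, roles
```

Run it from an elevated PowerShell session on the IIS server, and check the final rule list for the service and application pool accounts before closing the session.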