Docroot and File Permission Configuration

The Docroot configuration options include the docroot and file permissions. The absolute path, or docroot, is the area of the file system that is accessible to an Aspera transfer user. The default empty value allows access to the entire file system. You can set one global docroot and then further restrict access to the file system by group or individual user.

Important Configuration Notes:

  • The default server configuration gives users full access to the server's file system with read, write, and browse privileges. Aspera strongly recommends setting a global docroot that is an empty folder and setting global file permissions to false. For a compilation of server security best practices, see Configuring Shares Security.
  • Some Aspera features require a docroot in URI format or require a file restriction instead of a docroot. For more information, see Docroot vs. File Restriction.
  1. Open HST Server with root privileges.
  2. Click Configuration > Docroot.

    Bring up the Server Configuration window

    Docroot configuration options.

  3. Edit Global, Groups, and Users settings on their Docroot tabs. Select Override in the option's row to set an effective value. User settings take precedence over group settings, which take precedence over global settings.

    Aspera recommends setting restrictive Global settings, as described in the following table, and then granting permissions for specific Groups or Users.

Docroot Settings Reference

Field Description Values Default
Absolute Path The absolute path, or docroot, is the area of the file system that is accessible to an Aspera transfer user. The default empty value allows access to the entire file system. You can set one global docroot and then further restrict access to the file system by group or individual user. Docroot paths require specific formatting depending on where the transfer server's storage is located.
Format examples
  • Local storage absolute path:/home/aspera424/movies

    Or using a placeholder for usernames: /home/$(name)

  • Local storage in URI format: file:////home/bear/movies

    URI format is required for server-side encryption-at-rest, but is not supported by the Aspera Watch Service.

  • Cloud or on-premises object storage: see Setting Docroots for Object Storage and HDFS.

Aspera recommends setting a global docroot to an empty folder or a part of the file system specific to each user. If there is a pattern in the docroot of each user, for example, /sandbox/username, you can use a substitutional string. This allows you to assign an independent docroot to each user without setting it individually for each user. See Setting Up Users for information.

You can also set multiple docroots and make them conditional based on the IP address from which the connection is made by editing aspera.conf. To do so, edit the absolute path setting by adding the IP address using the following syntax:
<absolute peer_ip="ip_address">path</absolute>
 file path or URI undefined (total access)
Read Allowed Set to true (default) to allow users to transfer files and folders from their docroot.
  • true
  • false
 true
Write Allowed Set to true (default) to allow users to transfer files and folders to their docroot.
  • true
  • false
 true
Browse Allowed Set to true (default) to allow users to browse their docroot.
  • true
  • false
 true