File System

The security.fileSystem node sets where applications can open and save files. It is built on a trust level that defines the overall posture, refined by allow/block path lists and by virtual shares surfaced in the file-transfer panel.

Editor: File System accordion · JSON: security.fileSystem

Trust levels

The trustLevel enum uses camelCase values in the JSON. It is the one required property of this node.

Value        File-system posture
disposable   Maximum-restricted kiosk. Ephemeral working area; nothing persists beyond the session.
noTrust      Session folder only. Most restrictive persistent mode; users work through controlled, browser-native dialogs.
lowTrust     Limited access to a constrained set of locations (Public / User Documents), extendable with allowed paths.
fullTrust    Unrestricted file-system access; appropriate only for trusted users and applications.

For the security rationale behind each level, see Trust Levels.

Properties

Property        Type       Default   Notes
trustLevel *    enum                 noTrust, lowTrust, fullTrust, disposable. Required.
allowedPaths    string[]   []        Additional permitted paths. Applies to lowTrust / fullTrust only; the editor greys this out for noTrust / disposable.
blockedPaths    string[]   []        Explicitly blocked paths (blacklist), added on top of the global baseline.
virtualShares   object[]   []        Named server locations shown in the file-transfer panel (see below).

Virtual shares

Each entry in virtualShares publishes a server-side location into the file-transfer panel.

Property   Type       Default   Notes
name *     string               Display name in the panel.
path *     string               Server file-system path.
access *   enum                 ReadOnly or ReadWrite.
filters    string     "*.*"     Pipe-separated extension filters, e.g. *.txt|*.log.
enabled    boolean    true      Whether the share is active.
groups     string[]             IAM group IDs allowed to see this share. Omit or leave empty for everyone.

Sample

"fileSystem": {
  "trustLevel": "lowTrust",
  "allowedPaths": ["C:\\Workspaces\\Shared"],
  "blockedPaths": [],
  "virtualShares": [
    {
      "name": "Public Documents",
      "path": "C:\\Users\\Public\\Documents",
      "access": "ReadWrite",
      "filters": "*.*",
      "enabled": true,
      "groups": []
    }
  ]
}

How open and save behave

When an application opens a file dialog, WebStream redirects it to a browser-native experience governed by the policy. The trust level and any path rules determine which locations are visible and whether saving is permitted. From the user's point of view, opening and saving feel native — see Opening & Saving Files.

Figure: A browser-native save dialog presented under policy control.

app.config.xml override

The trust level overrides the global <trust><level> default when present; with no policy, the global level applies. blockedPaths is unioned with the global <filesystemRestrictions><defaultBlockedPaths> baseline (policy can add, not remove), and <protectedPaths> are never unblocked even if a policy lists them. The master switch <filesystemRestrictions><enabled> is a gate: if disabled, no NTFS ACL enforcement happens at all. When a policy supplies virtualShares, that list replaces any shares defined in app.config.xml.
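
The override rules above, worked through in Python as an added example (not WebStream's own code) for reviewing what a policy actually yields. `resolve` and the keys of `global_cfg` are hypothetical stand-ins for the app.config.xml values, and the paths in `GLOBAL_CFG` are constructed; it assumes a policy "lists" a protected path through allowedPaths and that sub-paths of a protected path are protected too.

```python
import ntpath

# Constructed stand-in for the global app.config.xml values (hypothetical keys).
GLOBAL_CFG = {"trustLevel": "noTrust", "restrictionsEnabled": True,
              "defaultBlockedPaths": ["C:\\Windows"],
              "protectedPaths": ["C:\\ProgramData"], "virtualShares": []}

def _norm(p):
    # Windows paths compare case-insensitively; also collapse ".." and "/".
    return ntpath.normcase(ntpath.normpath(p))

def _under(path, root):
    path, root = _norm(path), _norm(root).rstrip("\\")
    return path == root or path.startswith(root + "\\")

def resolve(policy, global_cfg):
    """policy: a security.fileSystem node (dict), or None when no policy applies."""
    fs, notes = policy or {}, []
    # Policy trust level overrides the global default when present.
    level = fs.get("trustLevel", global_cfg["trustLevel"])
    # allowedPaths only applies to lowTrust / fullTrust.
    requested = fs.get("allowedPaths", [])
    if level not in ("lowTrust", "fullTrust"):
        if requested:
            notes.append(f"allowedPaths ignored under {level}")
        requested = []
    allowed = []
    for p in requested:
        # Assumption: a path at or below a protected path counts as protected.
        if any(_under(p, prot) for prot in global_cfg["protectedPaths"]):
            notes.append(f"{p} is protected and stays blocked")
        else:
            allowed.append(p)
    # blockedPaths is a union with the global baseline: add, never remove.
    blocked = list(global_cfg["defaultBlockedPaths"])
    for p in fs.get("blockedPaths", []):
        if _norm(p) not in {_norm(b) for b in blocked}:
            blocked.append(p)
    # A policy-supplied virtualShares list replaces the global one outright.
    shares = fs["virtualShares"] if "virtualShares" in fs else global_cfg["virtualShares"]
    if not global_cfg["restrictionsEnabled"]:
        notes.append("filesystemRestrictions disabled: no NTFS ACL enforcement")
    return {"trustLevel": level, "allowedPaths": allowed, "blockedPaths": blocked,
            "virtualShares": [s["name"] for s in shares if s.get("enabled", True)],
            "notes": notes}
```

Any entry in `notes` marks a place where the policy as written differs from what is enforced, which is worth resolving before the policy is deployed.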

Warning

Start restrictive and open up only where a workflow requires it. Granting fullTrust broadly removes most of the file-handling controls that make browser delivery safer than raw RDP.