
Restricting users' access to Coldfusion datasource

New Here, Feb 18, 2025

Hi,

There are two different databases on the same server (MSSQL) with a Coldfusion datasource added. How can I restrict access to these databases for two different developers who are developing with Coldfusion? Both users have file systems at a level that only they can access.

For example, only user x can access database a. User y can access database b. User x, who has access to database a, can access the database that he/she does not have permission to by typing

<cfquery name="GetAll" datasource="b{coldfusion datasource that he/she does not have permission to}">
...
</cfquery>

Is there a way to prevent this?

TOPICS
Database access , Server administration

1 Correct answer

Community Expert, Feb 20, 2025

Yes: that would require you enabling and configuring the ColdFusion "Sandbox Security" feature. It would be nice if I could leave it at that and point you to some single good resource, but sadly none exists.

It's a feature that's been around forever, but few use it--and while I did an overview 20+ years ago, I never updated it (part 1 and part 2). The concepts all apply.

 

But there are some gotchas that have tripped up some.  I'll point you to a more recent forum reply (in the Lucee forums, but discussing this CF Sandbox Security feature), where I offered more details and other resources:

https://dev.lucee.org/t/lucee-sandbox-security/13394/5

 

As you may explore the feature, note this (which I indicate there): while it used to be in cf Enterprise only, that changed with cf11. Many resources fail to acknowledge that, which has discouraged or scared many from using it. (There was a more limited variant in Standard before then, called Resource Security. That was replaced with the full sandbox security feature in 11.)

 

Finally, there is discussion of it buried within this large single doc page on using the cf admin:

https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html#...

 

I hope to do a post soon bringing together this info and some more to help people considering it. Until then hope the above helps. Or you can ask more here. Also, I can help directly via remote screenshare consulting (carehart.org/consulting), if you want to accelerate that implementation. 


/Charlie (troubleshooter, carehart.org)
New Here, Feb 20, 2025

Hi Charlie,

Thank you very much for your answer and detailed information. I defined two different directories in Coldfusion Sandbox Security. One is the real environment (C:\W3\PROD) and the other is the test environment (C:\W3\TEST). I limited the required datasource permissions for each directory and some extra CFTag etc. parameters for the test environment. As a result,

 

The code and output that runs in the test environment.

[image]

If I use a datasource belonging to the real environment, which I am not authorized for, in the code in the test directory,

[image]

 

This really works. Of course, I will need to do some tests. In particular, I will need to examine the methods such as accessing the directories belonging to the real environment with coding in the test environment. After the tests, we will continue the applications with Coldfusion with different developers.

 

Best regards!
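
A self-check page for the setup described in the post above, as an added example that is not part of the thread: placed in each sandboxed directory, it reports which datasources and directories that sandbox lets code reach. The datasource names `a` and `b` are the question's placeholders, the paths are the ones named in the post, and the `probe` helper is hypothetical.

```cfml
<!--- Added example, not from the thread: sandbox self-check page. --->
<cfscript>
// Assumed names: "a" and "b" are the question's placeholder datasources;
// the directories are the two sandboxed roots named in the post.
datasources = ["a", "b"];
directories = ["C:\W3\PROD", "C:\W3\TEST"];
results = [];

// Run one action and record whether it completed or threw.
// Any exception counts as "denied"; the type and message are kept so a
// sandbox refusal can be told apart from a missing datasource or a DB outage.
function probe(required string kind, required string target, required any action) {
    var row = {kind: kind, target: target, allowed: true, type: "", detail: ""};
    try {
        action(target);
    } catch (any e) {
        row.allowed = false;
        row.type = e.type;
        row.detail = e.message;
    }
    return row;
}

for (dsn in datasources) {
    arrayAppend(results, probe("datasource", dsn, function(name) {
        // Trivial MSSQL-compatible query; touches no application tables.
        queryExecute("SELECT 1 AS ok", {}, {datasource: name});
    }));
}
for (dir in directories) {
    arrayAppend(results, probe("directory", dir, function(path) {
        directoryList(path, false, "name");
    }));
}
</cfscript>

<cfoutput>
<p>Running from: #encodeForHTML(getDirectoryFromPath(getCurrentTemplatePath()))#</p>
<table border="1">
<tr><th>Kind</th><th>Target</th><th>Result</th><th>Exception type</th><th>Message</th></tr>
<cfloop array="#results#" index="r">
<tr><td>#encodeForHTML(r.kind)#</td><td>#encodeForHTML(r.target)#</td>
    <td>#(r.allowed ? "allowed" : "denied")#</td>
    <td>#encodeForHTML(r.type)#</td><td>#encodeForHTML(r.detail)#</td></tr>
</cfloop>
</table>
</cfoutput>
```

The expected result for the setup in the post is one allowed datasource and one allowed directory per copy of the page; any extra "allowed" row is a permission to tighten in the sandbox definition.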

Community Expert, Feb 20, 2025

Great to hear, and happy to have helped. Yep, you'll almost certainly have more configuration of the sandbox to do. Again, the resources I shared will offer more detail--some beyond what can be discerned from the UI there. 🙂

 

BTW, could you mark my first reply as the "answer"? That helps future readers of the thread. 


/Charlie (troubleshooter, carehart.org)