# Configuring Amazon DCV authorization
Authorization is used to grant or deny Amazon DCV clients permissions to specific Amazon DCV features. In Amazon DCV, authorization is configured using a *permissions file*. The permissions file defines the specific Amazon DCV features that are available to specific users when they connect to a session.
Amazon DCV supports two types of permissions files:
**Topics**
+ [
## Default permissions file
](#security-authorization-default)
+ [
## Custom permissions file
](#security-authorization-custom)
+ [
# Understanding permissions files
](security-authorization-file-create.md)
## Default permissions file
If you don't specify a custom permissions file when creating a session, the default permissions file is used for all sessions. The default permissions file grants only the session owner full access to all features.
You can customize the default permissions file to include custom authorizations. The default permissions file is located in `C:\Program Files\NICE\DCV\Server\conf\default.perm` on Windows Amazon DCV servers and `/etc/dcv/default.perm` on Linux and macOS Amazon DCV servers.
For information about customizing the default permissions file, see [Understanding permissions files](security-authorization-file-create.md).
## Custom permissions file
You can use a custom permissions file to define the features that specific users or groups have access to when they connect to a Amazon DCV session. When you use a custom permissions file, you override the default permissions file.
To use a custom permissions file, you must first create the permissions file. Next, specify it when you start the session using the `--permissions-file` option with the `dcv create-session` command. For more information about starting sessions, see [Starting Amazon DCV sessions](managing-sessions-start.md).
For information about creating a custom permissions file, see [Understanding permissions files](security-authorization-file-create.md).
# Understanding permissions files
You can create a custom permissions file or update an existing permissions file using your preferred text editor. A permissions file typically takes the following format:
```
#import file_to_import
[groups]
group_definitions
[aliases]
alias_definitions
[permissions]
user_permissions
```
The following sections explain how to populate the sections when updating or creating a permissions file.
**Topics**
+ [
# Importing a permissions file
](security-authorization-file-create-import.md)
+ [
# Creating groups
](security-authorization-file-create-group.md)
+ [
# Creating aliases
](security-authorization-file-create-alias.md)
+ [
# Adding permissions
](security-authorization-file-create-permission.md)
# Importing a permissions file
The `imports` section is typically the first section of the permissions file. You can use this section to reference and include existing permissions files. You can also use it to incorporate previously defined Amazon DCV permissions into your permissions file.
A permissions file can include multiple imports. An imported permissions file might import other permissions files.
**To import a permissions file into your permissions file**
+ Use the `#import` statement and specify the location of the file with an absolute or a relative path
+ Windows Amazon DCV server:
```
#import ..\file_path\file
```
+ Linux Amazon DCV server:
```
#import ../file_path/file
```
**Example**
The following statement imports a permissions file named `dcv-permissions.file` using an absolute path. It's located in the Amazon DCV installation folder on a Windows Amazon DCV server.
```
#import c:\Program Files\NICE\DCV\dcv-permissions.file
```
# Creating groups
You can use `[groups]` section of the permissions file to define user groups for users that have similar use cases or permissions requirements. Groups can be assigned specific permissions. Permissions assigned to a group apply to all of the users that are included in the group.
To create groups in your permissions file, you must first add the groups section heading to the file.
```
[groups]
```
You can then create your groups under the section heading. To create a group, provide the group name, and then specify the group members in a comma-separated list. Group members can be individual users, other groups, and operating system user groups.
```
group_name=member_1, member_2, member_3
```
**To add a user to a group**
Specify the user name.
**Note**
You can prefix the user name with `user:`. Windows domain user names can include a domain name.
```
group_name=user_1, user:user_2, domain_name\user_3
```
**To add an existing group to a group**
Specify the group name prefixed with `group:`
```
group_name=group:group_1, group:group_2
```
**To add an operating system user group to a group (Linux Amazon DCV servers only)**
Specify the group's name prefixed with `osgroup:`
```
group_name=osgroup:os_group_1, osgroup:os_group2
```
**Example**
The following example adds the groups section heading and creates a group that's named `my-group`. This group includes individual users. They're named `john` and `jane`. One of them is an existing group that's named `observers`. The other is an operating system user group that's named `guests`:
```
[groups]
my-group=john, user:jane, group:observers, osgroup:guests
```
# Creating aliases
You can use the `[aliases]` section of the permissions file to create sets of Amazon DCV features. After an alias was defined, you can grant or deny groups or individual users permissions to use it. Granting or denying permissions to an alias grants or denies permissions to all of the features that are included in it.
To create aliases in your permissions file, you must first add the aliases section heading to the file.
```
[aliases]
```
You can then create your aliases under the section heading. To create an alias, provide the alias name, and then specify the alias members in a comma-separated list. Alias members can be individual Amazon DCV features or other aliases.
```
alias_name=member_1, member_2, member_3
```
**Example**
The following example adds the aliases section heading and creates an alias that's named `file-management`. It includes the `file-upload` and `file-download` features and an existing alias that's named `clipboard-management`.
```
[aliases]
file-management=file-upload, file-download, clipboard-management
```
# Adding permissions
The `[permissions]` section of the permissions file lets you control user and group access to specific features or aliases.
To add permissions to your permissions file, first add the permissions section heading to the file.
```
[permissions]
```
You can then add your permissions under the section heading. To add a permission, specify the actor that it governs, the rule to be applied, and the features that it applies to.
```
actor rule features
```
The actor can be a user, a group, or an operating system group. Groups must be prefixed with `group:`. Operating system groups must be prefixed with `osgroup:`. Amazon DCV includes a built-in `%owner%` reference that can be used to refer to the session owner. It can also be used to refer to a built-in `%any%` reference that can be used to refer to any user.
The following rules can be used in permissions statements:
+ `allow` — Grants access to the feature.
+ `disallow` — Denies access to the feature, but can be overridden by subsequent permissions.
+ `deny` — Denies access to the feature and cannot be overridden by subsequent permissions.
The features can include individual Amazon DCV features, aliases, or a combination of both. The list of features must be separated by a space. Amazon DCV includes a built-in `builtin` alias that includes all of the Amazon DCV features.
The following features can be referenced in the permissions file:
+ `audio-in` — Insert audio from the client to the Amazon DCV server.
+ `audio-out` — Play back Amazon DCV server audio on the client.
+ `builtin` — All features.
+ `clipboard-copy` — Copy data from the Amazon DCV server to the client clipboard.
+ `clipboard-paste` — Paste data from the client clipboard to the Amazon DCV server.
+ `display` — Receive visual data from the Amazon DCV server.
+ `extensions-client` — Allows to start the installed extensions on the Amazon DCV client.
+ `extensions-server` — Allows to start the installed extensions on the Amazon DCV server.
+ `file-download` — Download files from the session storage.
+ `file-upload` — Upload files to the session storage.
+ `gamepad` — Use gamepads connected to a client computer in a session. Supported on version Amazon DCV 2022.0 and later.
+ `keyboard` — Input from the client keyboard to the Amazon DCV server.
+ `keyboard-sas` — Use the secure attention sequence (**CTRL\$1Alt\$1Del**). Requires the `keyboard` feature. Supported on version Amazon DCV 2017.3 and later.
+ `mouse` — Input from the client pointer to the Amazon DCV server.
+ `pointer` — View Amazon DCV server mouse position events and pointer shapes. Supported on version Amazon DCV 2017.3 and later.
+ `printer` — Create PDFs or XPS files from the Amazon DCV server to the client.
+ `screenshot` — Save a screenshot of the remote desktop. It's supported on version Amazon DCV 2021.2 and later.
When removing `screenshot` authorization, we recommended that you disable the `clipboard-copy` permission. This prevents users from capturing screenshots on the clipboard of the server and then pasting them on the client. When the `screenshot` authorization is denied, Windows and macOS will also prevent external tools from capturing a screenshot of the client. For example, using the Windows Snipping Tool on the Amazon DCV client window will result in a black image.
+ `smartcard` — Read the smart card from the client.
+ `stylus` — Input from specialized USB devices, such as 3D pointing devices or graphic tablets.
+ `touch` — Use native touch events. Supported on version DCV 2017.3 and later.
+ `unsupervised-access` — Use to set owner-less access of users in a collaborative session.
+ `usb` — Use USB devices from the client.
+ `webcam` — Use the webcam connected to a client computer in a session. Supported on version Amazon DCV 2021.0 and later.
+ `webauthn-redirection` — Redirect Webauthn requests from the remote browser to a local client. Supported on version Amazon DCV 2023.1 and later.
**Example**
The following example adds the permissions section heading and adds four permissions. The first permission grants a user named `john` access to the `display`, `file-upload`, and `file-download` features. The second permission denies the `observers` group access to the `audio-in` and `audio-out` features, and the `clipboard-management` feature alias. The third permission grants the `guests` operating system group access to the `clipboard-management` and `file-management` aliases. The fourth permission grants the session owner access to all features.
```
[permissions]
john allow display file-upload file-download
group:observers deny audio-in audio-out clipboard-management
osgroup:guests allow clipboard-management file-management
%owner% allow builtin
```