# Environment boundaries
<a name="permission-profiles-environment-boundaries"></a>

Environment boundaries allow Research and Engineering Studio (RES) administrators to configure permissions that will take effect globally for all users. This includes permissions such as **File Browser and SSH permissions**, **Desktop Permissions**, and **Desktop advanced settings**. 

![\[environment boundaries\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-environment-boundaries.png)


# Configuring File browser access
<a name="configuring-file-browser-access"></a>

RES Administrators can toggle **Access data** on or off under **File browser permissions**. If **Access data** is turned off, users will not see **File Browser** navigation in their web portal and cannot upload or download data attached to their global file system. When **Access data** is enabled, users have access to **File Browser** navigation in their web portal which allows them to upload or download data that is attached to their global file system.

![\[environment boundaries\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-disabled.png)


When the **Access data** feature is turned on and then later turned off, users who are already logged in to the web portal will be unable to upload or download files, even if they are on the corresponding page. Additionally, the navigation menu will disappear when they refresh the page.

# Configuring SSH access
<a name="configuring-ssh-access"></a>

Administrators can enable or disable SSH for the RES environment from the **Environment boundaries** section. SSH Access to VDIs is facilitated through a bastion host. When you activate this toggle, RES deploys a bastion host and makes the SSH Access Instructions page visible for users. When you deactivate the toggle, RES disables SSH access, terminates the bastion host and removes the SSH access instructions page for users. This toggle is deactivated by default.

**Note**  
When RES deploys a bastion host it adds a `t3.medium` Amazon EC2 instance in your AWS account. You are responsible for all charges associated with this instance. See the [ Amazon EC2 pricing page](https://aws.amazon.com/ec2/pricing/on-demand/) for more information.

**To enable SSH access**

1. In the RES console, on the left navigation pane, choose **Environment Management**, then **Permission Policy**. Under **Environment boundaries** select the **SSH access** toggle.  
![\[Permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-disabled.png)

1. Wait for SSH access to be enabled.  
![\[Advisory banner appears on the permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-enable-ssh.png)

1. Once the Bastion host is added, SSH access is enabled.  
![\[Permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-enabled.png)

   The **SSH Access Instructions** page is visible to users from their left navigation pane.  
![\[SSH access instructions page showing steps for Linux and Windows\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-enabled2.png)

**To disable SSH access**

1. In the RES console, on the left navigation pane, choose **Environment Management**, then **Permission Policy**. Under **Environment boundaries** select the **SSH access** toggle.  
![\[Permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-enabled.png)

1. Wait for SSH access to be disabled.  
![\[A banner shows SSH access is being disabled on the Permission policy page\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-disable-ssh.png)

1. Once the process is complete, SSH access is disabled.  
![\[Permission policy page showing SSH access disabled\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-disabled.png)

# Configuring Desktop Permissions
<a name="configuring-desktop-permissions"></a>

Administrators can toggle **Desktop permissions** on or off to globally manage the VDI functionality of all session owners. All of these permissions, or a subset, can be used to create **Desktop sharing profiles** that determine which actions the users with whom a desktop is shared can perform. If any desktop permission is disabled, this will automatically disable the corresponding permissions in the **Desktop sharing profiles**. These permissions will be labeled as "Disabled Globally". Even if the administrator enables this desktop permission again, the permission in the desktop sharing profile will remain disabled until the administrator manually enables it.

![\[environment boundaries\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-environment-boundaries.png)