File API Enhancements
The latest release of the IIS Administration API introduced monitoring endpoints for users to measure the health and performance of their web server, but that was not the only new feature added. The 2.2.0 release features another major improvement: a new configuration endpoint for the files API.
The IIS Administration API provides the capability to perform multiple file system operations including creating, editing, deleting, copying, and moving files. These capabilities were discussed in a previous blog post. All file system API operations are limited to a set of root folders that are configured within the API's application settings. These root folders also affect IIS configuration operations that pertain to the file system, such as specifying the directory of a new web site or changing the directory of log files. If the desired folder does not fall within an allowed root folder, the IIS configuration operation cannot be performed.
The files API has been enhanced to include a new endpoint at /api/files/locations that allows the API's root folders to be configured. This means administrators no longer need to dive into the appsettings.json file to configure what sections of the file system are accessible from the API.
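The root-folder restriction described above comes down to a containment check on paths. The following is an added example, not code from the IIS Administration API: the root list, the variable table and the function names are assumptions made for illustration, and it shows the cases such a check has to handle (variable expansion, case, ".." segments and sibling folders that share a prefix).

```python
import ntpath
import re

# Constructed sample data: variable values and root folders for illustration only.
SAMPLE_ENV = {"systemdrive": "C:"}
SAMPLE_ROOTS = [r"%SystemDrive%\inetpub", r"%SystemDrive%\temp"]


def expand_vars(path, env=SAMPLE_ENV):
    """Expand %NAME% references case-insensitively; unknown names stay as written."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def canonical(path, env=SAMPLE_ENV):
    """Expand variables, collapse '.' and '..', then unify separators and case."""
    full = ntpath.normpath(expand_vars(path, env))
    if not ntpath.isabs(full):
        raise ValueError("path must be absolute: %r" % path)
    return ntpath.normcase(full).rstrip("\\")


def matching_root(target, roots=SAMPLE_ROOTS, env=SAMPLE_ENV):
    """Return the configured root that contains target, or None if there is none."""
    try:
        wanted = canonical(target, env)
    except ValueError:
        return None  # relative paths are never inside a root
    for root in roots:
        base = canonical(root, env)
        # Compare on a separator boundary so c:\temp2 is not treated as inside c:\temp.
        if wanted == base or wanted.startswith(base + "\\"):
            return root
    return None


# String-level check only: junctions and symlinks must be resolved on the real host.
if __name__ == "__main__":
    for candidate in (r"c:\temp\site1\logs", r"C:\temp2\site1",
                      r"C:\temp\..\Windows\System32", r"C:/INETPUB/wwwroot"):
        print(candidate, "->", matching_root(candidate) or "denied")
```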
Integration Into manage.iis.net
The experience for adding new file system locations to the API has been consolidated into the file explorer section of https://manage.iis.net. Adding new locations, also called root folders, allows new areas of the file system to be accessed from the API. This can be used on arbitrary folders, drives, and even network shares. The GIF below demonstrates adding a new root folder that points to %SystemDrive%\temp (which resolves to c:\temp in this case). The %SystemDrive%\temp folder already exists on the machine, and once the root folder is added, the API can begin to access it.
Security Constraints
The new endpoint at /api/files/locations is only accessible by users who are in the owners user group as specified in the API's application settings. The API runs under the system account, so in most cases when it is given access to a part of the file system it will be able to do as it pleases. Thus, the capability to add and remove root folders should be limited to users with the highest privileges on the machine. By default, the only user who is in the owners user group is the user who installed the IIS Administration API.
For more information on how the security settings are configured for the IIS Administration API, refer to the documentation at https://docs.microsoft.com/en-us/iis-administration/configuration/appsettings.json#security.