Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Description

An ACL (Access Control List) provides restrictions on who can access a particular configuration item.

When a process initiated by the user attempts to access a restricted item (which is anything with an ACL attached) the groups that the user belongs are checked against the ACL to determine if the user should be given access to the item. See Security for details on how the groups that a user belongs to is determined.

...

An ACL provides a list of groups that can either be denied access or allowed access and are processed linearly until there is a match that positively denies or grants approval. Also, there is a special group, anonymous, that can be used to allow or deny access to users that are not logged in anonymously.

Additionally, ACL's can reference other ACL's to provide a hierarchy with recursive checking performed to determine accessibility.

...

ACL's can be setup either in-line, that is included directly in the item they're guarding access to, or can configured individually and referenced by an item.IMPORTANT NOTE

Info
titleImportant Note

THERE IS NO ACCESS CONTROL AT ALL UNLESS AT LEAST ONE ACL IS DEFINED

This means that a default installation will provide no access control to any items until at least one ACL is defined, even if it's just default.acl.

...

Code Block
xml
xml
linenumberstrue
<!-- Allow access to anyone as default, then restrict the important stuff -->
<!-- If no ACL is specified or none of the specified ACL's produce a match -->
<!-- then acl.default will be used -->
<acl:acl id="acl.default">
        <entry type="allow">*</entry>
</acl:acl>

<!-- Only adminsusers with the ROLE_ADMINISTRATOR role get access to 'private' stuff -->
<!-- everyone else is explicitly denied -->
<acl:acl id="private">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
        <entry type="deny">*</entry>
</acl:acl>

<!-- adminsROLE_ADMINISTRATOR and usersROLE_USER get access to 'internal' stuff -->
<acl> 
<!-- everyone else is explicitly denied --><acl:acl id="internal">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
        <entry type="allow">ROLE_USER</entry>
        <entry type="deny">*</entry>
</acl:acl>

<!-- everyone gets access to roads and property -->
<entity:entity id="road">
        <label>Road</label>
</entity:entity>

<entity:entity id="property">
        <label>Property</label>
</entity:entity>

<!-- users matching the 'internal' acl get access to rates -->
<entity:entity id="rates">
        <label>Rates</label>
        <acl:acl id="internal"/>
</entity:entity>

<!-- users matching the 'private' acl get access to uers -->
<entity:entity id="users">
        <label>Users</label>
        <acl:acl id="private"/>
</entity:entity>

Deny access to everything then add access, most secure option, but a lot of work to ensure you attach an acl ACL to everything

Code Block
xml
xml
linenumberstrue
<!-- Set deny as default, but now we have to make sure we set access explicitly for everything -->
<!-- we don't really need to do this since it happens as soon as we create an ACL, but for completeness... -->
<acl:acl id="acl.default">
        <entry type="deny">*</entry>
</acl:acl>

<!-- Create a private ACL, but fall back to acl.default -->
<!-- ROLE_ADMINISTRATOR will be allowed -->
<!-- anyone else will fall back to acl.default -->
<acl:acl id="private">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
</acl:acl>
acl> 

<!-- Create an internal ACL, but fall back to acl.default -->
<!-- ROLE_ADMINISTRATOR and ROLE_USER will be allowed -->
<!-- anyone else will fall back to acl.default -->
<acl:acl id="internal">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
        <entry type="allow">ROLE_USER</entry>
</acl:acl>

<acl:acl id="anyone">
        <entry type="allow">*</entry>
</acl:acl>

<!-- now we have to explicitly grant access to roads and property -->
<entity:entity id="road">
        <label>Road</label>
        <acl:acl id="anyone"/>
</entity:entity>

<entity:entity id="property">
        <label>Property</label>
        <acl:acl id="anyone"/>
</entity:entity>

<entity:entity id="rates">
        <label>Rates</label>
        <acl:acl id="internal"/>
</entity:entity>

<entity:entity id="users">
        <label>Users</label>
        <acl:acl id="private"/>
</entity:entity>