Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

Allow access to everything then remove access, this is the easiest setup but a mistake could allow access to restricted information

Code Block
xml
xml
linenumberstruexml
<!-- Allow access to anyone as default, then restrict the important stuff -->
<!-- If no ACL is specified or none of the specified ACL's produce a match -->
<!-- then acl.default will be used -->
<acl:acl id="acl.default">
        <entry type="allow">*</entry>
</acl:acl>

<!-- Only users with the ROLE_ADMINISTRATOR role get access to 'private' stuff -->
<!-- everyone else is explicitly denied -->
<acl:acl id="private">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
        <entry type="deny">*</entry>
</acl:acl>

<!-- ROLE_ADMINISTRATOR and ROLE_USER get access to 'internal' stuff --> 
<!-- everyone else is explicitly denied --><acl:acl id="internal">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
        <entry type="allow">ROLE_USER</entry>
        <entry type="deny">*</entry>
</acl:acl>

<!-- everyone gets access to roads and property -->
<entity:entity id="road">
        <label>Road</label>
</entity:entity>

<entity:entity id="property">
        <label>Property</label>
</entity:entity>

<!-- users matching the 'internal' acl get access to rates -->
<entity:entity id="rates">
        <label>Rates</label>
        <acl:acl id="internal"/>
</entity:entity>

<!-- users matching the 'private' acl get access to uers -->
<entity:entity id="users">
        <label>Users</label>
        <acl:acl id="private"/>
</entity:entity>

Deny access to everything then add access, most secure option, but a lot of work to ensure you attach an ACL to everything

Code Block
xml
xml
linenumberstruexml
<!-- Set deny as default, but now we have to make sure we set access explicitly for everything -->
<!-- we don't really need to do this since it happens as soon as we create an ACL, but for completeness... -->
<acl:acl id="acl.default">
        <entry type="deny">*</entry>
</acl:acl>

<!-- Create a private ACL, but fall back to acl.default -->
<!-- ROLE_ADMINISTRATOR will be allowed -->
<!-- anyone else will fall back to acl.default -->
<acl:acl id="private">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
</acl:acl> 

<!-- Create an internal ACL, but fall back to acl.default -->
<!-- ROLE_ADMINISTRATOR and ROLE_USER will be allowed -->
<!-- anyone else will fall back to acl.default -->
<acl:acl id="internal">
        <entry type="allow">ROLE_ADMINISTRATOR</entry>
        <entry type="allow">ROLE_USER</entry>
</acl:acl>

<acl:acl id="anyone">
        <entry type="allow">*</entry>
</acl:acl>

<!-- now we have to explicitly grant access to roads and property -->
<entity:entity id="road">
        <label>Road</label>
        <acl:acl id="anyone"/>
</entity:entity>

<entity:entity id="property">
        <label>Property</label>
        <acl:acl id="anyone"/>
</entity:entity>

<entity:entity id="rates">
        <label>Rates</label>
        <acl:acl id="internal"/>
</entity:entity>

<entity:entity id="users">
        <label>Users</label>
        <acl:acl id="private"/>
</entity:entity>

Recommended default acl usage example for internal Weave instance

Code Block
xml
xml
linenumberstruexml
	<acl:acl id="acl.default">
		<!-- Setup the default acl so that users have to be logged in before they can access the system by denying access to anonymous users -->
		<entry type="deny">anonymous</entry>
		<!-- but still provide access to everything that hasn't explicitly been denied with other acl's -->
		<entry type="allow">*</entry>
	</acl:acl>

	<!-- Attach this acl to items that only planners should have access to -->
	<acl:acl id="planners">
		<entry type="allow">ROLE_PLANNERS</entry>
		<entry type="deny">*</entry>
	</acl:acl>

	<!-- Attach this acl to items that only engineers should have access to -->
	<acl:acl id="engineers">
		<entry type="allow">ROLE_ENGINEERS</entry>
		<entry type="deny">*</entry>
	</acl:acl>