access to CollectionA would allow you to add an access control entry (ACE; discussed in the next section) to the ACL for CollectionA, which would prevent that group from accessing it. This is much easier to manage.
Of course, most things that can be done with ACLs can also be done by subdividing permissions—that is, by creating new groups, adding users to them, and applying them with specific modes to individual resources and collections. However, the problem with that approach is that, with even a fairly simple system, you can quickly end up with a vast proliferation of small groups that are not only hard to name, but also hard to manage because you will need to remember why you applied these subdivided groups of users to various resources and collections.
When eXist evaluates the permissions of a resource or collection to determine whether to allow or deny access, the ACL is evaluated before its Unix-style permissions. If the ACL is empty, or does not explicitly allow or deny access, then the Unix-style permissions are evaluated.

Simply put, the ACL can override the Unix-style permissions, which is where its power is derived from.
Access Control Entries
Access control lists are composed of access control entries. The ACL of a resource or collection is considered empty if it has no ACEs; otherwise, it may have up to 255 ACEs. When you consider that each ACE may reference a group of users, this gives you a lot of scope for assigning permissions to resources.

An ACE is made up of several fields that describe the access rights to the resource to which the ACL belongs, as shown in Table 8-9.
Table 8-9. ACE fields

ACE field     Description
Target type   Indicates to the ACE whether the ID is that of a USER or GROUP.
ID            The identifier of the target; that is, the ID of the user or group.
Access type   The type of access applied to the target, either ALLOWED or DENIED.
Mode          The access mode of the target to the resource or collection. Three octets (e.g., rwx).
So, as we can see from the table, the nice thing about ACEs in ACLs is that they not only allow (ALLOWED) us to grant access to a resource or collection, but they also allow us to explicitly deny (DENIED) access.
The ordering of ACEs in an ACL is critically important.
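The following Python model is an added example, not eXist's own code: it puts the evaluation order described above (ACL first, Unix-style mode only when no ACE explicitly allows or denies), the four ACE fields of Table 8-9, the 255-entry limit, and the CollectionA scenario into a small, runnable checker. It assumes a first-matching-ACE rule (the text says only that ordering is critically important) and uses constructed users, groups, and modes; the `Permissions`, `Subject`, and `check` names are this model's, not eXist's API.

```python
"""Model of eXist-style permission evaluation: ACL first, then Unix-style mode.

Constructed example, not eXist's own implementation. The first-match rule for
ACEs is an assumption of this model; the book only states that order matters.
"""
from dataclasses import dataclass, field
from enum import Enum


class Target(Enum):
    USER = "USER"
    GROUP = "GROUP"


class Access(Enum):
    ALLOWED = "ALLOWED"
    DENIED = "DENIED"


@dataclass(frozen=True)
class ACE:
    """One access control entry, carrying the four fields from Table 8-9."""
    target: Target      # whether `who` names a USER or a GROUP
    who: str            # the user or group ID
    access: Access      # ALLOWED or DENIED
    mode: str           # three characters drawn from r, w, x, -  (e.g. "rwx")

    def __post_init__(self):
        if len(self.mode) != 3 or any(c not in "rwx-" for c in self.mode):
            raise ValueError(f"bad ACE mode {self.mode!r}")


@dataclass(frozen=True)
class Subject:
    """The requesting user and the groups they belong to (constructed)."""
    name: str
    groups: frozenset = frozenset()


@dataclass
class Permissions:
    """Permissions of a resource or collection: Unix-style triple plus an ACL."""
    owner: str
    group: str
    unix_mode: str              # nine chars: owner, group, other, e.g. "rwxr-x---"
    acl: list = field(default_factory=list)

    MAX_ACES = 255              # the limit stated in the text

    def add_ace(self, ace: ACE) -> None:
        if len(self.acl) >= self.MAX_ACES:
            raise ValueError("ACL may hold at most 255 ACEs")
        self.acl.append(ace)


def _ace_applies(ace: ACE, subject: Subject) -> bool:
    """Does this ACE target the subject, either by user ID or group membership?"""
    if ace.target is Target.USER:
        return ace.who == subject.name
    return ace.who in subject.groups


def unix_allows(perm: Permissions, subject: Subject, op: str) -> bool:
    """Classic owner/group/other check; `op` is one of 'r', 'w', 'x'."""
    if subject.name == perm.owner:
        triple = perm.unix_mode[0:3]
    elif perm.group in subject.groups:
        triple = perm.unix_mode[3:6]
    else:
        triple = perm.unix_mode[6:9]
    return op in triple


def check(perm: Permissions, subject: Subject, op: str):
    """Return (allowed, reason). The ACL is consulted before the Unix-style mode;
    only when no ACE explicitly allows or denies the request does the mode decide.
    Assumption of this model: the first ACE that matches subject and mode wins."""
    for i, ace in enumerate(perm.acl):
        if _ace_applies(ace, subject) and op in ace.mode:
            return ace.access is Access.ALLOWED, (
                f"ACE[{i}] {ace.access.value} {ace.target.value} {ace.who}")
    return unix_allows(perm, subject, op), "unix-style mode"


def collection_a_scenario():
    """Constructed scenario from the text: every member of 'staff' may read
    CollectionA via the group bits; one DENIED ACE shuts out 'contractors'
    without creating a new, smaller group."""
    collection_a = Permissions(owner="admin", group="staff", unix_mode="rwxr-x---")
    alice = Subject("alice", frozenset({"staff"}))
    bob = Subject("bob", frozenset({"staff", "contractors"}))
    before = check(collection_a, bob, "r")[0]
    collection_a.add_ace(ACE(Target.GROUP, "contractors", Access.DENIED, "rwx"))
    return {
        "bob_before": before,                            # True: group bits
        "bob_after": check(collection_a, bob, "r")[0],   # False: DENIED ACE
        "alice_after": check(collection_a, alice, "r")[0],  # True: no ACE matches
    }


def ordering_matters():
    """The same two ACEs in both orders: a USER ALLOWED entry for bob only
    helps if it precedes the GROUP DENIED entry that also matches him."""
    bob = Subject("bob", frozenset({"contractors"}))
    allow_bob = ACE(Target.USER, "bob", Access.ALLOWED, "r--")
    deny_contractors = ACE(Target.GROUP, "contractors", Access.DENIED, "rwx")
    allow_first = Permissions("admin", "staff", "rwx------", [allow_bob, deny_contractors])
    deny_first = Permissions("admin", "staff", "rwx------", [deny_contractors, allow_bob])
    return check(allow_first, bob, "r")[0], check(deny_first, bob, "r")[0]


if __name__ == "__main__":
    print(collection_a_scenario())   # {'bob_before': True, 'bob_after': False, 'alice_after': True}
    print(ordering_matters())        # (True, False)
```

The `ordering_matters` function is the practical point of the last sentence above: with a deny entry ahead of an allow entry the allow is never reached, so when reviewing an ACL, read it top to bottom as the evaluator would, rather than as an unordered set of grants.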