The ACEs in an ACL are evaluated in order from the start of the list to the bottom of
the list. The first ACE in an ACL that both matches a user directly (or indirectly, as a
member of a group) and matches the requested access mode will be applied, and the
evaluation of permissions will halt.
Consider an ACL with two ACEs in the following order:
1. Prevents a group of users (GroupA) from accessing a resource
2. Allows a user (UserA) from that group (GroupA) access to the resource
Once the ACL is applied, the user UserA will not be allowed access to the resource. If
you want that user to have access to the resource, you should swap the order of the
ACEs in the ACL.
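
The first-match rule above, modelled as an added Python example (not code from the original text or from eXist), with a check that goes one step further and flags user ACEs that an earlier ACE makes unreachable. The names ACE, evaluate and shadowed are hypothetical, and the sketch assumes an ACE matches an access mode when its mode string contains every requested permission character.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    target_type: str  # "USER" or "GROUP"
    target: str       # user or group name
    allowed: bool     # True = allow, False = deny
    mode: str         # permission characters, e.g. "rwx" or "r--"

def bits(mode):
    return set(mode) - {"-"}

def applies_to(ace, user, groups):
    # Direct match on the user, or indirect match through group membership.
    return ace.target == user if ace.target_type == "USER" else ace.target in groups

def evaluate(acl, user, groups, requested):
    """Return (allowed, index) of the first matching ACE, or (None, None)."""
    for i, ace in enumerate(acl):
        if applies_to(ace, user, groups) and bits(requested) <= bits(ace.mode):
            return ace.allowed, i  # first match wins; later ACEs are never read
    return None, None  # no ACE matched; what happens next is outside this model

def shadowed(acl, memberships):
    """List (later_index, earlier_index) pairs where a USER ACE can never apply
    because an earlier ACE already matches that user for every mode it covers."""
    found = []
    for j, later in enumerate(acl):
        if later.target_type != "USER":
            continue
        groups = memberships.get(later.target, set())
        for i, earlier in enumerate(acl[:j]):
            if applies_to(earlier, later.target, groups) and bits(later.mode) <= bits(earlier.mode):
                found.append((j, i))
                break
    return found

# Constructed sample data: the two-ACE case from the text, then the swapped order.
MEMBERS = {"UserA": {"GroupA"}, "UserB": {"GroupA"}}
DENY_FIRST = [ACE("GROUP", "GroupA", False, "rwx"), ACE("USER", "UserA", True, "rwx")]
ALLOW_FIRST = list(reversed(DENY_FIRST))

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        for user in ("UserA", "UserB"):
            print(name, user, evaluate(acl, user, MEMBERS[user], "r"), shadowed(acl, MEMBERS))
```

With the deny ACE first, the allow ACE for UserA is reported as shadowed; after the swap, UserA is allowed while every other member of GroupA is still denied.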
ACLs by Example
It is perhaps easiest to explain ACLs by giving some concrete examples of how they
might be used, and explaining the results of various configurations.
Allowing additional access
With the Unix-style permissions in eXist, you can only control access to a resource
by the owner, a group of users, and all other users who are not the owner or within
that group of users.
Imagine that you work for a small organization in the publishing industry. You have
a security group of users who are content editors already configured in eXist, and that
group has write access to many collections in the database, where each collection
represents a different journal. However, one day, one of the editors is in an accident and
will be away from the office for several weeks. During this time Bob Smith has to pick
up that editor's work on the Medical Neuroscience Journal.
Currently, the Medical Neuroscience Journal collection is configured as follows:
Collection                                Owner  Group    Mode
/db/journals/review/medical-neuroscience  admin  editors  rwxrwx---
So how do we allow Bob Smith to do his temporary editing work on the
medical-neuroscience collection? There are several possible approaches:
• We could add Bob Smith to the editors group.
  Unfortunately, we may then have unintentionally given him access to other
  journal collections in the database, causing a security risk!