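Collection: /db/journals/review/nanotechnology

ACL

|       | Target type | ID         | Access type | Mode |
|-------|-------------|------------|-------------|------|
| ACE:0 | USER        | jasongreen | DENIED      | -w-  |

Unix-style permissions

| Owner | Group   | Mode      |
|-------|---------|-----------|
| admin | editors | rwxrwx--- |
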
We can modify this configuration to suit our evolving needs. First we create a group called trainees, which will contain all of our newly recruited trainees. We also add our trainees to the groups for the roles that they will eventually fulfill (e.g., editors). We then add an ACL to prevent members of the trainees group from changing the collection, while still allowing them the ability to view the collection. Such a configuration for the nanotechnology collection could look like this:

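Collection: /db/journals/review/nanotechnology

ACL

|       | Target type | ID         | Access type | Mode |
|-------|-------------|------------|-------------|------|
| ACE:0 | USER        | jasongreen | DENIED      | -w-  |
| ACE:1 | GROUP       | trainees   | ALLOWED     | r-x  |
| ACE:2 | GROUP       | trainees   | DENIED      | -w-  |

Unix-style permissions

| Owner | Group   | Mode      |
|-------|---------|-----------|
| admin | editors | rwxrwx--- |
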
The new ACE at index 1 that we have added allows all trainees read access to the collection. The new ACE at index 2 prohibits any trainee from writing to the collection. Even without this ACE, trainees who are not editors would not be able to write to the collection; adding it ensures that all trainees, including any user who is in both the trainees group and the editors group, cannot write to the collection (otherwise they would be able to, due to eventual fall-through to the Unix-style permissions). This works because the ACL is evaluated before the Unix-style permissions, so any user in both groups will be denied write access due to his membership in the trainees group. Neat, right?
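
The evaluation order described above can be checked with a small model. This is an added example, not eXist-db code or code from the original text: it assumes ACEs are tried in index order with the first matching ACE that covers the requested permission deciding the result, and every user name except jasongreen, as well as jasongreen's membership of editors, is hypothetical.

```python
# Simplified model of the check described above (not eXist-db source code).
# Assumption: ACEs are tried in index order and the first one that matches
# the user and covers the requested permission decides the outcome.

# Constructed sample data mirroring the nanotechnology collection tables.
ACL = [
    ("USER", "jasongreen", "DENIED", "-w-"),   # ACE:0
    ("GROUP", "trainees", "ALLOWED", "r-x"),   # ACE:1
    ("GROUP", "trainees", "DENIED", "-w-"),    # ACE:2
]
OWNER, GROUP, MODE = "admin", "editors", "rwxrwx---"


def has_access(user, groups, perm, acl=ACL):
    """Return True if `user` (member of `groups`) is granted `perm` (r, w or x)."""
    for target_type, ident, access, mode in acl:
        matches = (target_type == "USER" and ident == user) or (
            target_type == "GROUP" and ident in groups
        )
        if matches and perm in mode:
            return access == "ALLOWED"
    # No ACE decided: fall through to the Unix-style owner/group/other bits.
    if user == OWNER:
        bits = MODE[0:3]
    elif GROUP in groups:
        bits = MODE[3:6]
    else:
        bits = MODE[6:9]
    return perm in bits


def report():
    """Effective mode per user; group memberships here are assumptions."""
    users = {
        "jasongreen": {"editors"},
        "trainee_editor": {"trainees", "editors"},
        "trainee_only": {"trainees"},
        "senior_editor": {"editors"},
    }
    return {name: "".join(p if has_access(name, g, p) else "-" for p in "rwx")
            for name, g in users.items()}


if __name__ == "__main__":
    for name, mode in report().items():
        print(f"{name:15} {mode}")
```

Passing `acl=ACL[:2]` to `has_access` drops ACE:2 and shows the fall-through: a user in both trainees and editors regains write access through the group bits of the Unix-style mode.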