Access Control Lists (ACLs) are made up of individual permissions, the Access Control Entries (ACEs), and determine the order in which these permissions are actually applied.
An AccessControlEntry (ACE) represents the association of one or more Privilege objects with a specific Principal.
A standard installation of a CRX repository is configured to use resource-based access control lists.
Resource-based ACLs
That means that a resource (a node) is associated with a list of allow/deny entries for certain principals (users or groups), which naturally maps to storing them along with the JCR node.
ACLs and How They Are Evaluated
- Allow rights have higher precedence than deny rights.
- Group principals are evaluated in order, both within the hierarchy and within a single access control list, i.e. on the same node (concurrent).
- This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.
Concurrent (on the same node) Permission on ACL
- The permission created first in user admin is added to the node first (1st ACE) and then the next permission is added below it (2nd ACE).
- This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.
EXAMPLE 1.
Suppose you have the following ACL for the same resource under /content/geometrixx/en/products.
If a user is part of the two groups 'allowed-it' and 'restricted-it', you can see that access to the page products is denied, because the ACL entry denying read access is the rule at the bottom.
EXAMPLE 2.
Now, if the order of the ACL is the opposite, a user who is part of the two groups allowed-it and restricted-it will have access to the products page (because the ACL entry allowing read access is the rule at the bottom).
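The two examples above, worked through in a small Python model of resource-based ACL evaluation (an added example, not code from the original post or from CRX itself). It assumes each node holds its ACEs in creation order, that the list is read bottom-up and the first ACE matching one of the user's principals and the requested privilege decides, that a node with no matching entry falls back to its parent's ACL, and that nothing matching anywhere means deny; the user principal "rahul" is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One access control entry: principal, allow/deny, granted privileges."""
    principal: str          # user or group name
    allow: bool             # True = allow entry, False = deny entry
    privileges: frozenset   # e.g. frozenset({"jcr:read"})


def evaluate(acls, path, principals, privilege):
    """Return True if `privilege` on `path` is allowed for a user holding `principals`.

    acls maps a node path to its ordered ACE list (first created = first in list).
    Simplified model (assumption): the node's own list is scanned bottom-up, then
    each ancestor's list in turn; the first matching ACE wins; default is deny.
    """
    node = path
    while True:
        for ace in reversed(acls.get(node, [])):          # bottom-up scan
            if ace.principal in principals and privilege in ace.privileges:
                return ace.allow
        if node == "/":
            return False                                   # no entry matched anywhere
        node = node.rsplit("/", 1)[0] or "/"               # walk up the hierarchy


READ = frozenset({"jcr:read"})
PRODUCTS = "/content/geometrixx/en/products"
USER_PRINCIPALS = {"rahul", "allowed-it", "restricted-it"}   # constructed user in both groups

# Example 1: the deny entry was created last, so it sits at the bottom of the list.
EXAMPLE1 = {PRODUCTS: [ACE("allowed-it", True, READ), ACE("restricted-it", False, READ)]}
# Example 2: the same two entries in the opposite order; the allow entry is at the bottom.
EXAMPLE2 = {PRODUCTS: [ACE("restricted-it", False, READ), ACE("allowed-it", True, READ)]}
# Inheritance: nothing on the page itself, an allow entry on the parent, a deny on the root.
INHERITED = {"/": [ACE("restricted-it", False, READ)],
             "/content/geometrixx/en": [ACE("allowed-it", True, READ)]}

if __name__ == "__main__":
    for name, acls in (("example 1", EXAMPLE1), ("example 2", EXAMPLE2), ("inherited", INHERITED)):
        verdict = "allowed" if evaluate(acls, PRODUCTS, USER_PRINCIPALS, "jcr:read") else "denied"
        print(f"{name}: jcr:read on {PRODUCTS} is {verdict}")
```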
Hi Rahul,
Very helpful post!!
But can you please elaborate with more use cases.
Regards,
Swati Kad
Hi,
I am having a small doubt. In example #1 the ACL allow is at the bottom, so it should be allowed (same as example 2).
In Example 1 Restricted is at the bottom so access will be denied, while in example 2 allowed is at the bottom hence access will be allowed.
Ohh ok. I think I had seen the example 2 image for the first example. Thanks.