
Sunday 26 November 2017

ACLs and How they are evaluated


Access Control Lists (ACLs) are made up of individual permissions (ACEs, Access Control Entries) and determine the order in which these permissions are actually applied.


An AccessControlEntry (ACE) represents the association of one or more Privilege objects with a specific Principal.

A standard installation of a CRX repository is configured to use resource-based access control lists.

Resource-based ACLs

That means that a resource (a node) is associated with a list of allow/deny entries for certain principals (users or groups), so it is natural to store those entries alongside the JCR node itself.

ACLs and How They Are Evaluated

  • Allow rights have higher precedence than deny rights.
  • Group principals are evaluated in order, both within the hierarchy and in their order within a single access control list, i.e. on the same node (CONCURRENT).
  • This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.


Concurrent (on the same node) Permission on ACL




EXAMPLE 1.

Suppose you have the following ACL for the same resource under /content/geometrixx/en/products.

If a user is part of the two groups 'allowed-it' and 'restricted-it', you can see that access to the page products is denied, because the ACL deny on read access is the rule at the bottom.

EXAMPLE 2.

Now, if the order of the ACL is the opposite, a user who is part of the two groups allowed-it and restricted-it will have access to the products page (because the ACL allow on read access is the rule at the bottom).
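The bottom-up scan described in the two examples, as an added model (not code from the original post or from CRX/Oak itself): the entries are constructed to stand in for the screenshots, with 'allowed-it' granting jcr:read and 'restricted-it' denying it, and only the same-node (CONCURRENT) rule is modelled, not inheritance from parent nodes.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal is allowed or denied a privilege."""
    principal: str
    allow: bool
    privilege: str


def evaluate(acl: List[Ace], principals: Set[str], privilege: str) -> Optional[bool]:
    """Scan the node's ACL bottom-up (last entry first) and return the decision
    of the first ACE that names one of the user's principals and covers the
    requested privilege. Returns None when no entry on this node applies; a
    real repository would then continue with the parent node, which this
    constructed example does not model."""
    for ace in reversed(acl):
        if ace.principal in principals and ace.privilege == privilege:
            return ace.allow
    return None


# Constructed ACLs standing in for the two screenshots in the post.
USER_PRINCIPALS = {"allowed-it", "restricted-it"}   # user is in both groups

EXAMPLE_1 = [
    Ace("allowed-it", True, "jcr:read"),
    Ace("restricted-it", False, "jcr:read"),   # deny is the bottom entry
]
EXAMPLE_2 = list(reversed(EXAMPLE_1))          # allow is the bottom entry


def can_read(acl: List[Ace], principals: Set[str] = frozenset(USER_PRINCIPALS)) -> Optional[bool]:
    """Decision for jcr:read on /content/geometrixx/en/products for the given principals."""
    return evaluate(acl, set(principals), "jcr:read")


if __name__ == "__main__":
    print("Example 1 read:", can_read(EXAMPLE_1))   # False: deny is scanned first
    print("Example 2 read:", can_read(EXAMPLE_2))   # True: allow is scanned first
    print("Only allowed-it:", can_read(EXAMPLE_1, {"allowed-it"}))  # True either way
```

Swapping the two entries is the only difference between the examples, which is why the same user gets opposite results.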

Continue reading: Acl setup service


4 comments:

  1. Hi Rahul,

    Very helpful post!!

    But can you please elaborate with more use cases.

    Regards,
    Swati Kad
  2. Hi,
    I am having a small doubt. In example #1 ACL allow is at the bottom so it should be allowed (same as example 2)
    Replies
    1. In Example 1 Restricted is at the bottom so access will be denied, while in example 2 allowed is at the bottom, hence access will be allowed.

    2. Ohh ok. I think I had seen the example 2 image for the first example. Thanks