

About Access Control List Authorization
The Access Control List, or ACL, allows you to set specific permissions for users and roles. A permission relates to an action the user is allowed to perform, such as a read or write.

The Netscape Application Server comes with default permissions, but you can also create your own application-specific permissions and ACLs. The application uses the information in an ACL through the isAuthorized( ) method. You name the ACL when you create it, and that name is passed in later calls to the isAuthorized( ) method. When this method is called, the application can verify the permissions of the current user or role for the action the user is attempting.

For example, a segment of an AppLogic object might perform a read action. Before this segment of code is executed, the application developer can verify that the current user or role has read permissions. When the isAuthorized( ) method is called, the Netscape Application Server checks the local registry to verify that the current ACL name has this user as a member and that the user has read permission.

If a user does not have the required permission, the application can take the next logical step: exit the user from the application, allow the user to log in again, or direct the user to a different part of the application. The application developer determines which of these happens, and it can be implemented through the GXR files or through the Netscape Application Server Administrator.

About Groups
Rather than adding individual users and roles as members of the ACL, it is recommended that you create groups to which users and roles belong and add only groups to the ACL. This is useful if you are using individual user-based security rather than role-based security.

This saves the administrative work of updating users and roles in the ACL when they change. For example, if you have created users for an intranet application and a user leaves the company, you only need to remove that user from the appropriate group or groups, rather than from the groups and from any ACLs.
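
The following added example (not Netscape Application Server code, and not its API) models the named-ACL check described under About Access Control List Authorization together with the group recommendation above. Registry, is_authorized, offboard and the sample names are hypothetical, and users and groups are assumed to share one namespace. It shows that removing a user from their groups revokes group-granted access, while a direct ACL entry survives and has to be found separately.

```python
# Simplified model of named ACLs with user and group members.
# Not the Netscape Application Server API: Registry, is_authorized and
# offboard are hypothetical names; users and groups share one namespace.

class Registry:
    def __init__(self):
        self.groups = {}   # group name -> set of user names
        self.acls = {}     # ACL name -> {member name -> set of permissions}

    def add_to_group(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def grant(self, acl, member, *permissions):
        # member may be a user name or a group name
        self.acls.setdefault(acl, {}).setdefault(member, set()).update(permissions)

    def is_authorized(self, user, acl, permission):
        entries = self.acls.get(acl)
        if entries is None:
            return False   # unknown ACL name: deny by default
        for member, perms in entries.items():
            if permission not in perms:
                continue
            if member == user or user in self.groups.get(member, ()):
                return True
        return False

    def offboard(self, user):
        # Remove the user from every group, then report ACLs that still
        # list the user directly and so need a separate cleanup.
        for members in self.groups.values():
            members.discard(user)
        return sorted(a for a, e in self.acls.items() if user in e)


def demo():
    reg = Registry()
    reg.add_to_group("hr_staff", "alice")          # constructed sample data
    reg.add_to_group("hr_staff", "bob")
    reg.grant("EmployeeRecords", "hr_staff", "read")
    reg.grant("EmployeeRecords", "bob", "write")   # direct user entry
    before = reg.is_authorized("alice", "EmployeeRecords", "read")
    stale = reg.offboard("alice") + reg.offboard("bob")
    return {
        "alice_before": before,
        "alice_after": reg.is_authorized("alice", "EmployeeRecords", "read"),
        "bob_write_after": reg.is_authorized("bob", "EmployeeRecords", "write"),
        "stale_acls": stale,
    }
```

In this model, bob keeps write access after leaving every group because of the direct entry, which is the cleanup that a groups-only ACL avoids.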

 

© Copyright 1998 Netscape Communications Corporation