This example explains the format of an NT-style ACL, describes the security checks performed against the ACL, and then shows how NT security would be configured using the Generic security type.
The ACL is a string of text that specifies who is allowed to view a document. An NT ACL begins with a 0 or a 1 (the Everyone flag) and is followed by four sections: U (allowed users), G (allowed groups), NU (disallowed users) and NG (disallowed groups). Each section holds a comma-separated list of encrypted strings, and each encrypted string holds a user name or the name of a group.
When the ACL is processed by IDOL, the disallowed users and groups are always given priority. A user is not allowed to view a document if they are in the list of disallowed users (NU) or if they belong to a group in the list of disallowed groups (NG).
If the user has not been explicitly denied access, the rest of the ACL determines whether they are granted access to a document. If the Everyone flag is 0 they are granted access only if their user name appears in the list of allowed users (U), or if they are in a group that appears in the list of allowed groups (G). If the Everyone flag is 1 the user is granted access, regardless of whether they appear in those lists (U or G).
This process is represented by the following diagram:
In the following example ACL,
user2 are permitted to view the document;
user3 is not permitted to view the document. No access rights for any groups are specified:
The ACL string must be complete and well-formed. For example, even when no allowed groups are specified, the string element G:: must appear in the correct place.
In the IDOL Server configuration file, to configure NT security through the Generic Security Module, the content security section would contain:

    Type=AUTONOMY_SECURITY_V4_GENERIC_MAPPED
    SecurityACLFormat=<E=B!>:U:<U=SLE+>:G:<G=SLE+>:NU:<NU=SLE->:NG:<NG=SLE->
    SecurityACLCheck=NU=[DU]?F:-,NG=[DG]?F:-,E=1?P:-,U=[DU]?P:-,G=[DG]?P:F
SLE+ in the example indicates that ACL field U is an Encrypted String List of Positive terms.
The comma-separated values in the SecurityACLCheck parameter are explained in the following table:
    NU=[DU]?F:-    Compare ACL field disallowed users (NU) with the user name. If the user is listed, fail (deny access); otherwise continue with the next check.
    NG=[DG]?F:-    Compare ACL field disallowed groups (NG) with the user's groups. If any group matches, fail; otherwise continue with the next check.
    E=1?P:-        Compare ACL field everyone (E) with 1. If the flag is 1, pass (grant access); otherwise continue with the next check.
    U=[DU]?P:-     Compare ACL field allowed users (U) with the user name. If the user is listed, pass; otherwise continue with the next check.
    G=[DG]?P:F     Compare ACL field allowed groups (G) with the user's groups. If any group matches, pass; otherwise fail.
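The following added example (illustration code, not part of IDOL or of this topic) parses an ACL string in the E:U:...:G:...:NU:...:NG:... layout and evaluates it with the SecurityACLCheck rule string above, so the deny-first ordering of the checks can be seen in working code. It assumes plain-text list elements rather than encrypted strings, that [DU] stands for the requesting user's name and [DG] for that user's groups, and that the actions P, F and - mean pass, fail and continue respectively; the user and group names are constructed sample data.

```python
"""Evaluate NT-style ACL strings against a SecurityACLCheck rule string.

Assumptions (this is an added illustration, not IDOL's own implementation):
  - list elements are plain text, not encrypted strings;
  - [DU] is the requesting user's name, [DG] is the set of groups they belong to;
  - actions: P = pass (grant), F = fail (deny), - = continue with the next rule.
"""
from dataclasses import dataclass

# The check string from the configuration example above.
ACL_CHECK = "NU=[DU]?F:-,NG=[DG]?F:-,E=1?P:-,U=[DU]?P:-,G=[DG]?P:F"

# Map each ACL field label to the attribute that holds its list.
FIELD_ATTR = {"U": "users", "G": "groups", "NU": "no_users", "NG": "no_groups"}


@dataclass
class Acl:
    everyone: bool
    users: set
    groups: set
    no_users: set
    no_groups: set


def parse_acl(acl: str) -> Acl:
    """Parse '<E>:U:<list>:G:<list>:NU:<list>:NG:<list>'.

    Every label must be present in order, even when its list is empty
    (e.g. the 'G::' element when no allowed groups are specified).
    """
    parts = acl.split(":")
    labels_ok = len(parts) == 9 and parts[1::2] == ["U", "G", "NU", "NG"]
    if not labels_ok:
        raise ValueError(f"malformed ACL: {acl!r}")
    if parts[0] not in ("0", "1"):
        raise ValueError(f"Everyone flag must be 0 or 1: {acl!r}")

    def as_set(field: str) -> set:
        # Empty elements ('' from 'G::') yield an empty set.
        return {item for item in field.split(",") if item}

    return Acl(
        everyone=parts[0] == "1",
        users=as_set(parts[2]),
        groups=as_set(parts[4]),
        no_users=as_set(parts[6]),
        no_groups=as_set(parts[8]),
    )


def check_access(acl: Acl, user: str, user_groups, rules: str = ACL_CHECK) -> bool:
    """Run the comma-separated rules in order; the first P or F decides."""
    for rule in rules.split(","):
        condition, actions = rule.split("?")
        field, operand = condition.split("=")
        on_match, on_miss = actions.split(":")
        if field == "E":
            matched = acl.everyone == (operand == "1")
        else:
            # [DU] compares the user name, [DG] compares the user's groups.
            candidates = {user} if operand == "[DU]" else set(user_groups)
            matched = bool(getattr(acl, FIELD_ATTR[field]) & candidates)
        action = on_match if matched else on_miss
        if action == "P":
            return True
        if action == "F":
            return False
        # "-" : no decision yet, continue with the next rule.
    return False  # default deny if the rule string never reaches P or F


def demo() -> dict:
    """Constructed sample: user1 and user2 allowed, user3 denied, no group entries."""
    acl = parse_acl("0:U:user1,user2:G::NU:user3:NG:")
    return {
        "user1": check_access(acl, "user1", ["staff"]),
        "user3": check_access(acl, "user3", ["staff"]),
        "user9": check_access(acl, "user9", ["staff"]),
    }


if __name__ == "__main__":
    print(demo())
```

Because NU and NG are evaluated before E, U and G, a user who appears in both the allowed and the disallowed list is denied, and a document with the Everyone flag set to 1 is still hidden from anyone on its disallowed lists; the parser rejects strings that omit a section label, matching the requirement that G:: and the other labels appear even when empty.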