Example - NT Security

This example explains the format of an NT-style ACL, describes the security checks performed against the ACL, and then shows how NT security would be configured using the Generic security type.

The ACL is a string of text that specifies who is allowed to view a document. An NT ACL looks like this:

0:U:<users>:G:<groups>:NU:<nousers>:NG:<nogroups>

The ACL begins with a 0 or a 1 (the Everyone flag) and is followed by four sections:

    U    Allowed users
    G    Allowed groups
    NU   Disallowed users
    NG   Disallowed groups

The <users>, <groups>, <nousers>, and <nogroups> sections each hold a comma-separated list of encrypted strings. Each encrypted string holds a username or the name of a group.

When the ACL is processed by IDOL, the disallowed users and groups are always given priority. A user is not allowed to view a document if they are in the list of disallowed users (NU) or if they belong to a group in the list of disallowed groups (NG).

If the user has not been explicitly denied access, the rest of the ACL determines whether they are granted access to a document. If the Everyone flag is 0 they are granted access only if their user name appears in the list of allowed users (U), or if they are in a group that appears in the list of allowed groups (G). If the Everyone flag is 1 the user is granted access, regardless of whether they appear in those lists (U or G).

This process is represented by the following diagram:

In the following example ACL, user1 and user2 are permitted to view the document; user3 is not permitted to view the document. No access rights for any groups are specified:

     0:U:user1,user2:G::NU:user3:NG:

The ACL string must be complete and well-formed. For example, even when no allowed groups are specified the string element G:: must appear in the correct place.

In the IDOL Server configuration file, to configure NT security through the Generic Security Module, the content security section would contain:

     Type=AUTONOMY_SECURITY_V4_GENERIC_MAPPED
     SecurityACLFormat=<E=B!>:U:<U=SLE+>:G:<G=SLE+>:NU:<NU=SLE->:NG:<NG=SLE->
     SecurityACLCheck=NU=[DU]?F:-,NG=[DG]?F:-,E=1?P:-,U=[DU]?P:-,G=[DG]?P:F

NOTE: SLE+ in the example indicates that ACL field U is an Encrypted String List of Positive terms.

The comma-separated values in the SecurityACLCheck parameter are explained in the following table:

    NU=[DU]?F:-   Compare ACL field disallowed users (NU) to the user (DU). Deny access (F) if there is a match, otherwise continue (-).
    NG=[DG]?F:-   Compare ACL field disallowed groups (NG) to each of the user's group memberships (DG). Deny access (F) if there is a match, otherwise continue (-).
    E=1?P:-       Compare ACL field everyone (E) to 1. Allow access (P) if matched, otherwise continue (-).
    U=[DU]?P:-    Compare ACL field allowed users (U) to the user (DU). Allow access (P) if matched, otherwise continue (-).
    G=[DG]?P:F    Compare ACL field allowed groups (G) to each of the user's group memberships (DG). Allow access (P) if matched, otherwise deny access (F).
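The parser and the five-step check described above, as an added illustration that is not IDOL's own code: it rejects an ACL string that is not well-formed (for example one missing the G:: element) and evaluates the SecurityACLCheck clauses in the order given, returning which clause decided. It assumes plain-text user and group names where a real ACL holds encrypted strings.

```python
import re

# One capture group per ACL section, in the fixed order the page gives:
# <Everyone>:U:<users>:G:<groups>:NU:<nousers>:NG:<nogroups>
ACL_RE = re.compile(r"^([01]):U:([^:]*):G:([^:]*):NU:([^:]*):NG:([^:]*)$")


def _names(section):
    """Turn a comma-separated section into a set, ignoring empty entries."""
    return {name for name in section.split(",") if name}


def parse_nt_acl(acl):
    """Split an NT-style ACL into (everyone, U, G, NU, NG).

    Raises ValueError when the string is malformed: every section marker
    must be present, in order, even when its list is empty (e.g. 'G::').
    """
    match = ACL_RE.match(acl)
    if not match:
        raise ValueError("malformed NT ACL: %r" % acl)
    everyone = match.group(1) == "1"
    users, groups, nousers, nogroups = (_names(match.group(i)) for i in range(2, 6))
    return everyone, users, groups, nousers, nogroups


def is_well_formed(acl):
    """True if the ACL string has all five sections in the correct place."""
    return ACL_RE.match(acl) is not None


def check_access(acl, user, user_groups):
    """Evaluate the ACL for a user (DU) with group memberships (DG).

    Returns (permitted, clause): permitted is True for P and False for F;
    clause names the SecurityACLCheck clause that produced the decision.
    Assumption (constructed example): names are compared as plain strings,
    whereas the real SLE fields hold encrypted strings.
    """
    everyone, allowed_users, allowed_groups, denied_users, denied_groups = parse_nt_acl(acl)
    memberships = set(user_groups)
    if user in denied_users:                 # NU=[DU]?F:-  explicit user deny wins
        return False, "NU"
    if memberships & denied_groups:          # NG=[DG]?F:-  group deny wins
        return False, "NG"
    if everyone:                             # E=1?P:-      Everyone flag permits
        return True, "E"
    if user in allowed_users:                # U=[DU]?P:-   listed user permits
        return True, "U"
    if memberships & allowed_groups:         # G=[DG]?P:F   listed group permits ...
        return True, "G"
    return False, "G"                        # ... otherwise the G clause denies
```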
