Using CA AppLogic® › Grid Administration Guide › Role-Based Access Control › Managing New Object ACL Creation

Managing New Object ACL Creation

CA AppLogic® 3.1.x introduces the ability to manage new object ACL creation. The owner and principal entries of a newly created object ACL can be determined by user or by group. This allows for considerable flexibility in managing access to newly created objects. New object ACL management introduces the following concepts:

New object ACL definition - a new object ACL definition can be associated to a particular user or group. The new object ACL definition is identical in form to an object ACL. It is comprised of owner and a list of entries where each entry is comprised of a principal and a corresponding access level. Each extant user and group may, or may not, have an associated new object ACL definition. If the new object ACL definition is associated to a user, then the owner must be either that user or a group (or empty). If the new object ACL definition is associated to a group, then the owner must be a group (or empty).

Primary group - a primary group is a user profile property which indicates that group which can be used to determine the new object ACL for the corresponding user. A user's primary group can be set when creating the user or by using the user set command. If a user's primary group has not been explicitly set, then it defaults to the implicit local group all.

When a user creates, migrates or imports a new application or global catalog, the ACL of the new object is created as follows:

1. If the executing user has an associated new object ACL definition, then use this definition to determine the new object ACL.
2. Otherwise, if the executing user’s primary group has an associated new object ACL definition, then use this definition to determine the new object ACL.
3. Otherwise, make the executing user the owner of the new object and provide this user full access level rights.

A new object ACL definition is used to determine the contents of a new object ACL as follows:

1. Determine the owner in the ACL:
   • If the new object ACL definition has a user defined as the owner, and this user is the executing user, then make the executing user the owner in the new ACL.
   • Otherwise, if the new object ACL definition has a group defined as the owner, and this group includes the executing user as a member, then make this group the owner in the new ACL.
   • Otherwise make the executing user the owner in the new ACL.
2. Determine the list of entries in the ACL:
   • Include each entry from the new object ACL definition in the new ACL.
   • Provide the executing user full access in the new ACL if the user is not otherwise provided full access (either explicitly or through group membership). This over-rides an entry in the new object ACL definition for the executing user if it exists.

When a user copies an existing application, the ACL of the copy is created as follows:

• The owner is determined as described above for object creation.
• The principal entries of the original ACL are copied intact. None of these entries are modified and no new entries are added.

New object ACL management introduces a number of new CLI utilities and modifies several existing utilities as follows:

user set and user create

These commands introduce a new option: group=<group>[,<group>]* The group option can be used to set a user’s primary group and to add the user as a member to local groups as follows:

• The user is added as a member to each local group on the list.
• The user’s primary group is set to the first group on the list.
• Only the first group on the list may be a global group.

  user info
  

This commands is modified to display the user’s primary group and, if it exists, the new object ACL definition associated to the user.

user get_newobj_acl

Display the new object ACL associated to a user.

user put_newobj_acl

Replace the new object ACL associated to a user.

user modify_newobj_acl

Modify the new object ACL associated to a user.

group info and group get

These commands are modified to display the new object ACL definition associated to a group if it exists.

group get_newobj_acl

Display the new object ACL associated to a group.

group put_newobj_acl

Replace the new object ACL associated to a group.

group modify_newobj_acl

Modify the new object ACL associated to a group.

The following examples illustrate typical use cases for managing new object ACL creation:

1. To manage new object ACL creation such that object access mimics the behavior of CA AppLogic® versions 2.9.x and earlier, create a new object ACL definition for the implicit local group all as follows:
   • The owner is the implicit local group all.
   • The list of entries provides the implicit local group all full access level rights.

   By default each user’s primary group is the implicit local group all. In this example each time a user creates a new object it is owned and fully accessible by everyone.

2. To manage a single user’s new object ACL creation, create a new object ACL definition for that particular user.
3. To manage a group of users new object ACL creation, set the primary group for each user to a particular group and create a new object ACL definition for that group.
4. To manage all users new object ACL creation, create a new object ACL definition for the implicit local group all. This affects each user whose primary group is the implicit local group all and which does not have a new object ACL definition associated to itself.