

Initial Object ACLs

A user can create an application using the create, provision, import or migrate operations. Likewise, a global catalog can be created using the create, import or migrate operations. When a user creates an application or a global catalog, its ACL is created with that user as the owner and grants that user full access level rights.

When a user copies an application, the ACL of the newly created application preserves the entries of the original application's ACL, and the copying user becomes the owner. The copying user is not explicitly granted full access level rights on the resulting application, but can grant themselves such rights by modifying the ACL of the new object.

By default, object ACL entries are not preserved during export, import or migration; however, command line options exist which make this possible.

Preserving ACL entries during export can be accomplished using the --preserve_acl, --preserve_local_acl or --preserve_global_acl options. These options cause the ACL entries, or selected portions of the ACL entries, to be exported with the object.

Preserving ACL entries during migration or import can be accomplished using these same --preserve_acl, --preserve_local_acl or --preserve_global_acl options. During migrate or import, the requested ACL entries are preserved only if their principal IDs correspond to valid principals on the grid on which the new object is created. It follows that, to preserve global user or global group entries in the ACL, the grid on which the object is created must use the global directory service that maintains those global users and groups. In the case of a local principal entry, the principal ID must likewise correspond to an existing local principal on the grid.

Note that when a local user or local group is created, it is assigned a random ID. Because of this, two local users named John on two different grids will have different IDs. As a result, John on one grid cannot be preserved as an ACL entry when migrating an object to the other grid, because John on the other grid has a different ID. Currently, the only local principals whose IDs are the same on different grids, and can therefore be preserved across grids, are the implicit local group all and the local group admin. Of course, if you export and then import an object on the same grid, other local principal entries can be preserved too.

When these options are used during migrate or import, the ACL of the resulting object is otherwise created normally: the executing user becomes the owner of the new object and is granted full access level rights.
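The following added example models the preservation rule described above (it is illustrative code written for this page, not the product's own implementation): an ACL entry survives an import or migrate only if its principal ID resolves on the target grid, local principals other than all and admin get random IDs per grid, global principals resolve only through a shared global directory service, and the importing user always becomes the owner with full access. All grid names, user names and ID strings are constructed placeholders.

```python
"""Illustrative model of how ACL entries survive an import or migrate
performed with a preserve-ACL option.  Added example, not the product's
own code; every grid name, user name and ID below is constructed."""
from dataclasses import dataclass, field
import secrets

# Per the page, only the implicit local group "all" and the local group
# "admin" share an ID across grids.  These literal IDs are placeholders.
WELL_KNOWN_LOCAL_IDS = {"all": "local-all", "admin": "local-admin"}
FULL = "full"  # full access level


@dataclass
class Principal:
    name: str
    pid: str
    scope: str  # "local" or "global"


class GlobalDirectory:
    """A global directory service; grids sharing one see the same global IDs."""
    def __init__(self, name):
        self.name = name
        self.principals = {}  # pid -> Principal

    def add(self, name):
        p = Principal(name, "global-" + secrets.token_hex(4), "global")
        self.principals[p.pid] = p
        return p


@dataclass
class Grid:
    name: str
    directory: GlobalDirectory
    local_principals: dict = field(default_factory=dict)  # pid -> Principal

    def add_local(self, name):
        # Local principals get a random ID at creation, except the two
        # well-known groups, so "john" on two grids has two different IDs.
        pid = WELL_KNOWN_LOCAL_IDS.get(name) or "local-" + secrets.token_hex(4)
        p = Principal(name, pid, "local")
        self.local_principals[pid] = p
        return p

    def resolve(self, pid):
        """Return the principal for pid if it is valid on this grid, else None."""
        return self.local_principals.get(pid) or self.directory.principals.get(pid)


@dataclass
class AclEntry:
    pid: str
    access: str


@dataclass
class Acl:
    owner: str     # pid of the owner
    entries: list  # list of AclEntry


def import_object_acl(source_acl, target, importing_user, preserve_acl):
    """Build the ACL of the object created on `target` by `importing_user`.

    Entries are kept only when preservation was requested and the entry's
    principal ID resolves on the target grid.  The importing user becomes
    owner with full access regardless of the preserve option.
    """
    kept, dropped = [], []
    for entry in source_acl.entries:
        (kept if preserve_acl and target.resolve(entry.pid) else dropped).append(entry)
    if not any(e.pid == importing_user.pid for e in kept):
        kept.append(AclEntry(importing_user.pid, FULL))
    return Acl(owner=importing_user.pid, entries=kept), dropped


def demo():
    """Migrate one object from grid A to grid B (same directory service)
    and to grid C (a different directory service); return who survived."""
    corp_dir, other_dir = GlobalDirectory("corp"), GlobalDirectory("partner")
    alice = corp_dir.add("alice")  # global user known via corp_dir only
    grid_a, grid_b, grid_c = Grid("A", corp_dir), Grid("B", corp_dir), Grid("C", other_dir)
    john_a = grid_a.add_local("john")
    grid_b.add_local("john")       # same name on B, but a different random ID
    admin_a = grid_a.add_local("admin")
    grid_b.add_local("admin")
    grid_c.add_local("admin")
    bob, carol = grid_b.add_local("bob"), grid_c.add_local("carol")

    source = Acl(owner=john_a.pid, entries=[
        AclEntry(john_a.pid, FULL), AclEntry(admin_a.pid, "read"), AclEntry(alice.pid, "read")])

    def names(grid, entries):
        return sorted(grid.resolve(e.pid).name for e in entries)

    results = {}
    for label, target, user, preserve in (("to_B", grid_b, bob, True),
                                          ("to_C", grid_c, carol, True),
                                          ("to_B_no_preserve", grid_b, bob, False)):
        acl, dropped = import_object_acl(source, target, user, preserve)
        results[label] = {"owner": target.resolve(acl.owner).name,
                          "kept": names(target, acl.entries),
                          "dropped": names(grid_a, dropped)}
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running the block shows john's entry dropped on every target, alice's entry kept only on the grid that shares the corp directory service, admin kept everywhere, and the importing user added as owner with full access even when no preservation option is given.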