Policy Server Guides › Policy Server Configuration Guide › Implementing Policy-based Security › Strategies for Managing Security and Users › Access Control Lists
Access Control Lists
An access control list is an object associated with a resource that defines access privileges for individual users or groups of users. ACLs are associated with resources to establish:
- Who can access a resource
- What type of access the user has
ACLs provide a straightforward way of granting or denying a specified user or groups of users access to a resource. For example:
The access control list above assigns users in the manager group complete access, users in the clerk group read-only access, and users in all other groups no access to the resource.
Several drawbacks are associated with ACLs:
- Controlling a user's interaction with a resource once the user is authorized and authenticated is difficult. For example, you cannot use ACLs to define session timeouts.
- Managing ACLs for large numbers of resources can be prohibitively time consuming and costly. ACLs create a significant administrative burden.
- Profiling user information is difficult. Users are added to ACLs, which are then associated with resources, making it difficult to determine all of the resources a user has access to at any given moment.
- Qualifying access rights is difficult. It's virtually impossible to restrict access based on a time or a location.
- Personalizing content and defining responses is difficult. If a user has access to a resource, it's difficult to personalize the content or define what happens when the user is allowed or denied access. For instance, you can't use an ACL to display or hide a set of buttons when the user accesses the resource.
ACLs are an effective way to protect a resource but an ineffective way to manage the user experience.