Xentara v2.0.3
User Manual
ACLs Examples

Granting write access to everyone for the entire model

To grant all authenticated clients write access to all elements, all you need to do is define the following global ACL in the Xentara security configuration file:

Global ACL:

| Role | Allow | Deny |
|---|---|---|
| Everyone | write | |

Inherit: yes

Granting write access to a group of clients for the entire model

To allow write access to only a group of clients, you must define a role that you can assign to those clients. You can, for example, name that role “Operators”. Then, create a global ACL in the Xentara security configuration file granting write access to all operators:

Global ACL:

| Role | Allow | Deny |
|---|---|---|
| Operator | write | |

Inherit: yes

Granting write access only for a specific element and its children

To allow write access to only a specific element, you must define an element ACL for that element in the Xentara model file:

ACL for “My.Writable.Element”:

| Role | Allow | Deny |
|---|---|---|
| Everyone | write | |

Inherit: yes

You can, of course, restrict write access to only a subset of clients by specifying a role other than “Everyone”:

ACL for “My.Writable.Element”:

| Role | Allow | Deny |
|---|---|---|
| Operator | write | |

Inherit: yes

Granting write access for all elements except a specific element and its children

To allow write access to all elements except a specific element, you must first allow write access for everyone using the global ACL in the Xentara security configuration file. You can then remove that access for a specific element by defining an element ACL in the Xentara model file:

Global ACL:

| Role | Allow | Deny |
|---|---|---|
| Everyone | write | |

Inherit: yes

ACL for “My.Restricted.Element”:

| Role | Allow | Deny |
|---|---|---|
| Everyone | | write |

Inherit: yes

If you want to retain write access for a specific user role, you can explicitly enable it for that role only:

Global ACL:

| Role | Allow | Deny |
|---|---|---|
| Everyone | write | |

Inherit: yes

ACL for “My.Restricted.Element”:

| Role | Allow | Deny |
|---|---|---|
| Everyone | | write |
| Administrator | write | |

Inherit: yes

Conservative access grants

If you want complete control over all entitlements, without using the defaults, you can disable inheritance on the global ACL. This will prevent, for example, everyone from having read access by default:

Global ACL:

| Role | Allow | Deny |
|---|---|---|
| Operator | read, write | |

Inherit: no

This ACL will not inherit the default “allow” disposition for read access. So only operators will have read access.
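
To check what a set of ACLs like the ones above grants before deploying it, the following added example (not part of the Xentara manual and not Xentara code) models the restricted-element and conservative-grant examples in Python. The precedence rules, the dot-separated element hierarchy and all function and constant names are assumptions chosen to reproduce the outcomes this page describes, not Xentara's documented evaluation algorithm.

```python
# Simplified model of the ACL examples on this page; not Xentara code.
# Assumptions: element names form a dot-separated hierarchy; the nearest ACL
# with a matching entry decides; within one ACL a named role's entry beats
# the "Everyone" entry; the default ACL grants read to Everyone.
DEFAULT_ACL = {"inherit": False,
               "entries": {"Everyone": {"allow": {"read"}, "deny": set()}}}

def acl(inherit, **roles):
    """Build an ACL; each role maps to (allowed rights, denied rights)."""
    return {"inherit": inherit,
            "entries": {role: {"allow": set(allow), "deny": set(deny)}
                        for role, (allow, deny) in roles.items()}}

def decide(one_acl, roles, right):
    """True/False if this ACL settles the right, None if it is silent."""
    for group in (roles - {"Everyone"}, {"Everyone"}):
        hits = [one_acl["entries"][r] for r in group if r in one_acl["entries"]]
        if any(right in e["deny"] for e in hits):
            return False
        if any(right in e["allow"] for e in hits):
            return True
    return None

def is_allowed(element, roles, right, global_acl, element_acls):
    """Check element ACLs from the element upward, then global, then default."""
    roles = set(roles) | {"Everyone"}
    parts = element.split(".")
    chain = [element_acls.get(".".join(parts[:i])) for i in range(len(parts), 0, -1)]
    for one_acl in chain + [global_acl, DEFAULT_ACL]:
        if one_acl is None:
            continue
        verdict = decide(one_acl, roles, right)
        if verdict is not None:
            return verdict
        if not one_acl["inherit"]:
            break  # "Inherit: no" cuts off everything further up, defaults included
    return False

# The page's "all elements except one" example, with the Administrator carve-out.
OPEN_GLOBAL = acl(True, Everyone=({"write"}, ()))
RESTRICTED = {"My.Restricted.Element":
              acl(True, Everyone=((), {"write"}), Administrator=({"write"}, ()))}
# The page's "conservative access grants" example.
CONSERVATIVE_GLOBAL = acl(False, Operator=({"read", "write"}, ()))

if __name__ == "__main__":
    for who in ([], ["Administrator"]):
        print(who, is_allowed("My.Restricted.Element.Child", who, "write",
                              OPEN_GLOBAL, RESTRICTED))
```

Checking both the denied and the retained case for each restricted element, including a child element, catches an ACL that is broader than intended before clients connect.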