Sun Java System Instant Messaging 7.2 Administration Guide

Managing Policies Using Access Control Files

By editing access control files you control the following end-user privileges:

By default, end users are provided the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. For most deployments, default values do not need to be changed.

Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users or groups.

In addition, if you are enforcing policy through access control files in your deployment, those files must be the same for all servers in a server pool.

Table 17–2 lists the global access control files for Instant Messaging and the privileges these files provide end users.

Table 17–2 Access Control Files (ACL file and the privileges it defines)

sysSaveUserSettings.acl
    Defines who can and cannot change their own preferences. Users who do not have this privilege cannot add contacts, create conferences, etc.

sysTopicsAdd.acl
    Defines who can and cannot create News channels.

sysRoomsAdd.acl
    Defines who can and cannot create Conference rooms.

sysSendAlerts.acl
    Defines who can and cannot send alerts. Disabling sysSendAlerts also disables polls.

sysWatch.acl
    Defines who can and cannot watch changes of other end users. For end users who do not have this privilege, the Instant Messenger window allows "conference and news channel subscription and non-subscription" only.

sysAdmin.acl
    Reserved for administrators only. This file sets administrative privileges to all Instant Messaging features for all end users. This privilege overrides all the other privileges and gives the administrator the ability to create and manage conference rooms and news channels, as well as access to end-user presence information, settings, and properties.

Procedure: To Change End-user Privileges in Access Control Files

  1. Change to the im-cfg-base/acls directory.

    See Instant Messaging Server Directory Structure for information on locating im-cfg-base.

  2. Edit the appropriate access control file.

    For example:

    vi sysTopicsAdd.acl

    See Table 17–2 for a list of access control files.

  3. Save the changes.

  4. End users need to refresh the Instant Messenger window to see the changes.

Using Access Control Files in a Server Pool

If you are enforcing policy through access control files in your deployment, the content of the files must be the same for all servers in a server pool. To ensure this, copy the files from one server to each of the other nodes in the pool. See Access Control File Location for information on finding these files.

Access Control File Location

The access control files are located in im-cfg-base/acls, where im-cfg-base is the configuration directory. See Instant Messaging Server Directory Structure for information about the default location of the configuration directory.

Access Control File Format

The access control file contains a series of entries that define the privileges. Each entry starts with one of the following tags:

u: an end user
g: a group
d: the default

The tag is followed by a colon (:). For the d: tag, the colon is followed by true or false. For the u: and g: tags, it is followed by the end-user or group name.

To specify multiple end users and groups, add one u: line per end user and one g: line per group.

The d: tag must be the last entry in an access control file. The server ignores all entries after a d: tag. If the d: tag is true, all other entries in the file are redundant and are ignored. You cannot set the d: tag as true in an access control file and selectively disallow end users that privilege. If default is set to false, only the end users and groups specified in the file will have that particular privilege.

The following are the default d: tag entries in the ACL files for a new installation:


Caution –

The format and also the existence of all the access control files might change in future releases of the product.



Note –

Disabling sysSendAlerts also disables polls.



Example 17–1 sysTopicsAdd.acl File

In the following example, the d: tag entry for the sysTopicsAdd.acl file is false. Therefore, the Add and Delete news channels privileges are available only to the end users and groups that appear before the d: entry, namely user1, user2, and the sales group.


# Example sysTopicsAdd.acl file
u:user1
u:user2
g:cn=sales,ou=groups,o=siroe
d:False
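As an added example (not code from the Instant Messaging product), the following Python parser applies the format rules above to the file from Example 17–1 and to a constructed d:True file, reporting the entries the server would ignore and the d:true case that makes earlier entries redundant. The function names and the treatment of a file with no d: entry are assumptions made for this example.

```python
from typing import NamedTuple

class Acl(NamedTuple):
    users: frozenset      # names from u: entries
    groups: frozenset     # names from g: entries
    default: bool         # value of the d: entry
    warnings: tuple       # findings an administrator would want to see

def parse_acl(text: str) -> Acl:
    """Parse u:/g:/d: entries; everything after the d: line is ignored."""
    users, groups, default, warnings = set(), set(), False, []
    seen_default = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if seen_default:
            warnings.append(f"line {lineno}: ignored, it follows the d: entry")
            continue
        tag, sep, value = line.partition(":")
        value = value.strip()
        if not sep or tag not in ("u", "g", "d"):
            warnings.append(f"line {lineno}: malformed entry {line!r}")
        elif tag == "u":
            users.add(value)
        elif tag == "g":
            groups.add(value)
        else:
            seen_default = True
            default = value.lower() == "true"
            if default and (users or groups):
                warnings.append("d:true makes the preceding u:/g: entries redundant")
    if not seen_default:
        # Assumption for this example: a file without a d: entry is read as d:false.
        warnings.append("no d: entry found; treating default as false")
    return Acl(frozenset(users), frozenset(groups), default, tuple(warnings))

def has_privilege(acl: Acl, user: str, member_of=()) -> bool:
    """d:true grants everyone; otherwise only listed users and group members."""
    return acl.default or user in acl.users or any(g in acl.groups for g in member_of)

# Example 17-1 as it appears on this page.
SAMPLE_TOPICS_ADD = """# Example sysTopicsAdd.acl file
u:user1
u:user2
g:cn=sales,ou=groups,o=siroe
d:False
"""
# Constructed sample: d:true opens the privilege to all, and the u: line after it is ignored.
SAMPLE_OPEN = "d:True\nu:user9\n"
```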