ACL strings in ATG are made up of a series of Access Control Entries (ACEs) separated from each other by semicolons:

ACL ::= ACE [ ';' ACE ]+

Each ACE is made up of colon-delimited parts:

These can be surrounded by an ACE type specifier that determines whether the ACE grants or denies rights:

ACE ::= (
  ( ( "grant" | "deny" ) '{' IDENTITY ':' ACCESS_RIGHTS_LIST '}' )

The "grant" modifier is the default, and can be omitted. If a "deny" ACE exists where a "grant" ACE also applies, the standard security policy denies access.

An identity is the literal string used by the User Authority to look up the identity’s Persona. The standard User Authority (/atg/dynamo/security/UserAuthority in Nucleus) encodes the identity as follows:

UD_IDENTITY ::= UD-name '$' principal-type '$' UD-principal-key


ATG comes configured with three other User Authorities:

These user authorities look up Persona information based on the unencoded name of the identity and are typically used for performing authentication. They are, however, front-ends for the standard User Authority and produce Personae that are equivalent to those produced by the standard User Authority. (Note the caveat regarding the mixing of User Authorities in the Create the Secured Repository Definition File: ACLs and Personae topic.)

The list of access rights is a comma-separated list of access right names:

access-right-list ::= access-right [ ',' access-right ]+

loading table of contents...