ACL strings in ATG are made up of a series of Access Control Entries (ACEs) separated from each other by semicolons:

ACL ::= ACE [ ';' ACE ]+

Each ACE is made up of two parts, an identity and a list of access rights, separated by a colon, and optionally surrounded by an ACE type specifier for determining whether the ACE is to grant or deny rights:

ACE ::= (
  ( IDENTITY ':' ACCESS_RIGHTS_LIST ) |
  ( ( "grant" | "deny" ) '{' IDENTITY ':' ACCESS_RIGHTS_LIST '}' )
)

The "grant" modifier is the default, and may be omitted. If a "deny" ACE exists where a "grant" ACE also applies, the standard security policy will deny access.

An identity is the literal string used by the User Authority to look up the identity’s Persona. The standard User Authority (/atg/dynamo/security/UserAuthority in Nucleus) encodes the identity as follows:

UD_IDENTITY ::= UD_NAME '$' PRINCIPAL_TYPE '$' UD_PRINCIPAL_KEY

where UD_NAME is the name of the User Directory as configured in the User Directory User Authority (usually either Admin for the ACC account database or Profile for the Profile Repository), PRINCIPAL_TYPE is one of user, org or role, and UD_PRINCIPAL_KEY is the primary key for looking up the principal in the User Directory. The primary key varies between User Directory implementations. The primary key is a numeric ID for Profile User Directories, but is the account name (for example, admin, administrators-group) for the ACC account User Directory.

ATG comes configured with three other User Authorities:

These user authorities look up Persona information based on the unencoded name of the identity and are typically used for performing authentication. They are, however, front-ends for the standard User Authority and produce Personae that are equivalent to those produced by the standard User Authority. (Note the caveat regarding the mixing of User Authorities in the Writing the Secured Repository Definition File: ACLs and Personae topic.)

The list of access rights is a comma-separated list of access right names:

ACCESS_RIGHTS_LIST ::= ACCESS_RIGHT [ ',' ACCESS_RIGHT ]+
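The following Python parser is an added example, not ATG code or part of the original page. It implements the grammar above: ACEs separated by semicolons, an optional grant/deny wrapper, a colon between identity and access rights, a comma-separated rights list, and the three-part '$'-encoded identity of the standard User Authority. check_access applies the deny-overrides rule stated earlier (a matching deny ACE wins over a matching grant ACE). The sample ACL string and its principal keys are constructed for illustration, and tolerance of surrounding whitespace is an assumption of this example rather than something the page specifies.

```python
import re
from dataclasses import dataclass

# Constructed sample ACL. Identities follow UD_NAME '$' PRINCIPAL_TYPE '$' UD_PRINCIPAL_KEY:
# Profile directories use a numeric key, the ACC Admin directory uses the account name.
SAMPLE_ACL = (
    "Profile$role$100001:read,write;"           # bare ACE, "grant" is implied
    "grant{Admin$user$admin:read,write,list};"  # explicit grant
    "deny{Profile$user$42:write}"               # explicit deny
)

PRINCIPAL_TYPES = {"user", "org", "role"}


@dataclass(frozen=True)
class Identity:
    ud_name: str         # e.g. "Admin" or "Profile"
    principal_type: str  # "user", "org" or "role"
    principal_key: str   # primary key in that User Directory


@dataclass(frozen=True)
class Ace:
    grant: bool          # False for a deny{...} entry
    identity: str        # raw identity string as it appears in the ACL
    rights: frozenset    # access right names


def parse_identity(identity: str) -> Identity:
    """Decode the standard User Authority identity encoding."""
    parts = identity.split("$")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"identity must be UD_NAME$PRINCIPAL_TYPE$KEY: {identity!r}")
    ud_name, principal_type, key = parts
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"unknown principal type {principal_type!r} in {identity!r}")
    return Identity(ud_name, principal_type, key)


def parse_ace(text: str) -> Ace:
    """Parse one ACE: IDENTITY ':' RIGHTS or (grant|deny) '{' IDENTITY ':' RIGHTS '}'."""
    text = text.strip()
    grant = True
    wrapped = re.fullmatch(r"(grant|deny)\s*\{(.*)\}", text, re.DOTALL)
    if wrapped:
        grant = wrapped.group(1) == "grant"
        text = wrapped.group(2).strip()
    if ":" not in text:
        raise ValueError(f"ACE is missing ':' between identity and rights: {text!r}")
    identity, rights_text = text.split(":", 1)
    identity = identity.strip()
    if not identity:
        raise ValueError("ACE has an empty identity")
    rights = [r.strip() for r in rights_text.split(",")]
    if any(not r for r in rights):
        raise ValueError(f"ACE has an empty access right in {rights_text!r}")
    return Ace(grant, identity, frozenset(rights))


def parse_acl(acl: str) -> list:
    """Split an ACL string on ';' and parse each ACE. Empty entries are ignored."""
    entries = [e for e in acl.split(";") if e.strip()]
    if not entries:
        raise ValueError("ACL contains no ACEs")
    return [parse_ace(e) for e in entries]


def check_access(aces: list, identities: set, right: str) -> bool:
    """Deny-overrides evaluation, as the page describes for the standard security policy.

    `identities` is the set of identity strings a principal's Persona carries
    (its own identity plus any roles and organizations). Any applicable deny ACE
    refuses the right; otherwise access requires at least one applicable grant ACE.
    """
    applicable = [a for a in aces if a.identity in identities and right in a.rights]
    if any(not a.grant for a in applicable):
        return False
    return any(a.grant for a in applicable)


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    for ace in aces:
        print("grant" if ace.grant else "deny ", parse_identity(ace.identity), sorted(ace.rights))
    member = {"Profile$user$42", "Profile$role$100001"}
    print("write:", check_access(aces, member, "write"))  # denied despite the role grant
    print("read: ", check_access(aces, member, "read"))
```

Running the script prints the three decoded ACEs and shows that user 42, although granted write through role 100001, is refused write by the explicit deny entry while still keeping read.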