In many cases, it may not be appropriate or desirable for all users in your organization to be able to view, create, or delete all types of assets. The Business Control Center uses Access Control Lists (ACLs) to manage asset security and determine the operations that a given user can perform on an asset. ACLs are described in detail in the Secured Repositories chapter of the ATG Repository Guide. In general terms, the mechanism works as follows: in the XML definition file of the secured repository that is used to manage the assets, there is an optional ACL setting for each item descriptor that represents a type of asset. This setting is the default security policy for all assets (repository items) of that type. The <descriptor-acl> tag contains a string specifying the user directory principals that have access to that item type and the level of access each principal has.
The following example shows the default security policy for ATG Personalization assets, which is defined in <ATG9>\Publishing\base\config\atg\epub\file\publishingFileSecurity.xml:
<!-- fileFolder security attributes --> <item-descriptor name="fileFolder"> <acl-property name="acl"/> <descriptor-acl value=" Profile$role$epubSuperAdmin:read,write,create,delete; Profile$role$epubAdmin:read,write,create,delete; Profile$role$epubManager:read,write,create,delete; Profile$role$epubUser:read,write,create,delete; Admin$role$administrators-group:read,write,create,delete; Admin$role$everyone-group:read;"/> </item-descriptor> <!-- targeter security attributes --> <item-descriptor name="targeter"> <acl-property name="acl"/> <descriptor-acl value=" Profile$role$epubSuperAdmin:read,write,create,delete; Profile$role$epubAdmin:read,write,create,delete; Profile$role$epubManager:read,write,create,delete; Profile$role$epubUser:read,write,create,delete; Admin$role$administrators-group:read,write,create,delete; Admin$role$everyone-group:read;"/> </item-descriptor> <!-- profileGroup security attributes --> <item-descriptor name="profileGroup"> <acl-property name="acl"/> <descriptor-acl value=" Profile$role$epubSuperAdmin:read,write,create,delete; Profile$role$epubAdmin:read,write,create,delete; Profile$role$epubManager:read,write,create,delete; Profile$role$epubUser:read,write,create,delete; Admin$role$administrators-group:read,write,create,delete; Admin$role$everyone-group:read;"/> </item-descriptor> <!-- contentGroup security attributes --> <item-descriptor name="contentGroup"> <acl-property name="acl"/> <descriptor-acl value=" Profile$role$epubSuperAdmin:read,write,create,delete; Profile$role$epubAdmin:read,write,create,delete; Profile$role$epubManager:read,write,create,delete; Profile$role$epubUser:read,write,create,delete; Admin$role$administrators-group:read,write,create,delete; Admin$role$everyone-group:read;"/> </item-descriptor>
You can set access rights for a role or an organization, in which case the rights are inherited by any user who is assigned to that role or organization (as shown in the example above). You can also set access rights for individual user profiles. When a user attempts to work with an asset in the Business Control Center, the secured repository is checked for access rights on the item the user is trying to manipulate.
As well as setting the default access rights for an asset type through the repository definition file, you can define access rights for individual assets through the Security tab in the Business Control Center. These rights replace the default security policy for that asset. This type of access control can be implemented for the following assets:
Individual user segments, content groups, and content targeters. For example, assume you have a content targeter that shows content to all users who have registered at your sites within the last month. You can set security access on that targeter so that it can be deleted or modified only by someone with a Marketer role.
Folders that contain user segments, content groups, or targeters. Controlling access to a folder gives you an efficient way to manage access for all items in that folder. For example, you could have a folder called New Members that contains all the content targeters set up for new site members. Then you could set access rights for that folder so that it can be viewed only by users with a specific role. Note, however, that users may still be able to view an asset contained in a folder by querying for it directly through a search field.
If your Web sites use Merchandising, you can define access control for additional asset types, for example products, SKUs, and pricelists.
You can specify the following access rights for assets:
Access right | Description |
|---|---|
Create | Controls whether a user can create new instances of an asset type. This right cannot be set through the Security tab in the Business Control Center. You can set it only by modifying the ACL in the definition file for the secured repository used to store the assets. By default, the file used for content targeters, user segments, and content groups is |
List | Controls whether this item appears as the result of a query, for example in the Browse tab. In the Default Security Policy, List access is implied if the principal has Read access. |
Read | Allows a user to view (but not edit or delete) the properties of this item. |
Write | Allows a user to edit an item. |
Delete | Allows a user to remove this item from the repository. In Business Control Center terms, this means that the user can add the asset to a project for the purposes of deleting it from the system. |
View Owner | Corresponds to READ-OWNER in the Access Control List. Not currently used in the Business Control Center UI. |
Set Owner | Corresponds to WRITE-OWNER in the Access Control List. Not currently used in the Business Control Center UI. |
View Access Rights | Controls the ability to view the access control list for this item. If a user does not have this access right, the Security tab does not appear. (This access right is automatically granted to the owner of the item.) Corresponds to READ-ACL in the Access Control List. |
Set Access Rights | Controls the ability to change the access rights for this item through the Security tab. (This access right is automatically granted to the owner of the item.) Corresponds to WRITE-ACL in the Access Control List. |
