Secured repositories provide the following control features:

Feature

Description

Control access to repository item descriptors

Control who can create, add, remove, and query items defined by an item descriptor; similar to controlling access to a whole database table.

Control access to individual repository items

Control who can read, write, destroy, and query a repository item.; similar to controlling access to a single database row.

Control access to properties of all repository items in a repository item descriptor

Control who can read or write a property in any repository item defined by an item descriptor; similar to controlling access to a database table column.

A default ACL can be assigned to all items in the item descriptor that lack an explicit ACL.

Control access to properties of an individual repository item

Control who can read or write a particular property in a repository item; similar to controlling the field of a database table row.

An ACL that is assigned to a property overrides the ACL that is specified for that property in the item descriptor definition.

Limit query results

Control who can receive repository items that are returned by a repository query.

Set ownership of a repository item

At creation time, the current user is assigned as the owner of the new repository item. The owner can query a repository item and modify its ACL; otherwise this is simply an association of an identity to an Item.

Automatically generate ACLs for new repository items

When a repository item is created, it is assigned an ACL that is constructed out of an ACL fragment and a template for the creator/owner (creator) and each group the owner belongs to.

These features are configured according to the needs of your application. Some features require additional storage in the underlying repository, or can have a significant impact on performance (see Performance Considerations later in this chapter). Consequently, you should only enable those features that the application requires.

Access rights

Access to secured repositories is managed by building ACLs that associate certain access rights with certain identities—individual users, as well as groups, organizations, and roles that are associated with multiple users. The following table lists access rights that apply to the secured repository system.

Note: Not all access rights are available in all implementations or instances of a secured repository.

Action/targets

Access right

CREATE RepositoryItem
Descriptor

Create a repository item with an item descriptor.

Note: Adding a new item to the repository also requires WRITE access to the same RepositoryItemDescriptor.

DELETE RepositoryItem
Descriptor

Remove items of this RepositoryItemDescriptor type.

Note: Deleting an item also requires DESTROY access to that Item.

DESTROY RepositoryItem

Remove the repository item from the repository and destroy its contents.

Note: Most secured repositories also require DELETE access to the item’s RepositoryItemDescriptor.

LIST RepositoryItem

Query a repository item. LIST access is required in order for queries to return this repository item. An item’s owner implicitly has LIST access.

READ RepositoryItemDescriptor
RepositoryItem
Property

Enable read access to items of this RepositoryItemDescriptor type; or to the specified repository item; or to the specified item property.

READ_ACL
RepositoryItem

Inspect the ACL of a repository item. This access right is implicitly granted to the repository item’s owner.

READ_OWNER
RepositoryItem

Inspect the owner of a repository item.

WRITE
RepositoryItemDescriptor
RepositoryItem
Property

Enable addition of items of this RepositoryItemDescriptor type; or updates to the contents of the specified repository item or the specified item property.

Note: WRITE access to an item descriptor only enables addition of repository items; it does not allow updates to repository items.

WRITE_ACL
RepositoryItem

Change the ACL of a repository item. This access right is implicitly granted to the repository item’s owner.

WRITE_OWNER
RepositoryItem

Change the owner of a repository item.

Note: Securing a repository does not provide complete security within an application: the unprotected repository that it overlays is still available within the Nucleus name space, so it remains available to developers. The Oracle ATG Web Commerce Control Center can be configured to hide unprotected repositories, and an application can choose not to use an unprotected repository, so as not to expose unprotected data to end users.


Copyright © 1997, 2013 Oracle and/or its affiliates. All rights reserved. Legal Notices