A security policy determines whether a user has access to a particular object. In an Oracle ATG Web Commerce application, the standard security policy is in Nucleus at /atg/dynamo/security/SecurityPolicy. This instance of the atg.security.StandardSecurityPolicy object provides the following policy:
If no ACL is defined for an object, access is allowed.
If the accessor is the owner of an object, access is allowed if the desired access privilege is
LIST,READ_ACL, orWRITE_ACL. This approach makes the object’s security information modifiable if the ACL become corrupted.If the ACL for the object has a
deny(or negative) access privilege that applies to the user, access is denied even if other permissions are positive.If the ACL for the object has an
allow(or positive) access privilege that applies to the user, access is allowed as long as there is not a correspondingdeny.If no ACL entries apply to the user, access is denied.
Note: This policy differs slightly from the java.security.acl policy, where a combination of positive and negative ACL entries with the same Principal negate each other, providing no change to the access control for that Principal. This differentiation is deliberate; in no case should an explicit deny access control entry be ignored.
