Oracle Internet File System Setup and Administration Guide Release 1.1 A81197-05
This chapter provides information on setting up user, folder, and document security. Topics include:
Security for all objects, including folders and files, is maintained through Access Control Lists (ACLs) and Access Control Entries (ACEs). An ACL has a name and a set (one or more) of ACEs.
There are four system ACLs for you to apply to your documents and folders. These ACLs cover the most common security needs in most shared environments. The system ACLs are listed and described in the table below.
All objects may have an associated ACL. If no ACL is assigned, the object is PRIVATE (only the owner has full access to it). If a default ACL is specified in a user's Primary User Profile, that ACL is assigned to the new public object created by that user.
Similar to files, ACLs have an ACL associated with them to manage the users who can use them or modify them. System ACLs can be created and modified by system administrators only.
Each ACE is comprised of a:
For each user or group, you need to decide which of the permission bundles will be granted to them. Permission bundles are sets of permissions that are applied to users. The set of permission bundles assigned to a specific user or group is called an Access Control Entry (ACE).
ACLs give you the flexibility to grant the permission bundles your co-workers require while helping to protect your files against accidental modification or unauthorized access.
By setting the permission bundles for an individual or group, you create an Access Control Entry (ACE) in your Access Control List (ACL). It's possible to create a different ACE for every user in your Oracle iFS repository for every file you control, but, in most cases, the standard ACLs that come with Oracle iFS should meet your needs, and the remaining cases can be handled by creating an ACL.
When you define an ACE, the first choice you must make is whether the ACE you're creating is going to grant the permission bundles you select, or revoke them. If you are going to give only a few permission bundles to a selected user or group, choose Grant, and select only the permission bundles that they will be given. If you are going to give the selected user or group general access with only a few restrictions, choose Revoke. Then explicitly grant those permission bundles to the grantee.
A permission bundle is a collection of permissions. Permission bundles are convenient because you do not have to specify the individual permissions. For example, the permission bundle, "All," is a collection of permissions which grants all possible permissions. A permission bundle can be granted to a user or group, or revoked from a user or group. Oracle iFS Manager, the Web interface, and the Windows interface support ACLs and ACEs with permission bundles.
The following table lists the permission bundles used in Oracle iFS and the permissions they contain. The ClassCreate and ClassRestrictedCreation permission bundles are used exclusively for ACLs associated with class objects and are also known as ClassAccessControlLists.
The permissions bundled in the above permission bundles are listed and defined in the table below. "Item" can be either a file or directory, unless stated otherwise.
Oracle iFS only allows the creation of new permission bundles using XML.
Groups and ACLs provide a powerful mechanism for managing access to objects. Assume a group is defined as a grantee in an ACE. If the group membership is changed, either by adding or deleting a member, those changes are reflected automatically in access to the object. If the group is granted permissions on an object and a new member is added to the group, that new member automatically has access to the object on which the group has permission. The order of the ACEs is significant. The ACL is resolved in the order of the ACEs.
Users can also be specified as a grantee in an ACE. For example, suppose the user "jsmith" is a member of the group "ifsdev." The following ACL results in everyone in "ifsdev" having full access, except "jsmith," who cannot delete the object.
Grantee | Permission Bundle | Grant or Revoke
---|---|---
IFSDEV | Read | Grant
JSMITH | Delete | Grant

Note: If the order of the grantees is reversed, the ACL in the example above would resolve to "jsmith" having only DELETE permissions.
Each user has a Primary User Profile. One of the attributes of this profile is a set of default ACLs. These ACLs determine the default ACL associated with all objects the user creates. Default ACLs can be:
Default ACLs are used at the time an object is created, unless the creator specifies a different ACL. The ACL can be changed at any time after the object has been created.
When an object has no ACL, only the owner and the administrator have access to it. Therefore, it is strongly recommended that a Primary User Profile with the default ACLs specified be created for each user. Creating a user with Oracle iFS Manager, the Web interface, or XML creates a user profile with the following default ACLs:
If you want to create a batch of ACLs, use the Create Like option. This creates an ACL similar to an existing ACL, which you can then customize. To apply an ACL to a file or folder, use the Web or the Windows interface.
Note: You do not need administrative permissions to define ACLs; therefore, users can also define ACLs.
To create a custom ACL:
Each of the users or groups you selected can have a separate set of ACEs associated with it. For each, select Grant to grant the permission bundles you select. If Grant is not selected, the permission bundles you select are revoked from that user or group. Scroll right to see all of the available permission bundles.
For more information on creating and applying ACLs, see "Using the Windows Interface to Apply an ACL".
To modify ACLs, use the Detail View on the Oracle iFS Manager. To display the ACL you want to modify:
To delete an ACL, select the ACL to be deleted and do one of the following:
Confirm the delete operation by selecting Yes in the confirmation dialog box.
To apply an ACL to a file or folder:
A success message displays to tell you that the ACL has been applied to the items.
To apply an ACL to a file or folder:
Click Apply or OK to associate the ACL with the file or folder.
Through XML, you can create an ACL using the existing permission bundles. In addition, you can also create your own custom permission bundle. Once you have created your own permission bundle, you can use Oracle iFS Manager, the Web interface, or XML to create ACLs using the custom permission bundle.
To create your own custom permission bundle:
```xml
<PermissionBundle>
  <Name>MyPermissionBundle</Name>
  <AccessLevel>
    <Discover>true</Discover>
    <GetContent>true</GetContent>
    <SetContent>false</SetContent>
  </AccessLevel>
</PermissionBundle>
```
To create an ACL using the custom permission bundle:
```xml
<AccessControlList>
  <Name>MyAcl</Name>
  <Description>Custom ACL using custom permission bundle</Description>
  <ACEs>
    <AccessControlEntry>
      <Grantee classname="directorygroup" Reftype="name">ifsdev</Grantee>
      <Active>true</Active>
      <Granted>true</Granted>
      <PermissionBundles>
        <PermissionBundle Reftype="name">MyPermissionBundle</PermissionBundle>
      </PermissionBundles>
    </AccessControlEntry>
  </ACEs>
</AccessControlList>
```
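As an added example (not Oracle iFS code), the following Python parses the permission-bundle and ACL XML shape shown above and resolves a user's effective permissions by walking the ACEs in order, as described in the section on groups and ACE ordering; it also shows that reversing the ACE order changes the outcome. The XML samples, the classname `directoryuser`, and the `GROUPS` directory are constructed assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the XML shape shown above (not the page's own table).
BUNDLES_XML = """<PermissionBundles><PermissionBundle><Name>ReadWrite</Name>
 <AccessLevel><Discover>true</Discover><GetContent>true</GetContent>
  <SetContent>true</SetContent><Delete>true</Delete></AccessLevel></PermissionBundle>
 <PermissionBundle><Name>Delete</Name><AccessLevel><Delete>true</Delete></AccessLevel>
 </PermissionBundle></PermissionBundles>"""

# Constructed ACL: grant ReadWrite to group ifsdev, then revoke Delete from jsmith.
ACL_XML = """<AccessControlList><Name>TeamAcl</Name><ACEs><AccessControlEntry>
 <Grantee classname="directorygroup" Reftype="name">ifsdev</Grantee>
 <Active>true</Active><Granted>true</Granted><PermissionBundles>
 <PermissionBundle Reftype="name">ReadWrite</PermissionBundle></PermissionBundles>
 </AccessControlEntry><AccessControlEntry>
 <Grantee classname="directoryuser" Reftype="name">jsmith</Grantee>
 <Active>true</Active><Granted>false</Granted><PermissionBundles>
 <PermissionBundle Reftype="name">Delete</PermissionBundle></PermissionBundles>
 </AccessControlEntry></ACEs></AccessControlList>"""

GROUPS = {"ifsdev": {"jsmith", "alee"}}  # hypothetical stand-in for the iFS directory

def load_bundles(xml_text):
    """Map bundle name -> set of permissions whose AccessLevel flag is true."""
    bundles = {}
    for pb in ET.fromstring(xml_text).iter("PermissionBundle"):
        bundles[pb.findtext("Name").strip()] = {
            p.tag for p in pb.find("AccessLevel") if (p.text or "").strip() == "true"}
    return bundles

def load_aces(xml_text):
    """Return ACEs in document order, which is the order the ACL is resolved in."""
    aces = []
    for ace in ET.fromstring(xml_text).iter("AccessControlEntry"):
        g = ace.find("Grantee")  # page shows only directorygroup; anything else = a user
        aces.append({"grantee": g.text.strip(),
                     "is_group": g.get("classname", "").lower() == "directorygroup",
                     "active": ace.findtext("Active", "true").strip() == "true",
                     "granted": ace.findtext("Granted", "true").strip() == "true",
                     "bundles": [b.text.strip() for b in ace.iter("PermissionBundle")]})
    return aces

def resolve(user, aces, bundles, groups):
    """Walk ACEs in order: grant adds, revoke removes, so a later ACE wins a conflict."""
    perms = set()
    for ace in aces:
        member = user in groups.get(ace["grantee"], ()) if ace["is_group"] else user == ace["grantee"]
        if ace["active"] and member:
            for name in ace["bundles"]:
                perms = perms | bundles[name] if ace["granted"] else perms - bundles[name]
    return perms
```

Calling `resolve("jsmith", load_aces(ACL_XML), load_bundles(BUNDLES_XML), GROUPS)` yields everything in ReadWrite except Delete, while passing the ACEs reversed gives jsmith Delete as well, which is the ordering effect the note above warns about.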
Copyright © 2000 Oracle Corporation. All Rights Reserved.