Access Control for Connection Services
The connection access control section in the ACL properties file contains access control rules for the broker’s connection services. The syntax of connection access control rules is as follows:
connection.resourceVariant. access.principalType= principals
Two values are defined for resourceVariant: NORMAL and ADMIN. These predefined values are the only types of connection services to which you can grant access.
The default ACL properties file gives all users access to NORMAL connection services and gives users in the group admin access to ADMIN connection services:
connection.NORMAL.allow.user=* connection.ADMIN.allow.group=admin
If you are using a file-based user repository, the default group admin is created by the User Manager utility. If you are using an LDAP user repository, you can do one of the following to use the default ACL properties file:
-
Define a group called admin in the LDAP directory.
-
Replace the name admin in the ACL properties file with the names of one or more groups that are defined in the LDAP directory.
You can restrict connection access privileges. For example, the following rules deny Bob access to NORMAL but allow everyone else:
connection.NORMAL.deny.user=Bob connection.NORMAL.allow.user=*
You can use the asterisk (*) character to specify all authenticated users or groups.
The way that you use the ACL properties file to grant access to ADMIN connections differs for file-based user repositories and LDAP user repositories, as follows:
-
File-based user repository
-
If access control is disabled, users in the group admin have ADMIN connection privileges.
-
If access control is enabled, edit the ACL file. Explicitly grant users or groups access to the ADMIN connection service.
-
- © 2010, Oracle Corporation and/or its affiliates