test

Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Authorization Statements

Each ACL entry can include one or more authorization statements. Authorization statements specify who is allowed or denied access to a server resource.

Writing Authorization Statements

Use the following syntax when writing authorization statements:

allow|deny [absolute] (right[,right...]) attribute expression;

Start each line with either allow or deny. Because of the hierarchy of rules, deny access to everyone in the first rule and then specifically allow access for users, groups, or computers in subsequent rules. For example, if you allow anyone access to a directory called /my_files, and allow a few users access to the subdirectory /my_files/personal, the access control on the subdirectory will not work because anyone allowed access to the /my_files directory will also be allowed access to the /my_files/personal directory. To prevent this, create a rule for the subdirectory that first denies access to anyone, and then allows access for the few users who need it.

In some cases, however, if you set the default ACL to deny access to everyone, your other ACL rules do not need a “deny all” rule.

The following line denies access to everyone:

deny (all) user = "anyone";

Hierarchy of Authorization Statements

The hierarchy in ACLs depends on the resource. When the server receives a request for a specific resource, it builds a list of ACLs that apply for that resource. The server first adds named ACLs listed in check-acl statements of its obj.conf file. It then appends matching path and resource ACLs. This list is processed in the same order. Unless “absolute” ACL statements are present, all statements are evaluated in order. If an “absolute allow” or “absolute deny” statement evaluates to “true,” the server stops processing and accepts this result.

If more than one ACL matches, the server uses the last statement that matches. However, if you use an absolute statement, then the server stops looking for other matches and uses the ACL containing the absolute statement. If you have two absolute statements for the same resource, the server uses the first statement in the file and stops looking for other resources that match.


version 3.0;acl "default";authenticate (user,group)
	{ prompt="iPlanet Web Proxy Server";};
	allow (read,execute,list,info) user = "anyone";
	allow (write,delete) user = "all";acl "http://*.*";
	deny (all) user = "anyone";allow (all) user = "joe";

Attribute Expressions

Attribute expressions define who is allowed or denied access based on their user name, group name, host name, or IP address. The following lines provide examples show how access might be granted to different people or computers:

You can also restrict access to your server by time of day based on the local time on the server by using the timeofday attribute. For example, you can use the timeofday attribute to restrict access to certain users during specific hours.

Use 24-hour time to specify times, such as 0400 to specify 4:00 a.m. or 2230 for 10:30 p.m. The following example restricts access to a group of users called guests between 8:00 a.m. and 4:59 p.m.

allow (read) (group="guests") and (timeofday<0800 or timeofday=1700);

You can also restrict access by day of the week. Use the following three-letter abbreviations to specify days of the week: Sun, Mon, Tue, Wed, Thu, Fri, and Sat.

The following statement allows access for users in the premium group any day and any time. Users in the discount group have access all day on weekends, and anytime on weekdays except 8 a.m. through 4:59 p.m.

allow (read) (group="discount" and dayofweek="Sat,Sun") or (group="discount" and (dayofweek="mon,tue,wed,thu,fri" and(timeofday<0800 or timeofday=1700)))or (group="premium");

Operators for Expressions

Various operators can be used in attribute expressions. Parentheses delineate the operator order of precedence. The following operators can be used with user, group, dns, and ip:

The following operators can be used with timeofday and dayofweek: