In order to secure a repository item descriptor, create a property that stores the ACL for that item. In order to define an owner for an item type, also create a property that stores the owner’s name. For example:

<item-descriptor name="cheese">
  <property name="country" data-type="string" />
  <property name="runniness" data-type="int" />
  <property name="ACL" data-type="string" />
  <property name="cheeseOwner" component-type="user" />

The properties that you add to the underlying repository are identified in the secured repository definition file by these two tags:

<owner-property name="value"/>
<acl-property name="

For example, given the previous example, you update the secured repository’s item-descriptor definition as follows:

<acl-property name="ACL" />
<owner-property name="cheeseOwner" />
ACL property length constraints

The length of an ACL is limited by the amount of space available in the ACL property that is defined in the unsecure (underlying) repository. An overlong ACL generates a repository exception when it is set. This problem can occur when you use the create-group-acl-template in the secured repository definition to define an ACL for the owner’s group, and the owner belongs to many groups.

To avoid this problem, define the ACL property as an array of strings, so the ACL is concatenated from the stored substrings. For example:

<item-descriptor name="cheese">
  <table name="test_items_acls"
    <property name="ACL" column-names="acl" data-type="array"
      <attribute name="maxFragmentSize" value="254"/>

The maxFragmentSize attribute sets the maximum length of a string in any array index. The default value is 254. Set maxFragmentSize to the size of the database string column. For many databases, 254 is the appropriate value for a VARCHAR of unspecified length.