ACL strings in Oracle ATG Web Commerce are made up of a series of Access Control Entries (ACEs) separated from each other by semicolons:

ACL ::= ACE [ ';' ACE ]+

Each ACE is made up of colon-delimited parts:

These can be surrounded by an ACE type specifier that determines whether the ACE grants or denies rights:

ACE ::= (
  ( IDENTITY ':' ACCESS_RIGHTS_LIST ) |
  ( ( "grant" | "deny" ) '{' IDENTITY ':' ACCESS_RIGHTS_LIST '}' )
)

The "grant" modifier is the default, and can be omitted. If a "deny" ACE exists where a "grant" ACE also applies, the standard security policy denies access.

An identity is the literal string used by the User Authority to look up the identity’s Persona. The standard User Authority (/atg/dynamo/security/UserAuthority in Nucleus) encodes the identity as follows:

UD_IDENTITY ::= UD-name '$' principal-type '$' UD-principal-key

where:

Oracle ATG Web Commerce comes configured with three other User Authorities:

These user authorities look up Persona information based on the unencoded name of the identity and are typically used for performing authentication. They are, however, front-ends for the standard User Authority and produce Personae that are equivalent to those produced by the standard User Authority. (Note the caveat regarding the mixing of User Authorities in the Create the Secured Repository Definition File: ACLs and Personae topic.)

The list of access rights is a comma-separated list of access right names:

access-right-list ::= access-right [ ',' access-right ]+
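As an added example (not Oracle's code and not ATG's own ACL parser), the following Python module parses ACL strings according to the grammar above: the ACE list split on ';', the optional grant{...}/deny{...} wrapper, the UD_IDENTITY encoding split on '$', and the comma-separated access-right list. It also implements the resolution rule stated earlier, that a matching "deny" ACE overrides any matching "grant" ACE. The sample ACL string and identity values are constructed for illustration; the module assumes that a subject can be represented as the set of identity strings its Personae match, that principal keys contain no '$', and that identities and right names contain none of the ':' ',' ';' delimiters.

```python
"""Parser and resolver for ATG-style ACL strings (added example, not ATG code)."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ACE:
    """One Access Control Entry: identity, its rights, and grant (True) or deny (False)."""
    identity: str
    rights: List[str]
    grant: bool = True


@dataclass
class UDIdentity:
    """Decoded form of UD_IDENTITY ::= UD-name '$' principal-type '$' UD-principal-key."""
    ud_name: str
    principal_type: str
    principal_key: str


def parse_ud_identity(identity: str) -> UDIdentity:
    """Split an identity encoded by the standard User Authority into its three parts.
    Assumes (constructed simplification) that the principal key itself contains no '$'."""
    parts = identity.split("$")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a UD-encoded identity: {identity!r}")
    return UDIdentity(parts[0], parts[1], parts[2])


def parse_ace(text: str) -> ACE:
    """Parse IDENTITY ':' RIGHTS or ("grant"|"deny") '{' IDENTITY ':' RIGHTS '}'."""
    text = text.strip()
    grant = True
    for keyword in ("grant", "deny"):
        rest = text[len(keyword):].lstrip()
        # Only treat the keyword as a modifier when a '{' follows it; an identity
        # that merely starts with the letters "grant" is left alone.
        if text.startswith(keyword) and rest.startswith("{"):
            if not rest.endswith("}"):
                raise ValueError(f"unterminated {keyword} block: {text!r}")
            text = rest[1:-1].strip()
            grant = keyword == "grant"
            break
    # Rights never contain ':', so split at the last colon (identity keys might).
    identity, sep, rights_text = text.rpartition(":")
    if not sep or not identity.strip():
        raise ValueError(f"ACE needs IDENTITY ':' ACCESS_RIGHTS_LIST: {text!r}")
    rights = [r.strip() for r in rights_text.split(",") if r.strip()]
    if not rights:
        raise ValueError(f"ACE has an empty access-right list: {text!r}")
    return ACE(identity.strip(), rights, grant)


def parse_acl(acl: str) -> List[ACE]:
    """Parse ACL ::= ACE [ ';' ACE ]+ into a list of ACEs (empty entries are skipped)."""
    return [parse_ace(chunk) for chunk in acl.split(";") if chunk.strip()]


def check_access(acl: Iterable[ACE], subject_identities: Iterable[str], right: str) -> bool:
    """Standard-policy resolution: access is granted only if some applicable ACE grants
    the right and no applicable ACE denies it. The subject is modelled (constructed
    simplification) as the set of identity strings its Personae correspond to."""
    identities = set(subject_identities)
    granted = False
    for ace in acl:
        if ace.identity in identities and right in ace.rights:
            if not ace.grant:
                return False  # a deny always wins over any grant
            granted = True
    return granted


# Constructed sample ACL: a role gets read/write, one user is explicitly denied write,
# and a second role may only list.
SAMPLE_ACL = (
    "Profile$role$100000:read,write;"
    "deny{Profile$user$42:write};"
    "Profile$role$100001:list"
)

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_ACL):
        ud = parse_ud_identity(ace.identity)
        print(("grant" if ace.grant else "deny "), ud, ace.rights)
    print(check_access(parse_acl(SAMPLE_ACL), {"Profile$role$100000", "Profile$user$42"}, "write"))
```

Running the module prints each decoded ACE followed by the resolution for a subject that is both a member of role 100000 and user 42: the role grants write but the user-level deny overrides it, so the final line is False.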