ACL strings in the Oracle Commerce Platform are made up of a series of Access Control Entries (ACEs) separated from each other by semicolons:
ACL ::= ACE [ ';' ACE ]+
Each ACE is made up of colon-delimited parts:
Identity
List of access rights
These can be surrounded by an ACE type specifier that determines whether the ACE grants or denies rights:
ACE ::= (
( IDENTITY ':' ACCESS_RIGHTS_LIST ) |
( ( "grant" | "deny" ) '{' IDENTITY ':' ACCESS_RIGHTS_LIST '}' )
)
The "grant" modifier is the default, and can be omitted. If a "deny" ACE exists where a "grant" ACE also applies, the standard security policy denies access.
An identity is the literal string used by the User Authority to look up the identity's Persona. The standard User Authority (/atg/dynamo/security/UserAuthority in Nucleus) encodes the identity as follows:
UD_IDENTITY ::= UD-name '$' principal-type '$' UD-principal-key '$' partition-type '$' partition-id
where:
UD-name (Admin for the ACC account database, or Profile for the Profile Repository)
principal-type (user, org or role)
UD-principal-key is the primary key for looking up the principal in the User Directory. The primary key varies among User Directory implementations. The primary key is a numeric ID for Profile User Directories, but is the account name (for example, admin, administrators-group) for the ACC account User Directory.
partition-type is an optional element that specifies whether the principal key is unique to a site or a profile realm. Include one of the values: site or profileRealm. See information about sites and profile realms in the Multisite Administration Guide.
partition-id is an optional identifier of the site or profile realm.
The Oracle Commerce Platform comes configured with three other User Authorities:
/atg/dynamo/security/AdminUserAuthority for looking up ACC accounts
/atg/userprofiling/ProfileUserAuthority for looking up Profile accounts
/atg/dynamo/service/j2ee/J2EEUserAuthority for looking up J2EE accounts and roles.
These user authorities look up Persona information based on the unencoded name of the identity and are typically used for performing authentication. They are, however, front-ends for the standard User Authority and produce Personae that are equivalent to those produced by the standard User Authority. (Note the caveat regarding the mixing of User Authorities in the Create the Secured Repository Definition File: ACLs and Personae topic.)
The list of access rights is a comma-separated list of access right names:
access-right-list ::= access-right [ ',' access-right ]+
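The grammar above and the deny-over-grant rule can be exercised with a small parser, useful when auditing ACL strings for malformed entries or unintended grants. This is an added example, not Oracle's code. It assumes that a single-ACE ACL is accepted, that partition-type and partition-id appear together or not at all, and that an identity with no matching ACE gets no access; the sample ACL, keys and right names are constructed.

```python
import re
from typing import NamedTuple, Optional

class Identity(NamedTuple):
    ud_name: str                          # e.g. Admin or Profile
    principal_type: str                   # user, org or role
    key: str                              # primary key in the User Directory
    partition_type: Optional[str] = None  # site or profileRealm
    partition_id: Optional[str] = None

class Ace(NamedTuple):
    deny: bool
    identity: str
    rights: frozenset

def parse_identity(text):
    """Split a '$'-delimited identity and validate its fixed vocabularies."""
    parts = text.split("$")
    if len(parts) not in (3, 5) or not all(parts):
        raise ValueError(f"malformed identity: {text!r}")
    if parts[1] not in ("user", "org", "role"):
        raise ValueError(f"unknown principal type: {parts[1]!r}")
    if len(parts) == 5 and parts[3] not in ("site", "profileRealm"):
        raise ValueError(f"unknown partition type: {parts[3]!r}")
    return Identity(*parts)

def parse_acl(acl):
    """Parse 'ACE;ACE;...' where an ACE may be wrapped in grant{...} or deny{...}."""
    aces = []
    for raw in acl.split(";"):
        raw = raw.strip()
        wrapped = re.fullmatch(r"(grant|deny)\s*\{(.*)\}", raw)
        deny = bool(wrapped) and wrapped.group(1) == "deny"  # grant is the default
        body = wrapped.group(2) if wrapped else raw
        identity, sep, rights = body.rpartition(":")
        names = [r.strip() for r in rights.split(",")]
        if not sep or not identity.strip() or not all(names):
            raise ValueError(f"malformed ACE: {raw!r}")
        aces.append(Ace(deny, identity.strip(), frozenset(names)))
    return aces

def is_allowed(aces, identities, right):
    # Assumption: no matching ACE means no access; any matching deny wins.
    hits = [a for a in aces if a.identity in identities and right in a.rights]
    return bool(hits) and not any(a.deny for a in hits)

# Constructed sample ACL; identities and right names are illustrative.
SAMPLE_ACL = ("Admin$user$admin:read,write;Profile$role$1001:read;"
              "deny{Profile$user$2002:write};"
              "grant{Profile$org$3003$site$storeA:read}")
```

Here `identities` stands for the set of encoded identity strings held by the caller (the user plus any roles and organizations), which is a simplification of how Personae are resolved.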