2017 June Release

Defining an access control listPermanent link for this heading

Syntax

acl reference {
  ace {

    audience = {

    };

    rights = [];

  }

}


Access control lists (ACLs) are used to specify the access rights of a user to a given object. An access control list can assign different lists of access types to different user groups. In these user groups the users belonging to this group are specified by their relation to the current object, their position in the current organization or their location in the Fabasoft Folio domain network.

Note: Software component COOSYSTEM@1.1 already provides a set of access control lists that can be reused for protecting your properties and use cases.

The acl keyword is used to define an access control list. It must be followed by a reference and curly braces.

Within an acl block, there is a sequence of aces, specifying a unique set of access rights to a list of user groups, called audiences. In the resulting access control list there is a line for each user group and the specified access types.

Each audience entry can define something that depends on the user, on a group the user belongs to and on the domain where the user is located. These three possibilities of specifying the user are modelled with the keywords user, group and domain. For each of these keywords, there are different possibilities to define the fitting user group.

If one or more of the keywords are omitted, the line is filled up with default values.

A user can be specified with

  • ACLUSER_NORMAL: default
  • ACLUSER_OWNER: The user is the owner of the object
  • <Position>: the user currently holds the specified position
  • <attrdef>{.<attrdef>}: an attribute path to a list of authorized users

A group can be specified with

  • ACLGROUP_NORMAL: default
  • ACLGROUP_OWNER: the user belongs to the objowngroup
  • <OrgUnitType>: the user currently is member of the group with the type <OrgUnitType>
  • <attrdef>{.<attrdef>}: an attribute path to a list of authorized groups
  • A group can be further refined by adding one of the lines
  • if parent: the current group of the user is a parent group of the own group of the object
  • if child: the current group of the user is a child group of the own group of the object
  • and parents: the user is member of the given group or a parent group of this group
  • and children: the user is member of the given group or a child group of this group

A domain can be specified with

  • ACLDOMAIN_NORMAL: default
  • ACLDOMAIN_OBJECT: the user belongs to the domain of the object
  • ACLDOMAIN_OWNER: the user belongs to the domain of the owner
  • <DomainType>: the current domain is of the specified domain type
  • <attrdef>{.<attrdef>}: an attribute path to a list of authorized domains

Example

orgmodel APPDUCXSAMPLE@200.200
{
  import COOSYSTEM@1.1;

  acl SampleACL {
    ace {

      audience = {

         user SysAdm;

      };

      rights = [AccTypeRead, AccTypeChange];

    }

    ace {

      audience = [

        {

           user ACLUSER_DEFAULT;

           group ACLGROUP_OWNER if parent;

           domain ACLDOMAIN_DEFAULT;

        },

        {

        }

      ];

      rights = [AccTypeRead];

    }

  }
}

Audience elements can also be declared as constants and reused in all ACLs.

Example

orgmodel APPDUCXSAMPLE@200.200
{
  import COOSYSTEM@1.1;

  const audience[] AdministrationAudience = {

    user = SyAdm;

  }

  acl SampleACL {
    ace {

      audience = AdministrationAudience;

      rights = [AccTypeRead, AccTypeChange];

    }

  }
}