The individual authorization role sections contain settings that define the authorization role.
You must create a subsection for each authorization role that you define in the [AuthorizationRoles] configuration section.
This configuration gives you more flexible control over user authorization and permissions than AdminClients, QueryClients, and so on. You define the permissions that a particular role has by using StandardRoles, or by specifying the Actions and ServiceActions that you want the role to be able to use. You define the users that belong to a particular role by using Clients, GSSPrincipals, and SSLIdentities.
If a connection matches one of the allowed clients, principals, or SSL identities, it has permission to perform the operations allowed by the role.
For example:
[AuthorizationRoles]
0=AdminRole
1=IDOLUserRole
2=StatusOnlyRole

[AdminRole]
StandardRoles=Admin,ServiceControl
Clients=localhost
SSLIdentities=admin.example.com
GSSPrincipals=CONTENT01/admin.example.com@EXAMPLE.COM

[IDOLUserRole]
StandardRoles=User,ServiceStatus
SSLIdentities=admin.example.com,userserver.example.com
GSSPrincipals=CONTENT01/admin.example.com@EXAMPLE.COM,CONTENT02/userserver.example.com@EXAMPLE.COM

[StatusOnlyRole]
ServiceActions=GetStatus
SSLIdentities=general.example.com
You can use the ShowPermissions action to check the permissions for a user.
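For reviewing a configuration offline before deployment, the following added example (not part of the product or its documentation) parses role sections like those above, reports roles listed in [AuthorizationRoles] that have no subsection, and shows which roles and permissions an identity would receive. It assumes exact string matching of identities and that permissions from several matching roles add up; the function names and the AuditRole entry are hypothetical.

```python
import configparser
# Constructed sample: the example above plus AuditRole, listed but never defined.
SAMPLE = """\
[AuthorizationRoles]
0=AdminRole
1=IDOLUserRole
2=StatusOnlyRole
3=AuditRole
[AdminRole]
StandardRoles=Admin,ServiceControl
Clients=localhost
SSLIdentities=admin.example.com
GSSPrincipals=CONTENT01/admin.example.com@EXAMPLE.COM
[IDOLUserRole]
StandardRoles=User,ServiceStatus
SSLIdentities=admin.example.com,userserver.example.com
GSSPrincipals=CONTENT01/admin.example.com@EXAMPLE.COM,CONTENT02/userserver.example.com@EXAMPLE.COM
[StatusOnlyRole]
ServiceActions=GetStatus
SSLIdentities=general.example.com
"""
IDENTITY_KEYS = ("Clients", "SSLIdentities", "GSSPrincipals")
PERMISSION_KEYS = ("StandardRoles", "Actions", "ServiceActions")

def load_roles(text):
    """Return ({role: {key: [values]}}, [roles listed without a subsection])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (assumes the spelling used above)
    cp.read_string(text)
    listed = [name.strip() for _, name in cp.items("AuthorizationRoles")]
    roles = {name: {k: [v.strip() for v in val.split(",") if v.strip()]
                    for k, val in cp.items(name)}
             for name in listed if cp.has_section(name)}
    return roles, [n for n in listed if n not in roles]

def roles_for(roles, **identity):
    """Roles whose Clients/SSLIdentities/GSSPrincipals list contains a given value."""
    # Assumption: exact string comparison; the server's own matching may differ.
    return [name for name, cfg in roles.items()
            if any(identity.get(k) in cfg.get(k, []) for k in IDENTITY_KEYS)]

def effective_permissions(roles, **identity):
    """Union of the permission settings of every role the connection matches."""
    out = {}
    for name in roles_for(roles, **identity):
        for k in PERMISSION_KEYS:
            if roles[name].get(k):
                out[k] = sorted(set(out.get(k, [])) | set(roles[name][k]))
    return out
```

Here `admin.example.com` appears in both AdminRole and IDOLUserRole, so a review should confirm that the overlap is intended.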