Example - NT Security
This example explains the format of an NT-style ACL, describes the security checks performed against the ACL, and then shows how NT security would be configured using the Generic security type.
The ACL is a string of text that specifies who is allowed to view a document. An NT ACL looks like this:
0:U:<users>:G:<groups>:NU:<nousers>:NG:<nogroups>
The ACL begins with a 0 or a 1 (the Everyone flag) and is followed by four sections:
U | Allowed users |
G | Allowed groups |
NU | Disallowed users |
NG | Disallowed groups |
The <users>, <groups>, <nousers>, and <nogroups> sections each hold comma-separated lists of encrypted strings. Each encrypted string holds a username or the name of a group.
When the ACL is processed by IDOL, the disallowed users and groups are always given priority. A user is not allowed to view a document if they are in the list of disallowed users (NU) or if they belong to a group in the list of disallowed groups (NG).
If the user has not been explicitly denied access, the rest of the ACL determines whether they are granted access to a document. If the Everyone flag is 0 they are granted access only if their user name appears in the list of allowed users (U), or if they are in a group that appears in the list of allowed groups (G). If the Everyone flag is 1 the user is granted access, regardless of whether they appear in those lists (U or G).
This process is represented by the following diagram:
In the following example ACL, user1 and user2 are permitted to view the document; user3 is not permitted to view the document. No access rights for any groups are specified:
0:U:user1,user2:G::NU:user3:NG:
The ACL string must be complete and well-formed. For example, even when no allowed groups are specified the string element G:: must appear in the correct place.
In the IDOL Server configuration file, to configure NT security through the Generic Security Module, the content security section would contain:
Type=AUTONOMY_SECURITY_V4_GENERIC_MAPPED
SecurityACLFormat=<E=B!>:U:<U=SLE+>:G:<G=SLE+>:NU:<NU=SLE->:NG:<NG=SLE->
SecurityACLCheck=NU=[DU]?F:-,NG=[DG]?F:-,E=1?P:-,U=[DU]?P:-,G=[DG]?P:F
NOTE: SLE+ in the example indicates that ACL field U is an Encrypted String List of Positive terms.
The comma-separated values in the SecurityACLCheck parameter are explained in the following table:
NU=[DU]?F:- | Compare ACL field disallowed users (NU) to the user (DU). Deny access (F) if there is a match, otherwise continue (-). |
NG=[DG]?F:- | Compare ACL field disallowed groups (NG) to each of the user's group memberships (DG). Deny access (F) if there is a match, otherwise continue (-). |
E=1?P:- | Compare ACL field everyone (E) to 1. Allow access (P) if matched, otherwise continue (-). |
U=[DU]?P:- | Compare ACL field allowed users (U) to the user (DU). Allow access (P) if matched, otherwise continue (-). |
G=[DG]?P:F | Compare ACL field allowed groups (G) to each of the user's group memberships (DG). Allow access (P) if matched, otherwise deny access (F). |
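The evaluation order described above and encoded in SecurityACLCheck, as an added Python example (not IDOL code and not part of the original documentation): it parses the ACL string and applies the five checks in sequence. The function names are hypothetical, plaintext names stand in for the encrypted strings, and denying access on a malformed ACL is this example's choice rather than documented IDOL behaviour.

```python
import re

# Shape from the page: <E>:U:<users>:G:<groups>:NU:<nousers>:NG:<nogroups>
# Every section label must be present, even with an empty list (e.g. "G::").
_ACL_RE = re.compile(r"([01]):U:([^:]*):G:([^:]*):NU:([^:]*):NG:([^:]*)")


def parse_acl(acl):
    """Split an NT-style ACL into its Everyone flag and four name sets.

    Assumption: names are plaintext here; a real ACL holds encrypted strings.
    """
    m = _ACL_RE.fullmatch(acl)
    if m is None:
        raise ValueError(f"malformed ACL: {acl!r}")
    u, g, nu, ng = (frozenset(n for n in part.split(",") if n)
                    for part in m.groups()[1:])
    return {"E": m.group(1), "U": u, "G": g, "NU": nu, "NG": ng}


def is_allowed(acl, user, groups=()):
    """Apply the five checks in the order SecurityACLCheck lists them."""
    try:
        a = parse_acl(acl)
    except ValueError:
        return False                  # assumption of this example: fail closed
    groups = set(groups)
    if user in a["NU"]:               # NU=[DU]?F:-  deny, else continue
        return False
    if groups & a["NG"]:              # NG=[DG]?F:-  deny, else continue
        return False
    if a["E"] == "1":                 # E=1?P:-      allow, else continue
        return True
    if user in a["U"]:                # U=[DU]?P:-   allow, else continue
        return True
    return bool(groups & a["G"])      # G=[DG]?P:F   allow, else deny


if __name__ == "__main__":
    SAMPLE = "0:U:user1,user2:G::NU:user3:NG:"   # example ACL from the page
    for name in ("user1", "user2", "user3", "user4"):
        print(name, is_allowed(SAMPLE, name))
```
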