Access Control Lists
An Access Control List (ACL) is a string of text that specifies who is allowed to view a document. Connectors can add an ACL to a document field, usually AUTONOMYMETADATA, for every document that is ingested.
NOTE: This section describes an "NT Style" ACL, which is used in conjunction with the IDOL security type AUTONOMY_SECURITY_V4_NT_MAPPED. This type of ACL is appropriate much of the time. Different ACL formats are used with different IDOL security types.
A typical ACL might look like this:
The ACL begins with a 0 or a 1 (the Everyone flag) and is followed by four sections, each introduced by its label:
U  | Allowed users
G  | Allowed groups
NU | Disallowed users
NG | Disallowed groups
Each section holds a comma-separated list of strings, and each string holds a username or the name of a group. The strings are normally encrypted (see the EncryptAclEntries setting under Sample Code).
When IDOL interprets the ACL, the disallowed users and groups always take priority. A user is denied access to a document if their username appears in the list of disallowed users (NU) or if they belong to any group in the list of disallowed groups (NG), regardless of what the rest of the ACL says.
If the user has not been explicitly denied, the rest of the ACL determines whether they are granted access. If the Everyone flag is 0, they are granted access only if their username appears in the list of allowed users (U) or if they belong to a group that appears in the list of allowed groups (G). If the Everyone flag is 1, the user is granted access regardless of whether they appear in U or G.
This process is summarized in the following diagram:
Sample Code
To build an ACL you must extract from the repository the users and groups that are allowed, and are not allowed, to view the document. How you do this depends on the repository. After you have a collection of users and groups that are allowed access to a document (“users” and “groups”), and a collection of users and groups that are disallowed access (“negativeUsers” and “negativeGroups”) you can create an ACL and add it to a document (“doc”) as shown in the following example.
    // Whether to encrypt the usernames and group names written into the ACL.
    // Defaults to true when the setting is absent from the task configuration.
    bool encryptAclEntries = task.TaskConfig.Read("EncryptAclEntries", true);

    // The leading 0 is the Everyone flag: only the listed users and groups may view
    // the document. Use 1 to grant access to everyone who is not explicitly denied.
    string acl = string.Format(
        "0:U:{0}:G:{1}:NU:{2}:NG:{3}",
        Encryption.ToCsv(users, encryptAclEntries),           // U:  allowed users
        Encryption.ToCsv(groups, encryptAclEntries),          // G:  allowed groups
        Encryption.ToCsv(negativeUsers, encryptAclEntries),   // NU: disallowed users
        Encryption.ToCsv(negativeGroups, encryptAclEntries)); // NG: disallowed groups

    // Write the ACL into the field that IDOL reads for document security.
    doc.Document.AddFieldValue("AUTONOMYMETADATA", acl);
In this example, the configuration setting EncryptAclEntries is read from the task configuration. If you need to disable encryption for debugging purposes, you can set this parameter to false. Do this only in a test environment: with encryption disabled, the usernames and group names are written into the indexed field in plain text, so anyone who can read the AUTONOMYMETADATA field can see exactly who is allowed and denied access to each document.
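To make the format and the evaluation rules concrete, the following is an added example written for this page; it is not part of the original documentation and not IDOL's own security library. It builds an NT-style ACL string in the same layout as the C# sample above (the function names build_acl, parse_acl and is_allowed are this example's own), then evaluates it with the deny-first logic described earlier: explicit denials in NU and NG win, then the Everyone flag, then the U and G lists. The entries are compared as plain text, which corresponds to an ACL written with EncryptAclEntries set to false; in a real deployment the entries are encrypted and IDOL's security library performs the comparison. The sample users and groups are constructed for illustration.

```python
"""Build and evaluate an NT-style IDOL ACL string:
    <Everyone flag>:U:<users>:G:<groups>:NU:<users>:NG:<groups>

Illustrative example written for this page, not IDOL's security library.
Entries are compared as plain text (as when EncryptAclEntries is false).
"""
from dataclasses import dataclass, field
from typing import Iterable, List

# Section labels in the order they must appear in the ACL string.
SECTION_ORDER = ("U", "G", "NU", "NG")


@dataclass
class Acl:
    everyone: bool                                       # leading 1 or 0
    users: List[str] = field(default_factory=list)       # U
    groups: List[str] = field(default_factory=list)      # G
    negative_users: List[str] = field(default_factory=list)   # NU
    negative_groups: List[str] = field(default_factory=list)  # NG


def _to_csv(entries: Iterable[str]) -> str:
    """Join entries with commas; reject names that would break the format."""
    cleaned = []
    for entry in entries:
        if not entry or "," in entry or ":" in entry:
            raise ValueError(f"entry cannot be represented in this ACL format: {entry!r}")
        cleaned.append(entry)
    return ",".join(cleaned)


def build_acl(users, groups, negative_users, negative_groups, everyone=False) -> str:
    """Produce the same layout as the connector sample: 0:U:...:G:...:NU:...:NG:..."""
    return ":".join([
        "1" if everyone else "0",
        "U", _to_csv(users),
        "G", _to_csv(groups),
        "NU", _to_csv(negative_users),
        "NG", _to_csv(negative_groups),
    ])


def parse_acl(acl: str) -> Acl:
    """Split an ACL string into its flag and four sections, rejecting malformed input."""
    parts = acl.split(":")
    # 9 tokens: flag, then four (label, csv-body) pairs in the fixed order.
    if len(parts) != 9 or parts[0] not in ("0", "1") or tuple(parts[1::2]) != SECTION_ORDER:
        raise ValueError(f"malformed NT-style ACL: {acl!r}")
    bodies = [[e for e in body.split(",") if e] for body in parts[2::2]]
    return Acl(parts[0] == "1", *bodies)


def is_allowed(acl: str, user: str, user_groups: Iterable[str]) -> bool:
    """Apply the evaluation order: explicit denial, then Everyone flag, then U/G."""
    parsed = parse_acl(acl)
    groups = set(user_groups)
    # 1. Disallowed users and groups always take priority.
    if user in parsed.negative_users or groups & set(parsed.negative_groups):
        return False
    # 2. Everyone flag set: any user who was not denied is allowed.
    if parsed.everyone:
        return True
    # 3. Otherwise the user must be listed directly or via an allowed group.
    return user in parsed.users or bool(groups & set(parsed.groups))


if __name__ == "__main__":
    # Constructed sample data: alice and the staff group may read; eve and contractors may not.
    acl = build_acl(["alice"], ["staff"], ["eve"], ["contractors"])
    print(acl)
    for who, memberships in [("alice", []), ("bob", ["staff"]), ("carol", []),
                             ("eve", ["staff"]), ("alice", ["contractors"])]:
        print(f"{who:6} {sorted(memberships)!s:18} -> {is_allowed(acl, who, memberships)}")
```

The two denial cases in the demo are the ones worth checking when you test a connector: a user who is in an allowed group but is named in NU, and a user who is named in U but belongs to a group in NG. Both must come out as denied, whatever the Everyone flag says.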
Custom ACL Formats
Access Control Lists are parsed by IDOL security libraries. If you use a custom ACL format, you can use the generic security library or write a custom security library. For more information about ACLs and mapped security, refer to the IDOL Document Security Administration Guide.