About Access Control
An ACI can have more than one group, user, or IP address by separating them with two pipe symbols
(||) with a space on either side. For example:
allow (read) group="Administrators" || group="Auditors"
The administrative console can create or modify ACIs. The interface sets whether to allow or deny the
operation in the Allow and Deny field, sets which operations are possible in the Operations field, and
then lists the groups, users, or IP addresses being granted or denied access in the Syntax field.
An ACI can either allow or deny an operation for the specified group, user ID, or IP address. Generally,
ACIs do not need to be created to deny access. If there are no allow ACIs that include a user ID, group,
or IP address, that group, user ID, or IP address is denied access.
If a user is not allowed access to any of the operations for a resource, then this user is considered
denied; he does not specifically need to be denied access. For example, user JohnB is a member
of the Administrators group. If an ACL has only the following ACI, JohnB would be denied any
access since he does not match any of the allow ACIs:
Allow (read,modify) group="Auditors" || user="BrianC"
There usually is no need to include a deny statement. Some situations can arise, however, when it
is useful to specify one. For example, JohnB, a member of the Administrators group, has just
been fired. It may be necessary to deny access specifically to JohnB if the user cannot be deleted
immediately. Another situation is that a user, BrianC, is an administrator, but he should not have
the ability to change some resource. Since the Administrators group must access this resource,
BrianC can be specifically denied access by creating an ACI that denies this user access.
The allowed rights are the operations which the ACI controls, either by allowing or denying permission
to perform the operation. The actions that can be set for an ACL vary depending on the ACL and
subsystem. Two common operations that can be defined are read and modify.
The syntax field of the ACI editor sets the evaluator for the expression. The evaluator can specify
group, name, and IP address (both IPv4 and IPv6 addresses). These are specified along with the
name of the entity set as equals (=) or does not equal (!=).
The syntax to include a group in the ACL is group="groupname". The syntax to exclude a group is
group!="groupname", which allows any group except for the group named. For example:
group="Administrators" || group!="Auditors"
It is also possible to use regular expressions to specify the group, such as using wildcard characters
like an asterisk (*). For example:
group="* Managers"
For more information on supported regular expression patterns, see
http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html#sum.
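To make the evaluation rules above concrete, here is a small evaluator, added for this page and not part of Certificate System, that parses ACIs in the syntax shown (allow or deny, an operation list, and group/user terms joined by ||, using = or != and * as a wildcard) and applies the default-deny rule. It assumes that a matching deny ACI overrides a matching allow, as the BrianC example implies, and uses a hypothetical ipaddress keyword for IP address terms.

```python
import re

# Hypothetical parser/evaluator written for this page, not the product's own code.
# Accepts lines such as:  Allow (read,modify) group="Auditors" || user="BrianC"
ACI_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*)$', re.IGNORECASE)
TERM_RE = re.compile(r'^(group|user|ipaddress)\s*(!?=)\s*"([^"]*)"$', re.IGNORECASE)

def parse_aci(line):
    """Return (effect, operations, terms) for one ACI line."""
    m = ACI_RE.match(line)
    if not m:
        raise ValueError("bad ACI: %r" % line)
    ops = {o.strip().lower() for o in m.group(2).split(",") if o.strip()}
    terms = []
    for raw in m.group(3).split(" || "):      # two pipes with a space on either side
        t = TERM_RE.match(raw.strip())
        if not t:
            raise ValueError("bad term: %r" % raw)
        kind, negate, value = t.group(1).lower(), t.group(2) == "!=", t.group(3)
        # Assumption: '*' is the only wildcard needed; everything else is literal.
        pattern = re.compile(".*".join(re.escape(p) for p in value.split("*")))
        terms.append((kind, negate, pattern))
    return m.group(1).lower(), ops, terms

def term_matches(term, user, groups, ip):
    """A term matches the requester; '!=' inverts the comparison."""
    kind, negate, pattern = term
    if kind == "user":
        hit = pattern.fullmatch(user) is not None
    elif kind == "ipaddress":
        hit = pattern.fullmatch(ip) is not None
    else:  # group: true if any group the user belongs to matches
        hit = any(pattern.fullmatch(g) for g in groups)
    return hit != negate

def is_permitted(acl, op, user, groups, ip=""):
    """Denied unless an allow ACI matches; a matching deny ACI wins (assumption)."""
    allowed = False
    for line in acl:
        effect, ops, terms = parse_aci(line)
        if op not in ops or not any(term_matches(t, user, groups, ip) for t in terms):
            continue
        if effect == "deny":
            return False
        allowed = True
    return allowed
```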
The syntax to include a user in the ACL is user="userID". The syntax to exclude the user is
user!="userID", which allows any user ID except for the user ID named. For example: