Authorization for CMS Users; Access Control Lists (ACLs); Access Control Instructions (ACIs); Changing Privileges - Netscape Management System 6.2 Administrator's Manual


Authorization for CMS Users

Authorization is the mechanism that checks whether a user is allowed to
perform a certain operation. Authorization points are defined in certain groups of
operations that require an authorization check of the user.

Access Control Lists (ACLs)

Access Control Lists (ACLs) are the mechanism that specifies the authorization for
each set of operations that requires authorization. An ACL exists for each set
of operations where an authorization check occurs. Using the CMS SDK, you can
add operations to an ACL, or define additional sets of operations by adding this
checking to the relevant resource.

Access Control Instructions (ACIs)

An ACL contains Access Control Instructions (ACIs), which specifically allow or
deny operations such as read or modify for this set of operations. Each ACI also
contains an evaluator expression. The default implementation of ACLs specifies
only users, groups, and IP addresses as possible evaluator types, although you
could create others using the CMS SDK. Each ACI in an ACL specifies whether access
is allowed or denied, which specific operation is being allowed or denied, and
which user(s), group(s), or IP address(es) are being allowed or denied to perform
the operation.

Changing Privileges

You can change the privileges of CMS users by changing the Access Control Lists
(ACLs) associated with the group of which the user is a member, with the
users themselves, or with the IP address of the user. You can also create groups and
assign access control to each group by adding that group to the access control lists.
For example, you can create a group for administrators who are only authorized to
view logs. You could name the group LogAdmins and modify the ACLs relevant to
logs to allow read or modify access to this group. If you did not add this group to
any other ACLs, members of this group would have access only to the logs.
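
The following Python sketch is an added example, not code from the manual or the CMS SDK. It models the ACL and ACI structure described above and the LogAdmins scenario; the resource names, the sample users and addresses, and the evaluation rule (no matching ACI means denied, and a matching deny overrides a matching allow) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    ip: str

@dataclass(frozen=True)
class ACI:
    allow: bool            # True = allow, False = deny
    operations: frozenset  # operations the ACI covers, e.g. read, modify
    eval_type: str         # evaluator type: "user", "group" or "ipaddress"
    value: str             # user ID, group name, or address/CIDR range

    def matches(self, subject: Subject) -> bool:
        if self.eval_type == "user":
            return subject.user == self.value
        if self.eval_type == "group":
            return self.value in subject.groups
        if self.eval_type == "ipaddress":
            return ip_address(subject.ip) in ip_network(self.value)
        raise ValueError(f"unknown evaluator type: {self.eval_type}")

def is_authorized(acls, resource, operation, subject):
    """Assumed rule: default deny; a matching deny beats any matching allow."""
    hits = [a for a in acls.get(resource, ())
            if operation in a.operations and a.matches(subject)]
    return bool(hits) and all(a.allow for a in hits)

# Constructed ACLs keyed by hypothetical resource names.
ACLS = {
    "logs": [
        ACI(True, frozenset({"read", "modify"}), "group", "LogAdmins"),
        ACI(False, frozenset({"modify"}), "ipaddress", "203.0.113.0/24"),
    ],
    "users": [
        ACI(True, frozenset({"read", "modify"}), "group", "Administrators"),
    ],
}

# Constructed subjects: the same LogAdmins member from two source addresses.
alice = Subject("alice", frozenset({"LogAdmins"}), "10.0.0.5")
alice_remote = Subject("alice", frozenset({"LogAdmins"}), "203.0.113.7")

if __name__ == "__main__":
    for subj, res, op in [(alice, "logs", "read"), (alice, "users", "read"),
                          (alice_remote, "logs", "modify")]:
        print(subj.user, subj.ip, res, op, is_authorized(ACLS, res, op, subj))
```

Because LogAdmins appears only in the ACL for logs, its members are refused on every other resource without any explicit deny ACI being written for them.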