Authorization Statements; Hierarchy Of Authorization Statements - Sun Microsystems Netscape Enterprise Server Administrator's Manual

ACL File Syntax

Authorization Statements

Each ACL entry can include one or more authorization statements.
Authorization statements specify who is allowed or denied access to a server
resource. Use the following syntax when writing authorization statements:

allow|deny [absolute] (right[,right...]) attribute expression;

Start each line with either allow or deny. It's usually a good idea to deny access
to everyone in the first rule and then specifically allow access for users, groups,
or computers in subsequent rules. This is because of the hierarchy of rules.
That is, if you allow anyone access to a directory called /my_stuff, and then
you have a subdirectory /my_stuff/personal that allows access to a few
users, the access control on the subdirectory won't work because anyone
allowed access to the /my_stuff directory will also be allowed access to the
/my_stuff/personal directory. To prevent this, create a rule for the
subdirectory that first denies access to anyone and then allows it for the few
users who need access.

However, in some cases if you set the default ACL to deny access to everyone,
then your other ACL rules don't need a "deny all" rule.

The following line denies access to everyone:

deny (all)
user = "anyone";

Hierarchy of Authorization Statements

ACLs have a hierarchy that depends on the resource. For example, if the server
receives a request for the document (URI)
/my_stuff/web/presentation.html, the server first looks for an ACL
that matches the file type or any other wildcard pattern that matches the
request, then it looks for one on the directory, and finally it looks for an ACL on
the URI. If more than one ACL matches, the server uses the last
statement that matches. However, if you use an absolute statement, then the
server stops looking for other matches and uses the ACL containing the
absolute statement. If you have two absolute statements for the same resource,
the server uses the first one in the file and stops looking for other resources that
match.

458 Netscape Enterprise Server Administrator's Guide
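
The ordering rules above (the last matching statement wins, a matching absolute statement ends the search) can be checked with a small model. This is an added example, not code from the manual or the server: it handles only user = "name" expressions in a single statement list, and the function names, the user names, the read right and the deny default are assumptions made for illustration.

```python
import re

# Simplified model of the evaluation order described above. Only
# `user = "name"` expressions are handled (an assumption of this sketch).
STMT = re.compile(
    r'(allow|deny)\s+(absolute\s+)?\(([^)]*)\)\s*user\s*=\s*"([^"]*)"\s*;')

def parse(acl_text):
    """Return (action, absolute, rights, user) tuples in file order."""
    rules = []
    for action, absolute, rights, user in STMT.findall(acl_text):
        rules.append((action, bool(absolute),
                      {r.strip() for r in rights.split(",")}, user.strip()))
    return rules

def decide(rules, user, right, default="deny"):
    """Last matching statement wins; a matching absolute statement is final."""
    result = default  # assumed default when nothing matches
    for action, absolute, rights, who in rules:
        if not rights & {right, "all"}:
            continue  # statement does not cover the requested right
        if who not in (user, "anyone"):
            continue  # statement does not cover this user
        result = action
        if absolute:
            break  # first absolute match: stop looking at later statements
    return result

# Constructed sample statements for /my_stuff/personal (user names are made up).
PERSONAL = '''
deny (all) user = "anyone";
allow (read) user = "alice";
'''
# Same statements, but the deny is absolute, so the later allow is never reached.
LOCKED = '''
deny absolute (all) user = "anyone";
allow (read) user = "alice";
'''
# Deny placed last: it is the last match for everyone, so the allow is lost.
REVERSED = '''
allow (read) user = "alice";
deny (all) user = "anyone";
'''

if __name__ == "__main__":
    for name, text in (("PERSONAL", PERSONAL), ("LOCKED", LOCKED),
                       ("REVERSED", REVERSED)):
        print(name, {u: decide(parse(text), u, "read") for u in ("alice", "bob")})
```

Only the deny-first ordering gives alice read access while keeping everyone else out, which is why the manual recommends writing the "deny all" statement before the specific allows.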
