User Administration ACLs

The Ceptor Identity Management database API has support for a series of ACLs to ensure proper security access when accessing the user database.


What is an ACL?

An ACL (Access Control List) is a method that can be used to restrict certain actions to certain users.

Most API functions in Ceptor UserAdmin are protected by one or more ACLs – in order for a user to execute the given functionality, he must be a member of one of the groups that are assigned to the ACL.

An ACL has any number of user groups as members; if a user is a member of one or more of the listed groups, he has access to the functionality which the ACL protects.

As a general rule, if an ACL is not created, all users have access to the functionality it protects, but if it is created, only the users belonging to the groups defined by the ACL have the proper rights to it; all other users do not.
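The general rule above decides every check in the list that follows, so it is worth seeing it in code. The following is an added example, not code from Ceptor: the ACL store is a constructed dict mapping an ACL name to the set of groups that are its members, and the function names (can_access, can_read_attribute, unprotected_attributes) are hypothetical. The last helper shows the consequence a practitioner cares about: an attribute that was never given an attr.<attribute>.<operation> ACL is open to every user.

```python
# Added example (not Ceptor code): the "undefined ACL grants everyone,
# defined ACL grants only its groups" rule applied to attribute access.


def can_access(acls, user_groups, acl_name):
    """Decide whether a user may perform the operation protected by acl_name.

    General rule: if the ACL has not been created, the operation is open to
    every user; if it exists, only members of at least one listed group may
    perform it.
    """
    if acl_name not in acls:
        return True
    return not set(user_groups).isdisjoint(acls[acl_name])


def can_read_attribute(acls, user_groups, attribute):
    """attr.<attribute>.read check."""
    return can_access(acls, user_groups, f"attr.{attribute}.read")


def can_write_attribute(acls, user_groups, attribute):
    """attr.<attribute>.write check (change or delete)."""
    return can_access(acls, user_groups, f"attr.{attribute}.write")


def unprotected_attributes(acls, attributes, operation):
    """Attributes with no attr.<attribute>.<operation> ACL defined, i.e.
    attributes that every user may <operation>. Useful when auditing a
    deployment for sensitive attributes that were never given an ACL."""
    return [a for a in attributes if f"attr.{a}.{operation}" not in acls]


# Constructed sample policy: only firstname and ssn have read ACLs, only ssn
# has a write ACL. "phone" has no ACLs at all.
SAMPLE_ACLS = {
    "attr.firstname.read": {"helpdesk", "hr"},
    "attr.ssn.read": {"hr"},
    "attr.ssn.write": {"hr"},
}

SAMPLE_ATTRIBUTES = ["firstname", "ssn", "phone"]


if __name__ == "__main__":
    for groups in (["helpdesk"], ["hr"], ["dev"]):
        print(groups,
              "read firstname:", can_read_attribute(SAMPLE_ACLS, groups, "firstname"),
              "read ssn:", can_read_attribute(SAMPLE_ACLS, groups, "ssn"),
              "write phone:", can_write_attribute(SAMPLE_ACLS, groups, "phone"))
    # Attributes anyone can read / write because no ACL was ever created
    print("open for read:", unprotected_attributes(SAMPLE_ACLS, SAMPLE_ATTRIBUTES, "read"))
    print("open for write:", unprotected_attributes(SAMPLE_ACLS, SAMPLE_ATTRIBUTES, "write"))
```

Note that the "dev" group can write "phone" and that "firstname" is writable by everyone, simply because no write ACL was created for them: in this model, protection is opt-in per attribute and per operation, so a deployment should define ACLs for every attribute it considers sensitive.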


ACL List

Each entry below gives the ACL name, followed by a description of what it protects.

attr.<attribute>.read

Restricts the access to read a certain <attribute> to certain users. For example, if an ACL called “attr.firstname.read” exists, only the users with the proper access are allowed to read the attribute “firstname”.

attr.<attribute>.write

Like attr.<attribute>.read, only users with this ACL are allowed to write (change or delete) the given attribute. Note that if the ACL does not exist for a given attribute, all users have access to delete or change the attribute.

attr.<attribute>.create

If this ACL exists for a given attribute, only users who have it are allowed to create this new attribute if it doesn’t already exist for a user.

user.create

Only users with this ACL can create new users.

user.read

Users with this ACL can view other users.

user.write

If a user does not have this ACL, he is not able to make changes to other users at all.

profile.read

Users with this ACL have the right to read profiles.

profile.create

This ACL is required in order to create new profiles.

profile.write

ACL needed to make changes to existing profiles, including deletions.

profile.assignall

Users with this ACL are able to assign all existing profiles to other users. This particular ACL overrides checks for the profile.<profileID>.assign ACL.

profile.<profileID>.assign

Users with this ACL are able to assign the given <profileID> to other users.

group.read

Required in order to read lists of groups.

group.create

Users must have this ACL to be able to create new groups.

group.write

Users cannot update or delete groups without this ACL.

acl.create

In order to create new ACLs, a user must have this ACL.

acl.write

Required to write or delete an existing ACL.

organisation.read

To read the list of organisations, users must have this ACL.

organisation.create

Required to create new organisations.

organisation.write

Required to write or delete an organisation.

revisionlog.read

Restricts access to the revision log, so only users with this ACL are allowed to read the contents of the revisionlog.

nonreplog.read

Restricts access to the nonrep-log, so only users with this ACL are allowed to read the contents of the log.

batchcommand.execute

Execution of batch commands requires this ACL.

challenge.read

This ACL is required to read challenges.

challenge.write

Required to write or update challenges.

custcmd.execute

Required to execute custom commands.

user.search.ownorg

If a user has this ACL, he is allowed to search within his own organisations.

user.search.allorgs

Allows a user to search for users not belonging to his own organisation. Without this, a user is only allowed to search for other users belonging to the same organisation as the one performing the search (if he has the user.search.ownorg ACL). Note that user.search.org.<orgid> might still restrict the list of organisations actually allowed to be searched.

Note that this ACL does not give the user the right to search within his own organisations, but it only gives him the right to search within all other organisations.

user.search.specificorgs

Overrides the other properties, user.search.allorgs and user.search.ownorg by specifying that the user only has access to those organisations that specifically are *granted* by an ACL (user.search.org.<orgid>) – if the ACL for an organisation is not defined, the user will not have access to it. This can be used to grant specific user access to only a few specific organisations, defaulting to no access.


Note: If a user has this ACL, the ACLs user.search.allorgs and user.search.ownorg will be ignored for him.

user.search.org.<orgid>

Even if a user has access to search in all organisations, this ACL can restrict access to a single organisation, which means that if this ACL is present, the user must have it in order to search users in this specific organisation.

Note that this ACL can also be used to restrict searches in a user's own organisation.

organisation.read.ownorg

organisation.read.allorgs

organisation.read.specificorgs

organisation.read.org.<orgid>

These function like user.search.ownorg, user.search.allorgs, user.search.specificorgs and user.search.org.<orgid>, but are used to restrict the list of organisations that can be found by a user, instead of restricting searches on users.

list.nonreplog.read

To view the non-repudiation log, access to this ACL is required.

list.revisionlog.read

Required to view the revision log.

list.transactionlog.read

Required to view the transaction log.

ppadmin.read

Allows the user read-only actions using the administration client.

ppadmin.write

Allows the user to update items using the administration client.

ppadmin.configuration-management.manage.read

Allows the user to read the Ceptor configuration using the administration client – if this ACL does not exist, ppadmin.read and ppadmin ACLs will be checked.

ppadmin.configuration-management.manage.write

Allows the user to update the Ceptor configuration using the administration client – if this ACL does not exist, ppadmin.read and ppadmin ACLs will be checked.

ppadmin.status-management.general.read

Allows the user to view status of running servers, and read log entries from the log server using the administration client.

ppuseradmin.access

Allows the user access to the web user administration client (apart from any group relations).