How Does Access Control Work?

You can control access to the entire server or to parts of the server (directories, files, file types). When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access control entries (ACEs), and then it uses the matching entries to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access control list (ACL).

When a request comes in to the server, the server looks in OBJ.CONF for a reference to an ACL, which is then used to determine access. By default, the server has one ACL file that contains multiple ACLs.

For example, suppose someone requests the following URL:

http://www.novell.com/my_stuff/web/presentation.html

The server would first check access control for the entire server. If the ACL for the entire server is set to continue, the server checks whether there is an ACL for the file type .HTML. It then checks for an ACL for the directory MY_STUFF; if one exists, it evaluates that ACL's ACEs and moves on to the next directory. The server continues traversing the path until it either reaches an ACL that says not to continue or reaches the final ACL for the requested URL (in this case, the file PRESENTATION.HTML).

To set up access control for this example using the Server Manager forms, you could create an ACL for the file only, or one for each resource leading to the file: one for the entire server, one for the MY_STUFF directory, one for the MY_STUFF/WEB directory, and one for the file.

The following sample ACL file illustrates one way to control access to this resource.

# File automatically written
#
# You may edit this file by hand
#
version 3.0;

# This ACL allows everyone in the local database or LDAP directory
acl "agents";
authenticate (user,group) {
    prompt = "<Enterprise or News> Server";
};
deny (all)
    user = "anyone";
allow absolute (all)
    user = "all";

# This ACL denies all access to the my_stuff directory
acl "path=C:\Novonyx\SuiteSpot\docs\my_stuff";
deny (all)
    user = "anyone";

# This ACL allows access to anyone in the user database
acl "path=C:\Novonyx\SuiteSpot\docs\my_stuff\web";
allow (all)
    user = "anyone";

# This ACL allows access to the file to anyone in the "my_group" group
acl "path=C:\Novonyx\SuiteSpot\docs\my_stuff\web\presentation.html";
allow (all)
    user = "anyone" and
    group = "my_group";

# This is the default ACL and denies access to anyone
acl "default";
deny (all)
    user = "anyone";
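To make the traversal concrete, the following Python program parses the sample file above and walks the ACL hierarchy for a request, returning the decision together with a trace of the ACEs that matched. It is an added illustration, not code from the server or from this documentation, and its evaluation model is an assumption read from the text: the server-wide ACL (the one OBJ.CONF points at, assumed here to be "agents") is applied first, then every "path=" ACL that covers the requested file from most general to most specific; each matching ACE overrides the decision so far, and an ACE marked "absolute" stops the walk; user = "anyone" matches every request, user = "all" matches any authenticated user, and a group term matches an authenticated member of that group; inside an ACL that carries an authenticate statement, an ACE that needs identity from an unauthenticated request produces a credential challenge instead of a decision. The Request type, the user names alice and bob, and the fallback of "deny" when nothing matches are constructed for the example; only the user and group attributes and "and" between terms are parsed.

```python
# Added illustration of the ACL walk described above, not server code; the model is an assumption (see lead-in).
import re
from collections import namedtuple
from types import SimpleNamespace

# The page's ACL file, one ACE per line, with two syntax fixes: the file ACE joins its
# terms with `and`, and the default ACL's deny names its subject.
SAMPLE_ACL = r'''version 3.0;
# This ACL allows everyone in the local database or LDAP directory
acl "agents";
authenticate (user,group) { prompt = "<Enterprise or News> Server"; };
deny (all) user = "anyone";
allow absolute (all) user = "all";
# This ACL denies all access to the my_stuff directory
acl "path=C:\Novonyx\SuiteSpot\docs\my_stuff";
deny (all) user = "anyone";
# This ACL allows access to anyone in the user database
acl "path=C:\Novonyx\SuiteSpot\docs\my_stuff\web";
allow (all) user = "anyone";
# This ACL allows access to the file to anyone in the "my_group" group
acl "path=C:\Novonyx\SuiteSpot\docs\my_stuff\web\presentation.html";
allow (all) user = "anyone" and group = "my_group";
# This is the default ACL and denies access to anyone
acl "default";
deny (all) user = "anyone";
'''
TARGET = r"C:\Novonyx\SuiteSpot\docs\my_stuff\web\presentation.html"
STMT = re.compile(r"\s*(authenticate\s*\([^)]*\)\s*\{[^}]*\}|[^;{}]+);")
ACE = re.compile(r"(allow|deny)(\s+absolute)?\s*\(([^)]*)\)\s*(.*)", re.S)
TERM = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
Ace = namedtuple("Ace", "decision absolute rights terms")   # terms: ((attr, value), ...)
Request = namedtuple("Request", "path user groups right",    # user None = anonymous
                     defaults=(None, frozenset(), "read"))

def parse_acl_file(text):
    """Parse the file into {acl name: namespace(name, authenticate, aces)}, ACE order kept."""
    acls, current, pos = {}, None, 0
    text = re.sub(r"#[^\n]*", "", text)                  # comments run to end of line
    while text[pos:].strip():
        m = STMT.match(text, pos)
        if not m:
            raise ValueError(f"syntax error near {text[pos:pos + 30]!r}")
        pos, stmt = m.end(), m.group(1).strip()
        if stmt.startswith("acl "):
            current = SimpleNamespace(name=stmt[4:].strip().strip('"'), authenticate=False, aces=[])
            acls[current.name] = current
        elif stmt.startswith("authenticate"):
            current.authenticate = True                  # prompt text itself is not modelled
        elif not stmt.startswith("version"):
            a = ACE.match(stmt)
            terms = [TERM.match(t) for t in re.split(r"\s+and\s+", a.group(4).strip())] if a else []
            if not a or None in terms:
                raise ValueError(f"bad ACE: {stmt!r}")
            rights = frozenset(r.strip() for r in a.group(3).split(","))
            current.aces.append(Ace(a.group(1), bool(a.group(2)), rights,
                                    tuple(t.groups() for t in terms)))
    return acls

def _matches(acl, ace, req):
    """True, False, or "authenticate" when identity is needed but the request has none."""
    if "all" not in ace.rights and req.right not in ace.rights:
        return False
    for attr, value in ace.terms:
        if attr not in ("user", "group"):
            raise ValueError(f"attribute {attr!r} not modelled")   # dns, ip, ...
        if req.user is None and (attr, value) != ("user", "anyone"):
            return "authenticate" if acl.authenticate else False    # prompt, or no match
        ok = (value in ("anyone", "all") or req.user == value) if attr == "user" else value in req.groups
        if not ok:
            return False
    return True

def acl_chain(acls, server_acl, path):
    """Server ACL first, then each path= ACL covering the file, general to specific."""
    norm = path.replace("/", "\\").lower() + "\\"
    covering = [acl for name, acl in acls.items() if name.startswith("path=")
                and norm.startswith(name[5:].replace("/", "\\").lower() + "\\")]
    return [acls[server_acl]] + sorted(covering, key=lambda acl: len(acl.name))

def evaluate(acls, server_acl, req):
    """Return (decision, trace); decision is "allow", "deny" or "authenticate"."""
    decision, trace = "deny", []                         # assumption: nothing matched -> deny
    for acl in acl_chain(acls, server_acl, req.path):
        for ace in acl.aces:
            m = _matches(acl, ace, req)
            if m == "authenticate":
                return m, trace + [f"{acl.name}: challenge for credentials"]
            if m:
                decision = ace.decision
                trace.append(f"{acl.name}: {ace.decision}" + (" absolute" if ace.absolute else ""))
                if ace.absolute:                         # "do not continue to the next ACE"
                    return decision, trace
    return decision, trace

if __name__ == "__main__":
    for who in (Request(TARGET), Request(TARGET, "alice", frozenset({"my_group"}))):
        print(who.user or "<anonymous>", evaluate(parse_acl_file(SAMPLE_ACL), "agents", who))
```

Under this model the trace shows two things worth checking when reviewing a real ACL file. First, once a user has authenticated, the "allow absolute" ACE in the "agents" ACL ends evaluation before any directory ACL is consulted, so the deny on MY_STUFF never applies to a logged-in user. Second, because the MY_STUFF\WEB ACL grants user = "anyone" rather than user = "all", the group restriction on PRESENTATION.HTML adds nothing beyond what the directory already grants; an anonymous request evaluated against the "default" ACL as the server-wide ACL is allowed by the directory ACE. Reading the trace rather than only the final decision is the quickest way to see which ACE actually decided a request.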