Access Control List

Access Control List (ACL) is a set of rules that determine which functions a user can access. It consists of simple instructions using the terms ALLOW or DENY, followed by the name of a function or group.

By default, an ACL is set to DENY ALL. Instructions are executed in the order they are listed. If group scopes overlap, the second instruction overrides the overlapping portion.

Example

The example below allows the user to browse Stores, create files, and use Threads, but prevents them from deleting Threads or messages:

ALLOW store/READ
ALLOW store/storeFileCreate
ALLOW thread/ALL
DENY thread/deleteThread
DENY thread/deleteMessage
DENY thread/deleteManyMessages
DENY thread/deleteMessagesOlderThan

Example Breakdown

ALLOW store/READ                     => Grants access to all methods in the store/READ group
ALLOW store/storeFileCreate          => Grants access to the storeFileCreate method
ALLOW thread/ALL                     => Grants access to all methods in the thread group
DENY thread/deleteThread             => Revokes access to the thread/deleteThread method, other thread methods remain unchanged
DENY thread/deleteMessage            => Revokes access to the thread/deleteMessage method, other thread methods remain unchanged
DENY thread/deleteManyMessages       => Revokes access to the thread/deleteManyMessages method, other thread methods remain unchanged
DENY thread/deleteMessagesOlderThan  => Revokes access to the thread/deleteMessagesOlderThan method, other thread methods remain unchanged

Object-Level Rules

It is also possible to bind an ACL rule to a specific object by using function arguments:

[DIRECTIVE] [scope/method] [parameter]=[argument]

Example

ALLOW store/storeFileWrite storeId=65ad8f6c2e4f4f1adb40bf81

Example

Example Breakdown

Object-Level Rules

Example

See Also

On this page