Users & Groups

Users & Groups

Access control

• happens on repository level
• users and groups stored in repository
• permissions stored as nodes

Consist of:

• principal - user or a group
• subject - right assigned to a principal
• access control and authorization

Evaluation of a Subject

• process of comparing subject's permissions with those required to access a resource
• oak looks for the nearest ancestor that is allowing or denying action and goes with that decision

Groups

• collections of users and/or other groups (members of a group)
• simplify maintenance process - change made to a group is applied to all members

Actions

• Read
• Modify - modify existing conntent on page and page children, create new paragraphs on page and children. On JCR level allows to modify properties, lock, versioning,
• Create - create new page or child page, if modify is denied then allowing create will not work on nodes under jcr:content cause creating resources under that node is considered as modification (same for delete action)
• Delete - delete existing paragraphs from page and children, delete page or child page
• Read ACL - The user can read the access control list of the page or child pages.
• Edit ACL - The user can modify the access control list of the page or any child pages.
• Replicate - can replicate content to another environment (for example, the Publish environment). The privilege is also applied to any child pages.

Permissions and ACLs

• ACLs - Access Control Lists
• defines who is allowed do perform an action on a resource
• permissions can be granted/denied for a given principal
• Access Control Lists are made up of the individual permissions and are used to determine the order in which these permissions are actually applied. The list is formed according to the hierarchy of the pages under consideration. This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.

Documentation

• User Administration and Security