Access Control
From jManage

Overview

ACLs are a collection of access and authorization rules, called ACL entries (ACEs), that set the boundaries on user movements through the application. Access can be restricted to a given user and/or to a group of users. By default, jManage provides two groups, 'Administrator' and 'User', and a super user 'admin' who doesn't belong to either of these two groups. You can add your own group by editing "jmanage-user-roles.xml". ACEs are defined in "acl-config.properties". Absence of an ACE implies no access restriction. You can comment out an ACE by prefixing it with '#' (hash).
Available ACEs
Fine-grained Access Control

More refined access can be provided with the help of dynamic ACEs, which are an extension of the static ACEs mentioned above. The format of a dynamic ACE is:

    <permission>@<app>/<mbean>/<attribute or operation>=<comma separated roles or users>

You can use a wildcard for any of app, mbean or attribute. Note that the ACE currently doesn't support wildcards within the application, mbean or attribute name. If you have a particular application, say "app1", the ACE may look like:

    acl.update.jmanage.mbean.attributes@app1/*/*=Role1

In this case, Role1 has permission to update all attributes of all mbeans of app1.
1. If one wants to provide update access for the attribute attr1 of mbean abcMBean of application app1 to user xyz only, then the dynamic ACE can be built as follows:

    acl.update.jmanage.mbean.attributes@app1/myDomain:name=abcMBean/attr1=xyz

   With this ACE in place, no user other than "xyz" can update attribute "attr1" of the specified mbean.

2. If one wants to provide the same to a group of users, grpX, then the ACE is:

    acl.update.jmanage.mbean.attributes@app1/abcMBean/attr1=grpX

3. If one wants to restrict view access for mbean xyzMBean of application appABC to user pqr only, then the ACE would be:

    acl.view.jmanage.mbeans@appABC/myDomain:xyzMBean=pqr
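A lint pass over such a file, as an added example (not jManage code): it parses dynamic ACEs in the format above and flags commented-out entries, wildcards inside a name, and empty role lists. Splitting on the last '=', accepting two or three target segments, and the names `parse_ace`, `lint` and `SAMPLE` are assumptions of this example.

```python
# Constructed sample in the acl-config.properties style described above.
SAMPLE = """\
# acl.view.jmanage.mbeans@appABC/myDomain:xyzMBean=pqr
acl.update.jmanage.mbean.attributes@app1/*/*=Role1
acl.update.jmanage.mbean.attributes@app1/myDomain:name=abcMBean/attr1=xyz
acl.update.jmanage.mbean.attributes@app1/abc*/attr1=grpX
acl.update.jmanage.mbean.attributes@app2/*/*=
"""


def parse_ace(line):
    """Split a dynamic ACE into (permission, target segments, principals)."""
    # An mbean ObjectName can contain '=', so split on the LAST '='
    # (assumption of this example, not documented jManage behaviour).
    left, sep, right = line.rpartition("=")
    permission, at, target = left.partition("@")
    if not sep or not at:
        raise ValueError("expected <permission>@<target>=<principals>")
    principals = [p.strip() for p in right.split(",") if p.strip()]
    return permission, target.split("/"), principals


def lint(text):
    """Return (line number, message) findings for dynamic ACEs in text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            # A commented-out ACE is absent, and absence means no restriction.
            if line.lstrip("# ").startswith("acl.") and "@" in line:
                findings.append((no, "commented-out ACE is not enforced"))
            continue
        if "@" not in line:
            continue  # blank line or static ACE: out of scope here
        try:
            _, segments, principals = parse_ace(line)
        except ValueError as err:
            findings.append((no, str(err)))
            continue
        if not 2 <= len(segments) <= 3:
            findings.append((no, "target is not app/mbean[/attribute]"))
        if any("*" in s and s != "*" for s in segments):
            findings.append((no, "wildcard inside a name is not supported"))
        if not principals:
            findings.append((no, "no roles or users listed"))
    return findings


if __name__ == "__main__":
    for no, message in lint(SAMPLE):
        print(f"line {no}: {message}")
```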
