Access control objects - Portal Access Control
The complete access control data for a resource is represented on the client by a PacList object. PAC stands for Portal Access Control. PacList objects are opaque, they cannot be manipulated directly. Instead, they are loaded into the PacList bean, which provides the operations to view and edit the objects. PacList objects are obtained from and written back using the Access bean. The access control data for a resource is split in similar data groups for several action sets. It is also referred to as role types. The term action set is used here, as it has the smaller potential for misinterpretation. The portal uses predefined action sets, which combine the actions for the following types of portal users.
Action set name Description User User PrivilegedUser Privileged User Editor Editor Manager Manager Delegator Delegator SecurityAdmin Security Administrator Admin Administrator Alternative names are documented in the help of the PacList bean.
For each action set, a list of principals are explicitly allowed to complete the corresponding actions. A principal is a group or user, which are specified by a name or distinguished name (DN). There are three special principals, which represent:
- anonymous user
- all authenticated users
- all user groups
In addition to the list of principals, two flags control the implicit distribution of permissions through resource hierarchies.
- The inheritance flag controls distribution of permissions from parent to child nodes. If inheritance is not blocked, a principal that has permission on the parent has permission on the child as well.
- The propagation flag controls the other direction. If propagation is not blocked, a principal that has permission on at least one child has permission on the parent as well. This kind of permission is useful for simple actions, such as viewing a page, which requires view access to all parents.
Although the flags can be manipulated for each action set, they are ignored for security administrators and administrators. For these two action sets, inheritance and propagation are never blocked.
Parent topic: Portal Access Control