ACL policies
In the protected object space, ACL policies can be attached to resource objects and container objects. Each ACL policy contains one or more ACL entries that affect only that object. For example, the ACL policy attached to the spooler object might allow all requesters the following permissions:
- Execute
- List
- Read
- Write
However, the ACL policy attached to the docs_repository object might allow all requesters the following permissions:
- List
- Read
In this case, both ACL policies attached to these objects contain an ACL entry for all requesters. However, the permissions granted to all requesters by that entry differ between the two objects.

Container objects represent specific regions in the protected object space. After a domain administrator creates an ACL policy and attaches it to a container object, the ACL policy performs the following important security functions:
- The root (/) container object begins the chain of ACL inheritance for the entire protected object space.
- Through inheritance, the root object defines the security policy for the entire object space.
- Unless an explicit ACL policy is attached to a contained object, the ACL policy for the container object defines the security policy for all resources in that container object.
- The traverse permission allows a requester to pass through a container object to the requested object. To deny access to all objects in a region, remove the traverse permission (T action bit) from the ACL entry.
- The traverse permission does not grant any other access controls to the container object.
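The inheritance and traverse rules above, as an added example that is not part of the original topic or of any product code: a small Python model of a protected object space in which an ACL attached to a container is inherited by every object beneath it until another explicit ACL appears further down, traverse is required on every container passed through on the way to the requested object, and only then is the requested permission checked against the effective ACL of the target. The class and function names, the spelled-out permission names (rather than the product's action bits), the entry-matching rule (a named entry wins, otherwise the all-requesters entry) and the objects other than spooler and docs_repository are assumptions made for this example.

```python
"""Toy model of ACL policies, inheritance and the traverse permission in a
protected object space.  Added example, not product code: class names, the
spelled-out permission names and the entry-matching rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

ALL_REQUESTERS = "*"  # assumed marker for the "all requesters" ACL entry

Perms = FrozenSet[str]


@dataclass
class AclPolicy:
    name: str
    entries: Dict[str, Perms] = field(default_factory=dict)  # principal -> perms

    def permissions_for(self, requester: str) -> Perms:
        # Assumed rule: a named entry wins, otherwise the all-requesters entry.
        if requester in self.entries:
            return self.entries[requester]
        return self.entries.get(ALL_REQUESTERS, frozenset())


class ProtectedObjectSpace:
    """Objects are slash-separated paths. An ACL attached to an object governs
    everything beneath it until another explicit ACL appears further down."""

    def __init__(self, root_acl: AclPolicy) -> None:
        self.attached: Dict[str, AclPolicy] = {"/": root_acl}  # root starts the chain

    @staticmethod
    def norm(path: str) -> str:
        return "/" + "/".join(p for p in path.split("/") if p)

    def attach(self, path: str, acl: AclPolicy) -> None:
        self.attached[self.norm(path)] = acl

    def containers_above(self, path: str) -> List[str]:
        """Containers passed through to reach path: '/', '/a', '/a/b' for
        '/a/b/c'; nothing for '/' itself."""
        parts = self.norm(path).split("/")[1:]
        if parts == [""]:
            return []
        out, cur = ["/"], ""
        for p in parts[:-1]:
            cur += "/" + p
            out.append(cur)
        return out

    def effective_acl(self, path: str) -> Tuple[str, AclPolicy]:
        """Nearest explicitly attached ACL, walking from the object up to root.
        Returns (object the ACL is attached to, ACL)."""
        path = self.norm(path)
        for p in [path] + list(reversed(self.containers_above(path))):
            if p in self.attached:
                return p, self.attached[p]
        raise RuntimeError("unreachable: root always carries an ACL")

    def decide(self, requester: str, path: str, perm: str) -> Tuple[bool, str]:
        """Authorization decision plus a reason.  Traverse is checked on each
        container on the way down; it grants nothing on the target itself."""
        path = self.norm(path)
        for container in self.containers_above(path):
            where, acl = self.effective_acl(container)
            if "traverse" not in acl.permissions_for(requester):
                return False, f"no traverse on {container} (ACL {acl.name} from {where})"
        where, acl = self.effective_acl(path)
        if perm in acl.permissions_for(requester):
            return True, f"{perm} granted by ACL {acl.name} from {where}"
        return False, f"{perm} not in ACL {acl.name} from {where}"


def build_example_space() -> ProtectedObjectSpace:
    """Constructed scenario following the spooler / docs_repository example."""
    root = AclPolicy("root_acl", {
        ALL_REQUESTERS: frozenset({"traverse"}),
        "sec_admin": frozenset({"traverse", "control", "list", "read"})})
    space = ProtectedObjectSpace(root)
    space.attach("/spooler", AclPolicy("spooler_acl", {
        ALL_REQUESTERS: frozenset({"execute", "list", "read", "write"})}))
    space.attach("/docs_repository", AclPolicy("docs_acl", {
        ALL_REQUESTERS: frozenset({"list", "read"})}))
    # A region everyone may pass through; objects below inherit this ACL.
    space.attach("/engineering", AclPolicy("eng_acl", {
        ALL_REQUESTERS: frozenset({"traverse", "list", "read"})}))
    # A locked region: only sec_admin holds traverse, so nothing beneath it is
    # reachable by anyone else, whatever ACL a child carries.
    space.attach("/private", AclPolicy("private_acl", {
        "sec_admin": frozenset({"traverse", "list", "read"})}))
    space.attach("/private/notes.txt", AclPolicy("notes_acl", {
        ALL_REQUESTERS: frozenset({"read"})}))
    return space


if __name__ == "__main__":
    s = build_example_space()
    for req in [("alice", "/spooler", "write"), ("alice", "/docs_repository", "write"),
                ("alice", "/engineering/specs/rfc.txt", "read"),
                ("alice", "/private/notes.txt", "read"),
                ("sec_admin", "/private/notes.txt", "read"), ("alice", "/", "list")]:
        print(req, "->", s.decide(*req))
```

Running it prints one decision per constructed request. The /engineering/specs/rfc.txt request shows inheritance (the object carries no ACL of its own and is governed by the ACL attached to /engineering), the /private/notes.txt request shows that removing traverse from a container denies everything beneath it even when the child object's own ACL is permissive, and the request against / shows that holding traverse alone grants no other access to the container.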
Parent topic: Manage access control