ACLs (Access Control Lists)
State-of-the-art Authorization Management
ACL-based authorization management is available for
- Folders
- Objects
- Model Packages
- Users and Teams
- Built-in and custom application functions
Together with the organization management functionality,
ice.NET provides a sophisticated solution for efficient management of object-oriented
as well as functional access rights.
Functional Access Rights
Normally, authorization applies to items (objects, folders, etc.) that
contain ACLs. This enables intuitive, object-oriented rights management.
However, there are situations where object-oriented ACLs are not applicable,
especially when the objects/folders/packages have not been created yet.
Example: When managing the authorization to create model packages, there
is no item that could contain an appropriate ACL (the package does not exist yet).
Therefore, ice.NET provides a suitable abstraction, the Application Function
authorization item. The "Repository.PackageCreate" application function contains an
ACL that determines the authorization to create new packages. (Once a package is
created, the right to modify and delete the package can be managed by the package's
own ACL.)
Arbitrary application function ACLs can be defined, managed, and evaluated in order
to meet any application-specific requirements.
Extensive Software Support
The authorization functionality is supported by a variety of system components
that can be used in application systems. Software support is available for the following
categories:
- GUI components (Web and Desktop) for ACL maintenance
- Query functionality (retrieving effective access rights on authorized items) that
considers inheritance of access rights according to the organization structure (teams,
membership)
- Support functionality for common tasks (e.g. propagating access rights along a folder
hierarchy)
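The following added example is not ice.NET code or its API. It is a minimal Python model of the two ideas described above: an ACL attached to the "Repository.PackageCreate" application function, and an effective-rights query that follows team membership. The class, the method names, the "execute" right, the allow-only grants, and the step that gives the creator rights on the new package are assumptions made for illustration.

```python
# Added illustration: a minimal model, not ice.NET's API. All names except
# "Repository.PackageCreate" are hypothetical; grants are allow-only.
from collections import defaultdict


class AuthzModel:
    def __init__(self):
        self.member_of = defaultdict(set)  # principal -> teams it belongs to
        self.acls = defaultdict(dict)      # item -> {principal: set of rights}

    def add_member(self, principal, team):
        self.member_of[principal].add(team)

    def grant(self, item, principal, *rights):
        self.acls[item].setdefault(principal, set()).update(rights)

    def principals_of(self, user):
        """The user plus every team reached through (nested) membership."""
        seen, stack = set(), [user]
        while stack:
            p = stack.pop()
            if p not in seen:              # guards against membership cycles
                seen.add(p)
                stack.extend(self.member_of[p])
        return seen

    def effective_rights(self, user, item):
        """Union of rights granted on item to the user or any of its teams."""
        acl = self.acls.get(item, {})
        rights = set()
        for p in self.principals_of(user):
            rights |= acl.get(p, set())
        return rights

    def create_package(self, user, name):
        # No package exists yet, so the check targets the function's ACL.
        if "execute" not in self.effective_rights(user, "Repository.PackageCreate"):
            raise PermissionError(f"{user} may not create packages")
        # Assumption: the creator is seeded into the new package's own ACL,
        # which governs modify and delete from here on.
        self.grant(name, user, "modify", "delete")
        return name


def demo():
    m = AuthzModel()
    m.add_member("alice", "modelers")        # constructed sample data
    m.add_member("modelers", "engineering")  # nested team
    m.add_member("engineering", "modelers")  # deliberate cycle
    m.grant("Repository.PackageCreate", "engineering", "execute")
    m.create_package("alice", "pkg.billing")
    return m
```

In this model a user with no grant, direct or inherited, on the application function is refused before any package ACL is created.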