ACL Subtrees
Related project ACLs may be structured in a subtree, for example:
mks:si:project:id:Orion_Program
mks: si: project:id:Orion_Program:DemoApp
mks:si: project:id:Orion_Program:DemoDatabase
When evaluating access controls, the Integrity Lifecycle Manager server searches upwards through the ACL hierarchy to find the most specific permissions that apply to a user or group. For example, a project’s ACL might allow a specific user DropMember, the permission of dropping a member, which would be considered more specific than if higher up the subtree the permission is denied for a wider group.
This nesting structure allows you to delete a group of related ACLs in a single step. For details, see
“ACL Subtrees”.
When deleting ACLs, ACL entries, or ACL subtrees, be sure your selection is correct. Deletion is permanent—there is no way to revert this command, and you must recreate ACLs if you accidentally delete the wrong ones.