Controlling Read/Update Access
The mks:aa:mks ACL controls the ability to read (or view) and update the ACL system. For this reason it is important that you, as administrator, control the permissions assigned to users within this ACL.
The two permissions controlled through mks:aa:mks are Read and Update. The Read permission allows a user to view the ACL system and assigned permissions, while the Update permission allows a user to make changes to the system, such as allowing or denying permissions, or deleting entire ACLs.
As a general rule, only an administrator, or administrative group, should have access to updating or modifying the ACLs. Depending on the workflow at your site, you may also want to restrict viewing access to the ACLs.
The following procedures detail the steps required to revise the Read and Update permissions.
Keep in mind the important distinction between clearing and denying a permission. Based on inheritance, an explicitly denied permission takes precedence, even if that permission is allowed through another principal. When you clear a permission, that permission can still be explicitly allowed through another principal.
In controlling read and update access, the sequence of operations is extremely important. First, you must ensure that, as administrator, you have assigned yourself both the Read and Update permissions and that you retain these permissions after any other changes to the ACL system. Only then can you clear those permissions for the everyone group.
To revise Read/Update permissions using the Integrity Lifecycle Manager administration client:
1. From the Integrity Lifecycle Manager administration client, open the > view, and click ACL. The display pane shows the mks:aa:mks ACL. Remember, ACL entries consist of principals and permissions. In this case, the assigned permissions are Read and Update.
2. You should first add a new ACL entry that gives you or your administrator group full access to reading and updating the ACLs. To add a new ACL entry, select > from the main menu. A panel displays the default permissions for the mks:aa:mks ACL.
3. To add a new ACL entry, select > . The Select Principal dialog box displays.
4. From the Principal list, select the administrative group or user you want to add the new ACL entry for, and click OK. The Change Permissions dialog box displays.
Once you add a principal, you can edit the associated permissions at any time by selecting the required option from the ACL menu or by right-clicking and choosing the required option from the shortcut menu. Menu options include Allow Permission, Deny Permission, and Clear Permission.
5. To allow the selected administrative user or group the permissions for both read and update, change the permissions for the target administrative group or user in mks:aa:mks, and click Allow All to allow both read and update permissions.
6. To accept the changes, click OK. The new ACL entry for the administrator displays.
7. Clear the Update permission for the everyone group. To view the permissions for the everyone group, highlight ACL Control, and select > from the main menu. A panel displays the default permissions for the everyone group in the mks:aa:mks ACL.
8. To clear the Update permission for the everyone group, highlight everyone, and select > . The Change Permissions dialog box displays.
In the default condition, both the Read and Update permissions are allowed for the everyone group.
9. To clear the Update access permission for the everyone group, click the indicator box for Update and toggle through the condition indicator until the box is blank, indicating a cleared condition.
When setting mks:aa:mks ACL permissions for the everyone group, be careful that you only clear the permissions.
Do not deny permissions to the everyone group—this effectively denies permission to all users, including any administrator included in that group. Denial of read and update access to the administrator means that you cannot access the ACL database.
You may also want to consider clearing the Read permission for the everyone group if you do not want users to view the ACL system.
10. To accept the changes and return to the main Integrity Lifecycle Manager administration client interface, click OK. The Update permission is now clear for the everyone group and explicitly allowed only for the administrator.
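The clear-versus-deny distinction and the ordering requirement described above can be checked with a small model before touching the live ACL. This is an added example, not code from the product: it assumes only the rule stated on this page (an explicit deny on any principal wins, otherwise any allow grants) plus an assumed default of "not granted" when nothing allows; the user and group names are hypothetical.

```python
# Simplified model of the rule stated on this page (an assumption, not product code):
# a permission explicitly denied to any of a user's principals wins; otherwise it is
# granted if any principal allows it; a cleared permission is simply absent.
ALLOW, DENY = "allow", "deny"

def effective(acl, principals, permission):
    """Resolve one permission for a user who holds the given principals."""
    states = [acl.get(p, {}).get(permission) for p in principals]
    if DENY in states:
        return False          # explicit deny takes precedence
    return ALLOW in states    # cleared everywhere -> not granted (assumed default)

def apply_change(acl, principal, permission, state):
    """Return a copy of the ACL with one entry allowed, denied, or cleared (state=None)."""
    new = {p: dict(perms) for p, perms in acl.items()}
    entry = new.setdefault(principal, {})
    if state is None:
        entry.pop(permission, None)
    else:
        entry[permission] = state
    return new

def locks_out(acl, admin_principals):
    """True if the admin would lose Read or Update on mks:aa:mks."""
    return not all(effective(acl, admin_principals, p) for p in ("Read", "Update"))

# Constructed sample: default state, everyone has Read and Update allowed.
default_acl = {"everyone": {"Read": ALLOW, "Update": ALLOW}}
admin = ["alice", "admins", "everyone"]   # hypothetical user and group names
user = ["bob", "everyone"]

# Correct order: allow the admin group first, then clear Update for everyone.
step1 = apply_change(apply_change(default_acl, "admins", "Read", ALLOW), "admins", "Update", ALLOW)
cleared = apply_change(step1, "everyone", "Update", None)

# Mistake the page warns about: denying instead of clearing.
denied = apply_change(step1, "everyone", "Update", DENY)

# Wrong order: clearing everyone before the admin entry exists.
wrong_order = apply_change(default_acl, "everyone", "Update", None)

if __name__ == "__main__":
    for name, acl in [("cleared", cleared), ("denied", denied), ("wrong order", wrong_order)]:
        print(f"{name:12} admin locked out: {locks_out(acl, admin)}  "
              f"user can update: {effective(acl, user, 'Update')}")
```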