It is important you understand the difference between the Authorization Administration ACL and the default ACL used for configuration management.

The mks:aa:mks ACL controls access to the other ACLs through the Read and Update permissions. Similarly, the mks:aa ACL is shipped with a restricted permission set that controls management to the ACLs through the Login permission.

Once you restrict access to those using the Authorization Administration ACL, you can then manage the ACLs used by workflows and documents, and configuration management.

There are also predefined ACLs for both workflows and documents, and configuration management. Workflow and document permissions are accessed through the mks:im ACL, while configuration management permissions are accessed through the mks:si ACL.

If you leave these as the only ACL entries, then any user who is authorized to use workflows and documents, or configuration management can perform all operations. This is the simplest implementation, of course, but also the lowest level of control. Examine your organization’s security policy when implementing the appropriate restrictions.

The available permissions are detailed in “Workflow and Document Permissions”, and in “Configuration Management Permissions”.