Copyright © TIBCO Software Inc. All Rights Reserved
• read Allows reading the contents of a space. The tuple_get operation requires read access. Get browsers also require read access.
• write Allows writing data to a space. Examples of operations that require write access are:
• invoke Allows performing remote invocations on a space.
• seeder Allows the user to seed tuples.
• encrypt Allows the user to encrypt tuples.
• See User Authentication for information on how to configure the security policy file to enable user authentication.

The following example shows the format of the access_control setting in the security policy file:

To group users so that permissions can easily be applied to multiple users, you must define each group of users that you want to apply permissions to in the security policy file. Locate the groups heading in the security policy file and add a line after it for each group of users. For example, specify the following:

Once you have defined your user groups, you can apply permissions to each group of users or to single users. Locate the permissions heading in the security policy file and add a permissions declaration after it for each metaspace or space whose access you want to control. A permissions declaration has the following format:

<<metaspace name>|<space name>|<metaspace name>/<space name>> <<user name>|<group name>>=<permission>,...

where permission can be any of the following:
• Scope rule When an access control list (ACL) is enabled, any connection request to a metaspace must be associated with a valid space-level permission entry, which implicitly grants access to the metaspace. The minimum permission required on any scope is read, which implies the right to connect to a metaspace.
• Denial rule A deny_all declaration for a user or group takes ultimate precedence over any other permission declaration that might apply to the same user or group.
• Ambiguity rule If there are multiple permissions that can be applied to a metaspace or space, then the permissions declaration that explicitly names the metaspace or space takes precedence over any permissions declarations that use a wildcard character (*).
• Owner rule If there are multiple permissions that can be applied to a user, the permissions declaration that explicitly names the user takes precedence over any permissions declarations applied to a group that the user is a member of.
• Order rule If after applying the above rules there is still more than one permission that applies to the authenticated user’s context, the effective privilege is retrieved from the most recent (lowest) matching permission in the table.
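To see how the five rules combine, the following added example (not TIBCO's code) parses permissions declarations in the format shown above and resolves the effective permission set for a user, applying the denial, ambiguity, owner and order rules in the order listed. The policy table, user names and group names are constructed, and treating "*" as a glob-style wildcard in scope names is an assumption.

```python
# Added example (not TIBCO's code): evaluates "<scope> <user|group>=<permission>,..."
# declarations, applying the denial, ambiguity, owner and order rules in the order
# the page lists them. Policy text, users and groups are constructed samples.
from fnmatch import fnmatchcase

def parse_permissions(text):
    """Return (scope, principal, perms) tuples in file order; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            scope, rest = line.split(None, 1)
            principal, perms = rest.split("=", 1)
            entries.append((scope, principal.strip(), {p.strip() for p in perms.split(",")}))
    return entries

def scope_matches(pattern, metaspace, space):
    """A scope names a metaspace, a space or metaspace/space; '*' is a wildcard (assumed glob)."""
    return any(fnmatchcase(s, pattern) for s in (metaspace, space, f"{metaspace}/{space}"))

def effective_permissions(entries, metaspace, space, user, groups=()):
    """Resolve the permission set for user (a member of groups) on metaspace/space."""
    matching = [e for e in entries
                if scope_matches(e[0], metaspace, space) and (e[1] == user or e[1] in groups)]
    if not matching:
        return set()                             # no entry at all: no access
    if any("deny_all" in e[2] for e in matching):
        return set()                             # denial rule: deny_all always wins
    explicit = [e for e in matching if "*" not in e[0]]
    if explicit:
        matching = explicit                      # ambiguity rule: named scope beats wildcard
    by_user = [e for e in matching if e[1] == user]
    if by_user:
        matching = by_user                       # owner rule: named user beats group
    return set(matching[-1][2])                  # order rule: most recent (lowest) entry

def can_connect(perms):
    """Scope rule: read is the minimum permission and implies the right to connect."""
    return "read" in perms

SAMPLE_POLICY = """\
* developers=read,write
ms1/orders developers=read
ms1/orders alice=read,write,invoke
ms1/orders bob=deny_all
ms1/* carol=read
ms1/* carol=read,seeder
"""
ENTRIES = parse_permissions(SAMPLE_POLICY)
```

Note that carol, although named explicitly, gets only read on ms1/orders: the ambiguity rule prefers the explicit ms1/orders entry for her group over her own wildcard entries before the owner rule is considered.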