User Access Control

TIBCO ActiveSpaces security provides user access control for the operations on a metaspace or space. User access control allows you to control which TIBCO ActiveSpaces operations a user is allowed to perform. User access can be allowed or denied for the following permissions:

read
 Allows reading the contents of a space. The tuple_get operation requires read access. Get browsers also require read access.

Read is the minimum permission required on any scope, because it implies the right to connect to a metaspace.

write
 Allows writing data to a space. Examples of operations that require write access are:
  • put
  • take
  • lock
  • unlock

 Take browsers, lock browsers, and transactions also require write access.

 Write permission implies that a user also has read permission, because most ActiveSpaces operations that write to a space must first be able to read data from the space. For example, to take a tuple from a space, an application must first do a read to find the tuple before it can remove the tuple.

invoke
 Allows the user to perform remote invocations on a space.
seeder
 Allows the user to seed tuples.
encrypt
 Allows the user to encrypt tuples.

You can grant or deny a user all of the permissions listed above by specifying one of the following:

  • grant_all
  • deny_all

You can also arrange users into groups and apply permissions to all users in a group, or to the users in several groups. You can also specify which spaces in a metaspace the permissions for users and groups apply to.

Permissions can be applied for:

  • A single metaspace and space
  • All spaces in a metaspace
  • A particular space name in any metaspace
  • All metaspaces and spaces
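The following is an added example, not TIBCO's code and not the syntax of the ActiveSpaces security policy file. It models the permission semantics described above in plain Python so the rules can be checked against a sample policy: the five permissions, the grant_all and deny_all keywords, user and group principals, the four scope forms (a wildcard stands for "any metaspace" or "any space"), the rule that write implies read, and the rule that read is the minimum permission because it is what allows a connection. One point the page does not state and this model assumes: when a matching rule denies a permission that another matching rule grants, the deny wins. The policy entries and user names are constructed for the example.

```python
from dataclasses import dataclass

# Permission names taken from the page.
ALL_PERMISSIONS = frozenset({"read", "write", "invoke", "seeder", "encrypt"})

# Operation -> permission it requires, as described on the page.
OPERATION_PERMISSION = {
    "get": "read",
    "put": "write",
    "take": "write",
    "lock": "write",
    "unlock": "write",
    "invoke": "invoke",
    "seed": "seeder",
    "encrypt": "encrypt",
}


@dataclass(frozen=True)
class AclEntry:
    """One access-control rule in this hypothetical model (not the product's policy-file format)."""
    principal: str                      # "user:<name>" or "group:<name>"
    metaspace: str                      # concrete metaspace name, or "*" for any metaspace
    space: str                          # concrete space name, or "*" for any space
    grant: frozenset = frozenset()      # permission names or the keyword "grant_all"
    deny: frozenset = frozenset()       # permission names or the keyword "deny_all"


def expand_keywords(perms):
    """Translate grant_all / deny_all into the full permission set; reject unknown names."""
    out = set()
    for p in perms:
        if p in ("grant_all", "deny_all"):
            out |= ALL_PERMISSIONS
        elif p in ALL_PERMISSIONS:
            out.add(p)
        else:
            raise ValueError(f"unknown permission {p!r}")
    return out


def scope_matches(entry, metaspace, space):
    """A rule applies when both its metaspace and space parts match (wildcard or exact name)."""
    return entry.metaspace in ("*", metaspace) and entry.space in ("*", space)


def effective_permissions(user, groups, entries, metaspace, space):
    """Permissions a user holds on one space, combining direct rules and group rules."""
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    granted, denied = set(), set()
    for e in entries:
        if e.principal in principals and scope_matches(e, metaspace, space):
            granted |= expand_keywords(e.grant)
            denied |= expand_keywords(e.deny)
    # Page rule: write implies read. Applied before the deny step so an explicit deny of read still holds.
    if "write" in granted:
        granted.add("read")
    # Assumption of this model: an explicit deny in any matching rule overrides a grant.
    effective = granted - denied
    # Page rule: read is the minimum permission; without it the user cannot connect, so nothing is usable.
    if "read" not in effective:
        return frozenset()
    return frozenset(effective)


def is_allowed(user, groups, entries, metaspace, space, operation):
    """True when the permission required by `operation` is in the user's effective set."""
    return OPERATION_PERMISSION[operation] in effective_permissions(user, groups, entries, metaspace, space)


# Constructed sample policy exercising each scope form from the page.
SAMPLE_POLICY = [
    AclEntry("group:readers", "*", "*", grant=frozenset({"read"})),        # all metaspaces and spaces
    AclEntry("group:writers", "ms1", "*", grant=frozenset({"write"})),     # all spaces in metaspace ms1
    AclEntry("user:alice", "ms1", "orders", grant=frozenset({"invoke"})),  # one metaspace and space
    AclEntry("user:bob", "*", "audit", deny=frozenset({"deny_all"})),      # space named audit in any metaspace
    AclEntry("user:carol", "*", "*", grant=frozenset({"grant_all"})),
]

if __name__ == "__main__":
    for user, groups, ms, sp, op in [
        ("alice", ["readers", "writers"], "ms1", "orders", "take"),
        ("alice", ["readers", "writers"], "ms2", "orders", "put"),
        ("bob", ["readers", "writers"], "ms1", "audit", "get"),
        ("carol", [], "ms9", "anything", "encrypt"),
    ]:
        print(user, ms, sp, op, "->", is_allowed(user, groups, SAMPLE_POLICY, ms, sp, op))
```

Running the script shows that alice's write on ms1 (via the writers group) lets her take from ms1/orders but not put to ms2/orders, that bob's deny_all on any space named audit removes even the read he gets from the readers group, and that carol's grant_all covers every operation on every space.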

User access control works in conjunction with user authentication. Do not enable authorization (access control) unless user authentication is enabled.

See User Authentication for information on how to configure the security policy file to enable user authentication.

Attention: Remember that ACLs are enforced according to the definitions in the policy file, not the settings in the LDAP server, if you have used one for authentication.