Guidelines for Configuring Access Control

A project’s access control file is an XML file named RMSProjectName.ac.

The ACL file is stored in the directory specified by the RMS.cdd property ws.projects.acl.location.

In the access control file resources element, you can create resource elements to define groups of resources to suit your needs. Give each resource element an ID. In the entries element, add one entry element for each user role to define the access permissions for that role, using the resource IDs and action elements. This brief summary is provided so you can understand the following guidelines. For details, see Structure of the Access Control File.

After migrating a project from an earlier version to TIBCO BusinessEvents version 6.0.0, make sure that you rename the resource SHAREDASCON (if it is configured in the .ac file) to SHAREDASLEGACY in the RMSProjectName.ac file.

Note: If a role name contains an XML special character, escape it in the access control file with the corresponding XML entity:
  • "&" as "&amp;"
  • "'" as "&apos;"

You can use two general approaches to setting permissions. The general aim is to simplify the setup, minimizing the number of permissions you have to set in the access control file.

Allow everything and specify exceptions

One approach is to grant wide permissions using large resource groupings, and then selectively deny permissions within those groupings.

For example, suppose you define two resources as follows:

<resource name="/Concepts/*" id="AllP" type="PROPERTY"/>
<resource name="/Concepts/Person/CustID" id="CID" type="PROPERTY"/>

The first resource element defines a resource group consisting of all concept properties in the /Concepts project folder. The second element specifies one property in one concept. (The setup details are explained later in the chapter.)

Then you define permissions using those resources. For example, for a role named CallCenter you might set up permissions as follows:

<entry>
  <role name="CallCenter"/>
  <permissions>
    <permission resourceref="#AllP">
      <action type="read">ALLOW</action>
    </permission>
    <permission resourceref="#CID">
      <action type="read">DENY</action>
    </permission>
  </permissions>
</entry>

With these settings, users with the CallCenter role have read permission for all properties in the /Concepts folder except the CustID property of the Person concept.

Tip: An example of an access control file (CreditCardApplication.ac), giving all permissions available for the credit card application example, is located in the following directory: BE_HOME\rms\config\security

Deny everything and specify exceptions

Another approach is to deny all permissions (which is the default setting for all permissions) and then give permissions to specific resources or groups of resources as needed.

Combining two approaches

You can combine these two approaches in one access control file. For example, you can give broad permissions to one project folder, and then specify exceptions within that folder. For another folder you might give permissions selectively.
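As an added example, not part of this documentation and not TIBCO's own implementation, the following Python script parses a constructed access control file that contains the two resources and the CallCenter entry shown above plus a second role, and resolves the effective decision for a given role, resource and action. It illustrates all three approaches: broad ALLOW on /Concepts/* with a DENY exception on /Concepts/Person/CustID, default DENY for anything no entry covers, and a second role that is granted one resource selectively. The root element name accesscontrol, the precedence rule (the most specific matching resource name wins) and the default of DENY when no permission matches are assumptions made for this example; the escape_role_name helper shows the &amp;/&apos; substitution required for role names.

```python
"""Resolve effective permissions from a TIBCO-style RMS access control file.

Added example, not TIBCO code. Assumptions: the root element is named
<accesscontrol>, the most specific matching resource name decides, and
anything no permission covers is DENY (the documented default).
"""
import fnmatch
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def escape_role_name(name):
    """Escape a role name for use in the .ac file: & -> &amp;, ' -> &apos;."""
    return escape(name, {"'": "&apos;"})


# Constructed sample ACL. The "Sales &amp; Support" role shows the escaping
# required for an ampersand in a role name.
SAMPLE_ACL = """<accesscontrol>
  <resources>
    <resource name="/Concepts/*" id="AllP" type="PROPERTY"/>
    <resource name="/Concepts/Person/CustID" id="CID" type="PROPERTY"/>
    <resource name="/Events/Order/Amount" id="AMT" type="PROPERTY"/>
  </resources>
  <entries>
    <entry>
      <role name="CallCenter"/>
      <permissions>
        <permission resourceref="#AllP"><action type="read">ALLOW</action></permission>
        <permission resourceref="#CID"><action type="read">DENY</action></permission>
      </permissions>
    </entry>
    <entry>
      <role name="Sales &amp; Support"/>
      <permissions>
        <permission resourceref="#AMT"><action type="read">ALLOW</action></permission>
      </permissions>
    </entry>
  </entries>
</accesscontrol>
"""


def load_acl(xml_text):
    """Return (resources, roles): id -> (name, type) and role -> [(id, action, decision)]."""
    root = ET.fromstring(xml_text)
    resources = {}
    for res in root.find("resources"):
        resources[res.get("id")] = (res.get("name"), res.get("type"))
    roles = {}
    for entry in root.find("entries"):
        role = entry.find("role").get("name")  # ElementTree unescapes &amp; for us
        perms = roles.setdefault(role, [])
        for perm in entry.find("permissions"):
            rid = perm.get("resourceref").lstrip("#")
            for action in perm.findall("action"):
                perms.append((rid, action.get("type"), action.text.strip().upper()))
    return resources, roles


def specificity(pattern):
    """Assumed precedence: more literal characters means a more specific resource."""
    return sum(1 for ch in pattern if ch not in "*?")


def effective(resources, roles, role, resource_type, path, action):
    """Decision (ALLOW/DENY) for role on path; DENY when nothing matches."""
    best = None
    for rid, atype, decision in roles.get(role, []):
        name, rtype = resources[rid]
        if rtype != resource_type or atype != action:
            continue
        # fnmatch "*" also spans "/", so "/Concepts/*" covers nested paths.
        if not fnmatch.fnmatchcase(path, name):
            continue
        spec = specificity(name)
        if best is None or spec > best[0]:
            best = (spec, decision)
    return best[1] if best else "DENY"


RESOURCES, ROLES = load_acl(SAMPLE_ACL)

if __name__ == "__main__":
    checks = [
        ("CallCenter", "/Concepts/Person/Name", "read"),
        ("CallCenter", "/Concepts/Person/CustID", "read"),
        ("CallCenter", "/Concepts/Person/Name", "write"),
        ("Sales & Support", "/Events/Order/Amount", "read"),
        ("Sales & Support", "/Concepts/Person/Name", "read"),
    ]
    for role, path, act in checks:
        print(f"{role:16} {act:5} {path:28} -> "
              f"{effective(RESOURCES, ROLES, role, 'PROPERTY', path, act)}")
```

Run the script to print the decision table; the write check and the second role's attempt on /Concepts show that anything not explicitly granted falls back to DENY, which is what makes the "deny everything and specify exceptions" approach require no explicit DENY entries at all.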