Enforcement of Administrator Permissions
An administrator can only perform actions for which the administrator has been granted permission. Any action that an administrator performs may be limited by the set of permissions granted to that administrator.
For example, an administrator has been granted the view permission on the foo.* destination. This administrator has not been granted the global view-destination permission. The administrator is only able to view destinations that match the foo.* parent destination. If this administrator is granted the global view-acl permission, the administrator is only able to view the access control list for destinations that match the foo.* parent. Any access control lists for other destinations are not displayed when the administrator performs the showacl topic or showacl queue commands.
If the administrative user attempts to execute a command without permission, the user may either receive an error or simply see no output. For example, if the administrator issues the showacl queue bar.foo command, the administrator receives a “Not authorized to execute command” error because the administrator is not authorized to view any destination except those that match foo.*.
change-user permission.
An administrator can always view his/her own permissions by issuing the showacl username command, even if the administrator is not granted the view-acl permission.
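The following Python model is an added illustration of the rules above, not code from the product. It shows the two failure modes (error on an explicit out-of-scope request, silent omission in a listing) and the own-permissions exception. The names Admin, showacl_dest, visible_acls and showacl_user, the sample ACL entries, the single-element meaning of "*", and the behavior marked as assumed in the comments are all assumptions; queues and topics are not distinguished.

```python
# Toy model of the enforcement rules on this page; not TIBCO EMS code.
NOT_AUTHORIZED = "Not authorized to execute command"

def matches(pattern, name):
    # Assumption: '*' stands for exactly one dot-separated element.
    p, n = pattern.split("."), name.split(".")
    return len(p) == len(n) and all(a in ("*", b) for a, b in zip(p, n))

class Admin:
    def __init__(self, name, global_perms=(), view_patterns=()):
        self.name = name
        self.global_perms = set(global_perms)     # e.g. {"view-acl"}
        self.view_patterns = list(view_patterns)  # destination-level view grants

    def can_view(self, dest):
        return ("view-destination" in self.global_perms
                or any(matches(p, dest) for p in self.view_patterns))

def showacl_dest(admin, acls, dest):
    """Explicit request for one destination: out of scope is an error."""
    # Assumption: a caller without view-acl is refused outright.
    if "view-acl" not in admin.global_perms or not admin.can_view(dest):
        raise PermissionError(NOT_AUTHORIZED)
    return [e for e in acls if e[0] == dest]

def visible_acls(admin, acls):
    """Listing: entries outside the caller's scope are silently omitted."""
    if "view-acl" not in admin.global_perms:
        return []
    return [e for e in acls if admin.can_view(e[0])]

def showacl_user(admin, acls, username):
    """An administrator's own entries are always visible."""
    if username == admin.name:
        return [e for e in acls if e[1] == username]
    # Assumption: other users' entries go through the scoped listing.
    return [e for e in visible_acls(admin, acls) if e[1] == username]

# Constructed sample ACL entries: (destination, user, permissions)
ACLS = [
    ("foo.bar", "alice", "send,receive"),
    ("foo.baz", "bob", "receive"),
    ("bar.foo", "alice", "send"),
    ("bar.foo", "admin1", "receive"),
    ("foo.bar", "admin2", "receive"),
]
admin1 = Admin("admin1", global_perms={"view-acl"}, view_patterns=["foo.*"])
admin2 = Admin("admin2", view_patterns=["foo.*"])  # no view-acl at all
```

When reviewing an administrator's grants, an empty listing is therefore not evidence that no ACLs exist; it may only mean the entries fall outside that administrator's view scope.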