Access Control File

To store access control information, the Trusted model uses an ASCII file. Two sample access control files are included with TIBCO Hawk: Trusted.txt and TrustedWithDomain.txt.

Sample access control files are shipped with the TIBCO Hawk software, in the directory HAWK_HOME/examples/security/.

Trusted.txt

This access control file can be used with UNIX or with Microsoft Windows XP.

The user for authorization is the login ID of the TIBCO Hawk Display owner.

TrustedWithDomain.txt

This file can only be used with Microsoft Windows XP, and only when it is specified in the command used to start the TIBCO Hawk Agent and Display, as in -security_policy COM.TIBCO.hawk.security.trusted.TrustedWithDomain.

The user is the login ID qualified by the domain where the user is logged on. For example, for user1 in domainX, the user is domainX\user1.

Group Operations

A group operation effectively performs a method invocation simultaneously on all of the specified target microagents. It is useful for affecting a group of microagents in a single operation. There are two kinds of group operation: network query and network action.

The wildcard characters + and * affect permissions on group operations and point-to-point invocations, as shown in the Access Control File Settings table.

Use + in the Node column to allow access to all nodes, including group operations.
Use * in the Node column to allow access to all nodes for point-to-point invocations only.
Use + in the Method column to allow access to all INFO and ACTION methods.
Use * in the Method column to allow access to INFO methods only.

In a restriction line (a line whose user name is prefixed with !) the same characters have the complementary meanings listed in the table: for example, + in the Node column of a restriction denies only group operations, while * denies both group and point-to-point invocations.

Access Control File Conventions

The access control file uses the following conventions to grant or deny access.

Explicit access for a particular resource implicitly denies access to all other resources in the same class. The defined classes are nodes, microagents, and methods. For example, granting a user access to one named node grants nothing on any other node.
Explicit restriction for a particular resource does not by itself grant anything: the other resources in the same class remain accessible only where they have been explicitly granted.
Permissions always default to the most restrictive case. A resource that is neither granted nor restricted is inaccessible, and where a grant and a restriction both cover the same resource, the restriction wins.

File Settings for the Trusted Model

This table presents how individual restrictions and permissions are defined for nodes, microagents, and methods. Individual node, microagent, and method names can be specified. In addition, wildcard characters can be used as shown in the table.

Each individual setting is represented by one line in the access control file. Complex permissions and restrictions can be defined using sets of related lines. For example, you can give a user access to all methods on a node in one line, then in the following line restrict that user's access to one of those methods. See Disable Custom Microagent for further details.

Permissions are granted to a user using the user name. Restrictions are defined by prefixing a bang (!) character to the user name, as shown in the table.

Access Control File Settings

A cell shown as (blank) is left empty in the file. Each row describes one line; the description under the row gives its effect.

Effect                         User     Node     Microagent     Method
-----------------------------  -------  -------  -------------  --------
Full Access                    <user>   (blank)  (blank)        (blank)
    Grants full access to all methods on all microagents on all nodes,
    including group operations.

Full Restriction               !<user>  (blank)  (blank)        (blank)
    Denies access to all methods on all microagents on all nodes,
    including group operations.

Node Access: All Nodes         <user>   +        (blank)        (blank)
    Grants point-to-point and group operation invocation access to all
    methods on all microagents.

Node Access: All Nodes         <user>   *        (blank)        (blank)
    Grants point-to-point invocation access to all methods on all
    microagents. Does not grant group operation invocation access.

Node Access: Named Node        <user>   <node>   (blank)        (blank)
    Grants invocation access to all methods on all microagents on the
    named node. You can add several lines for one user to provide access
    to a set of nodes.

Node Restriction: All Nodes    !<user>  *        (blank)        (blank)
    Denies point-to-point and group operation invocation access to all
    methods on all microagents.

Node Restriction: All Nodes    !<user>  +        (blank)        (blank)
    Denies group operation invocation access to all methods on all
    microagents. Does not deny point-to-point invocations.

Node Restriction: Named Node   !<user>  <node>   (blank)        (blank)
    Denies invocation access to all methods on all microagents on the
    named node. You can add several lines for one user to restrict
    access to a set of nodes.

Microagent Access              <user>   <node>   <microagent>   (blank)
    Grants access to all methods on the specified microagent. Wildcard
    characters can be used in place of a specific node name; see Node
    Access above.

Microagent Restriction         !<user>  <node>   <microagent>   (blank)
    Denies access to all methods on the specified microagent. Wildcard
    characters can be used in the Node column; see Node Restriction above.

Method Access                  <user>   <node>   <microagent>   +
    Grants access to all ACTION and INFO methods on the specified
    microagent (but not ACTION_INFO methods). Wildcard characters can be
    used in the Node and Microagent columns.

Method Access                  <user>   <node>   <microagent>   *
    Grants access to all INFO methods on the specified microagent (but
    not ACTION or ACTION_INFO methods). Wildcard characters can be used
    in the Node and Microagent columns.

Method Access                  <user>   <node>   <microagent>   <method>
    Grants access to the specified method on the specified microagent.
    Wildcard characters can be used in the Node and Microagent columns.

Method Restriction             !<user>  <node>   <microagent>   *
    Denies access to all methods on the specified microagent. Wildcard
    characters can be used in the Node and Microagent columns.

Method Restriction             !<user>  <node>   <microagent>   +
    Denies access to all ACTION and ACTION_INFO methods on the specified
    microagent. Wildcard characters can be used in the Node and
    Microagent columns.

Method Restriction             !<user>  <node>   <microagent>   <method>
    Denies access to the specified method on the specified microagent.
    Wildcard characters can be used in the Node and Microagent columns.
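The following is an added example, not TIBCO Hawk's own code: a small Python evaluator that applies the wildcard rules from Group Operations and the settings in the table above to sample requests, so the interaction of grants, restrictions and the + and * wildcards can be checked line by line. Several points are assumptions rather than facts stated on this page: that each line consists of whitespace-separated columns in the table's order (user, node, microagent, method) with # starting a comment; that a request is authorized only when some grant line matches it and no restriction line matches it, regardless of line order; and that * and + in the Microagent column both mean any microagent. Every user, node, microagent and method name in the sample file is constructed.

```python
"""Evaluate requests against a Trusted-model style access control file.

Added example, not TIBCO Hawk's own code. Assumed here, not stated on the page:
one setting per line, whitespace-separated, in the table's column order
(user, node, microagent, method), '#' starting a comment; a request is
authorized only if some grant line matches and no restriction line matches,
regardless of line order; '*' and '+' in the Microagent column mean "any".
"""
from dataclasses import dataclass
from typing import List, Optional

INFO, ACTION, ACTION_INFO = "INFO", "ACTION", "ACTION_INFO"

@dataclass(frozen=True)
class Rule:
    deny: bool                 # user column carried a '!' prefix
    user: str
    node: Optional[str]        # None: column left blank
    microagent: Optional[str]
    method: Optional[str]

@dataclass(frozen=True)
class Request:
    user: str
    node: str
    microagent: str
    method: str
    method_type: str = INFO    # INFO, ACTION or ACTION_INFO
    group: bool = False        # True for a network query or network action

def parse_acl(text: str) -> List[Rule]:
    """One Rule per non-blank line; missing trailing columns become None."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) > 4:
            raise ValueError(f"line {lineno}: more than four columns")
        user, node, microagent, method = cols + [None] * (4 - len(cols))
        deny = user.startswith("!")
        rules.append(Rule(deny, user[1:] if deny else user, node, microagent, method))
    return rules

def _node_matches(rule: Rule, req: Request) -> bool:
    col = rule.node
    if col is None:            # blank: all nodes, group operations included
        return True
    if col == "+":             # grant: all nodes incl. group ops; restriction: group ops only
        return req.group if rule.deny else True
    if col == "*":             # grant: all nodes, point-to-point only; restriction: both
        return True if rule.deny else not req.group
    return not req.group and col == req.node    # named node, point-to-point only

def _microagent_matches(rule: Rule, req: Request) -> bool:
    return rule.microagent in (None, "*", "+") or rule.microagent == req.microagent

def _method_matches(rule: Rule, req: Request) -> bool:
    col = rule.method
    if col is None:            # blank: every method
        return True
    if col == "*":             # grant: INFO only; restriction: every method
        return True if rule.deny else req.method_type == INFO
    if col == "+":             # grant: INFO and ACTION; restriction: ACTION and ACTION_INFO
        return req.method_type in ((ACTION, ACTION_INFO) if rule.deny else (INFO, ACTION))
    return col == req.method   # named method

def authorized(rules: List[Rule], req: Request) -> bool:
    """Default deny; a matching restriction overrides any matching grant."""
    granted = denied = False
    for r in rules:
        if (r.user == req.user and _node_matches(r, req)
                and _microagent_matches(r, req) and _method_matches(r, req)):
            if r.deny:
                denied = True
            else:
                granted = True
    return granted and not denied

# Constructed sample file; every user, node, microagent and method name is hypothetical.
SAMPLE_ACL = """\
alice                                # full access, group operations included
!bob                                 # full restriction
carol   *                            # all nodes, point-to-point only
dave    hostA                        # two lines build up a set of nodes
dave    hostB
erin    *      Sys     +             # INFO and ACTION methods on Sys, not ACTION_INFO
grace   *      Sys     *             # INFO methods on Sys only
frank   hostA                        # every method on hostA ...
!frank  hostA  Custom  stopService   # ... except this one
hank    +                            # all nodes including group operations ...
!hank   +                            # ... then group operations taken away again
"""
RULES = parse_acl(SAMPLE_ACL)

def allowed(user, node, microagent, method, method_type=INFO, group=False) -> bool:
    return authorized(RULES, Request(user, node, microagent, method, method_type, group))
```

The frank lines reproduce the two-line pattern described under File Settings for the Trusted Model (grant every method on a node, then restrict one method), and the hank lines show the asymmetry of + between a grant and a restriction: after both lines, hank can still invoke methods point-to-point on any node but can no longer run a network query or network action. A user with no line at all, and any request outside the granted classes, fall through to the default deny.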