Skip to content

Using ACLs

Jump to bottom
Chris Millar edited this page Feb 3, 2025 · 29 revisions

Note that this feature is currently under development and not yet released

Each folder and document in DA can have Access Control definitions. This allows an administrator to specify who can see documents and who can edit.

Declaring ACLs

ACLs are declared on the owning organisation level configuration in a sheet called permissions. For example:

Screenshot 2025-01-29 at 22 03 30

Actions

Permissions are defined as actions on a per-path basis. Each path listed gives allowable actions to individual users or IMS groups. They are specified in the actions column:

  • read: the user can read resources for this path
  • write: the user can write resources for this path; write implies read permissions too
  • (nothing): the user does not have any permission for this path

Groups

Users/groups are specified in the groups column. This is a comma-separated list of user emails/IDs and/or IMS Org/IMS group tuples. The IMS IDs can also be used instead of the IMS descriptive name or email address.

The following values are possible:

  • email - e.g. [email protected] note that using this form means that the user can be in any organisation, including their personal one
  • IMS Org ID - e.g. FEDCBA987654321
  • IMS Org ID/IMS Group name - e.g. FEDCBA987654321/My Group 1
  • IMS Org ID/email - e.g. FEDCBA987654321/[email protected]

It's also possible to combine IMS names and IDs, for example using an IMS Org ID with an IMS Group Name: FEDCBA987654321/My Group 1.

Path syntax

The following syntax is supported for paths:

  • /project/dir/document1 - matches this specific document (document1). In the above screenshot [email protected] is given write access to the /project2/newsite/docs/factsheet document
  • /project/dir/sheet1.json - matches this specific sheet (sheet1)
  • /project/dir/img1.jpeg - matches this specific image (img1.jpeg). Also applies to PDFs, videos, audio files, etc.
  • /project/dir/subdir1 or /project/dir/subdir1/ - matches this specific folder (subdir1)
  • /project/dir/** - matches all documents and folders under /project/dir but does not match the dir folder itself. In the above screenshot [email protected] is given read access to all documents and folders under /project2/newsite/docs
  • /project/dir/+** or /project/dir/ + ** - matches all documents and folders under /project/dir including the dir folder itself. This effectively is the same as the previous item with the containing folder added. In the above screenshot users in the IMS group FEABC90912/IMS Group are given no access to /project2/newsite/notes and its subfolders and documents.
  • CONFIG - this special value governs the permissions for the owning organisation configuration.
  • ACLTRACE - this special permission can be (temporarily) given to a user to provide tracing information about the ACL matching. The tracing information is returned in the X-da-acltrace header on (HEAD/GET) requests for da-admin.

Note that there isn't any distinction between a folder and a document in how paths are evaluated. If it is necessary to distinguish between these, when there is a folder with the same name as a document, a document can also be addressed with its .html suffix: /project/dir/document1.html

The order of the rows in the sheet is not important. At runtime the paths are sorted by length and for each group the longest matching path is used.

Where 'documents' are mentioned above this means text documents, sheets and other resources such as PDFs, videos and audio files.

Process

To find a user's allowable actions the following process is used.

For each of the user's matching groups, the longest matching path for a requested resource is searched and the allowable actions are looked up. Once a matching path is found the searching stops for this group.

Then all actions found are merged into a set and returned.

As an example, let's assume that [email protected] is in FEABC90912/IMS Group and needs access to /project2/newsite/food/monday. The ACL lookup finds that FEABC90912/IMS Group has its longest path defined as /project2/newsite/+** with read permissions. The ACL lookup also finds that [email protected] has write permissions to /+** which is the longest matching path for the email address. The resulting action set for the requested resource is the union of these: read and write.

Getting Started

When starting a config sheet with permissions you should ALWAYS include the CONFIG permission in the sheet to give yourself config editing rights. Otherwise you could lock yourself and others out of the site!

You can start with copying this table and pasting it in the config sheet:

path groups actions
CONFIG [email protected] write

So that it looks like this with your email address: Screenshot 2025-01-09 at 16 15 44

For developers

DA provides a few affordances to convey the permissions for a given resource.

  • 401 Response Status - The user is anonymous and does not have access to the resource.
  • 403 Response Status - The user is logged in and does not have access to the resource.
  • x-da-actions Response Header - A hint to convey the read and write permissions of a resource.
    • Example: /da-bacom/customer-success-stories.html=read (read)
    • Example: /da-bacom/drafts/cmillar/testing123.html=read,write (read / write)
  • x-da-child-actions Response Header - A hint to convey the read and write permissions of a folders children. Only exposed in the list API.

Example

As an example let's walk through the above screenshot.

Lines:

  1. Both [email protected] and [email protected] have write permissions to the root of the MyOrg organisation. Having write permission also means they have read permission. This means that they can list all projects and they can have full access to any project not further specified in the ACL sheet. If we assume there was a /project3 then both have full write access to that.
  2. [email protected] has its permissions taken away for the /project1 project. So Joe can't access any documents or folders under /project1. As the .../+** syntax is used Joe can also not list the contents of the /project1 folder itself.
  3. Any user in FEABC90912/IMS Group or in 9013BB2A/IMS Group 2 has read access to /project2/newsite and it's subfolders and documents. Because the .../+** syntax is used these users also have rights to list the /project2/newsite folder itself. [email protected] and [email protected] already have write access to this folder and its subfolders. Even if they are in these IMS Org/Group the fact that they have write permission is not taken away as the write permission is granted on their email address.
  4. [email protected] is only given read access to subfolders and documents of /project2/newsite/docs. So this line takes away the write access from line 2 for these paths. Note that [email protected] still has write permission here.
  5. [email protected] is given write access to the /project2/newsite/docs/factsheet document, making this the only document in this folder (and subfolders) that this user has write access to.
  6. Users in FEABC90912/IMS Group do not have any permissions on the /project2/newsite/notes folder, subfolders and documents. So users in this group will not be able to list this folder or see any of its documents or subfolders. This reduces the permissions given to these users in line 4. Note that users in 9013BB2A/IMS Group 2 still have read permission here and also users that are in both will still have read permission as they are evaluated per group and the union of the results is taken. Also note that [email protected] [email protected] still have write permission to this path and its subpaths from line 2.
Clone this wiki locally