Skip to content

Using ACLs

Jump to bottom
David Bosschaert edited this page Dec 18, 2024 · 29 revisions

Note that this feature is currently under development and not yet released

Each folder and page in DA can have access control permissions. This allows an administrator to specify who can see pages and who can edit.

Declaring ACLs

ACLs are declared on the owner organisation level configuration in a sheet called permissions.

Screenshot 2024-12-18 at 10 53 27

Actions

Permissions are defined as actions on a per-path basis. Each path listed gives permissions to individual users or IMS groups. The following permissions can be given in the actions column:

  • read: the user can read resources on the path
  • write: the user can write resources on the path; write implies read permissions too
  • (nothing): the user does not have any permission on the path

Groups

Users/groups are specified in the groups column. This is a comma-separated list of user emails and/or IMS Orgs/IMS group tuples. The IMS IDs can also be used instead of the descriptive name or email address.

Path syntax

The following path syntax is supported:

  • /project/dir/document1 - matches this specific document (document1) and nothing else. In the above screenshot [email protected] is given write access to the /project2/newsite/docs/factsheet document
  • /project/dir/subdir1 - matches this specific folder (subdir1) and nothing else
  • /project/dir/* - matches all documents and folders under /project/dir but does not match the dir folder itself. In the above screenshot '[email protected]` is given read access to all documents and folders under /project2/newsite
  • /project/dir/+* - matches all documents and folders under /project/dir including the dir folder itself. In the above screenshot users in the IMS group IMS Org A/IMS Group are given no access to /project2/newsite/notes and its subfolders and documents.

Process

To find a user's allowable actions the following process is used.

For each of the user's matching groups:

  • email
  • IMS user ID
  • IMS Org name/Ims Group name
  • IMS Org ID/Ims Group ID

The longest matching path for a requested resource is searched and the allowable actions are looked up. Once a matching path is found the searching stops for this group.

Then all actions found are merged into a set and returned.

As an example, let's assume that [email protected] is in IMS Org A/IMS Group and needs access to /project2/newsite/food/monday. The ACL lookup finds that IMS Org A/IMS Group has its longest path defined as /project2/newsite/+* with read permissions. The ACL lookup also finds that [email protected] has write to /+* which is the longest matching path for the email address. The resulting action set for the requested resource is read and write.

Example

An an example let's walk through the above screenshot.

Clone this wiki locally