Access Control List (ACL) 

The security concept implemented in SAP NetWeaver Application Server (AS) Java allows an administrator (object creator) to create a new ACL object and assign it to the owner.

There is no portal available in this release. Functions that refer to the portal are not supported.

The ACL feature provides an interface for following functions:

●      Create, modify or delete supported permissions for the ACL.

●      Create, modify or delete an ACL object for a portal object.

●      Add or remove ACL owners.

●      Create, modify or delete the permissions for a principal (ACE).

●      Check if a user has permission to execute an action.

Application Specific ACL Manager

With the default ACL manager all applications that use ACL have the same namespace. To avoid conflicts with object ID and permission names among applications, the user management factory provides the method getAclManager(String applicationID) that returns an application specific ACL manager.

API

The application that uses the ACL API works with following interfaces:

●      com.sap.security.api.acl.IAclManager

This interface defines all the methods that are required for the general administration of ACL. It allows application to:

○       Create, modify, read and delete an ACL object for a portal object.

○       Check the permission for a principal on an object.

○       Add, remove and get available supported permissions.

○       Delete the whole corresponding data for a principal.

●      com.sap.security.api.acl.IAcl

This interface allows application to:

○       Add or remove an ACL owner.

○       Check if an user is an ACL owner.

○       Create, delete or get ACE.

○       Check the user permissions.

○       Check the object ID

●      com.sap.security.api.acl.IAclEntry

The ACE object contains information about a principal and its permissions. It allows the application to:

○       Get the permission and the principal of ACE.

○       Check if the ACE has permissions.

○       Check if the principal has the required permission.

●      com.sap.security.api.acl.PermissionStatus

The permission status object returns the status for a given principal if the permission is allowed, denied or undefined. The application gets the ACL Manager from the Portal Runtime (PRT).

Example:

IAclService service = (IAclService)

PortalRuntime.getRuntimeResources()
             .getService(IAclService.SERVICE_ID);

 

IAclManager manager = service.getAclManager();

 

In the UME, the application gets the ACL Manager from the user management factory.

Example:

IAclManager aclManager = UMFactory.getAclManager();

●      com.sap.security.api.acl.IAclHierarchy

This interface provides the application an access point to:

○       Check the permission for a principal on a list of object Ids which represent the parent objects of the former object.

○       Distribute an ACE to the members of a object ID tree. If an ACE for a root object gets changed, this new ACE will be distributed to all members of the sub node of this root. All entries are inherited.

 

ACL Manager Interface

The ACL Manager administers the ACLs. The ACL manager interface defines methods to administer ACL's and check if a principal has access to an object with a certain permission.

Permissions

A permission is defined by an object type and a permission name separated by a dot (.), for example, default_type.read.

A dot is not allowed in the object type, but in the permission name.

A global permission is defined without an object type.

Permissions must be unique within the namespace of the ACL manager. Therefore, for an application specific ACL manager, the permissions have to be unique within the application and for the default ACL Manager, the permission has to be globally unique.

Object ID

Object IDs must be unique within the namespace of the ACL manager. Therefore, for an application specific ACL manager, the object IDs have to be unique within the application and for the default ACL Manager, the object IDs has to be globally unique.

Example:

//Get default ACL Manager IAclMAnager manager = UMFactory.getAclManager(); // Get specific ACL Manager IAclMAnager manager = UMFactory.getAclManager("Workflow"); //Create some Permissions manager.addPermission("WorkflowPermission.read", null); manager.addPermission("WorkflowPermission.write", null); //Create a Permission Container List members = new ArrayList(2); members.add("WorkflowPermission.read"); members.add("WorkflowPermission.write"); manager.addPermission("WorkflowPermission.full_control", members); //Create an ACL on an objectID IUser userA; IAcl acl = manager.createAcl(userA, "WorkflowItemABC"); //Get this ACL again IAcl acls = manager.getAcls("WorkflowItemABC"); //Delete an ACL manager.removeAcl(userA, "WorkflowItemABC"); //Delete all info's abaout a principal (concerning ACL info) manager.deletePrincipal(usersA); //Create an ACE (Access Control Entry) for user B (user A is ACL Owner) IAclEntry aclEntry = acl.createAclEntry                     (userA, userB, "WorkflowPermission.read", false); //Get all ACE's for a special principal acl.getAclEntries(userB); //Get all ACE's   acl.getAclEntries(); //check a permission on IAclManager manager.isAllowed("WorkflowItemABC", usersA, "WorkflowPermission.read"); //check a permission on IAcl acl.isAllowed(usersA, "WorkflowPermission.read"); //check a permission on IAclEntry acl.isAllowed("WorkflowPermission.read"); //Delete an ACL Entry acl.removeAclEntry(usersA, aclEntries); //Reset the hole ACL (only deletion of ACE's) acl.resetAcl(usersA);