The security concept implemented in SAP NetWeaver Application Server (AS) Java allows an administrator (object creator) to create a new ACL object and assign it to the owner.
There is no portal available in this release. Functions that refer to the portal are not supported.
The ACL feature provides an interface for following functions:
● Create, modify or delete supported permissions for the ACL.
● Create, modify or delete an ACL object for a portal object.
● Add or remove ACL owners.
● Create, modify or delete the permissions for a principal (ACE).
● Check if a user has permission to execute an action.
With the default ACL manager all applications that use ACL have the same namespace. To avoid conflicts with object ID and permission names among applications, the user management factory provides the method getAclManager(String applicationID) that returns an application specific ACL manager.
The application that uses the ACL API works with following interfaces:
● com.sap.security.api.acl.IAclManager
This interface defines all the methods that are required for the general administration of ACL. It allows application to:
○ Create, modify, read and delete an ACL object for a portal object.
○ Check the permission for a principal on an object.
○ Add, remove and get available supported permissions.
○ Delete the whole corresponding data for a principal.
● com.sap.security.api.acl.IAcl
This interface allows application to:
○ Add or remove an ACL owner.
○ Check if an user is an ACL owner.
○ Create, delete or get ACE.
○ Check the user permissions.
○ Check the object ID
● com.sap.security.api.acl.IAclEntry
The ACE object contains information about a principal and its permissions. It allows the application to:
○ Get the permission and the principal of ACE.
○ Check if the ACE has permissions.
○ Check if the principal has the required permission.
● com.sap.security.api.acl.PermissionStatus
The permission status object returns the status for a given principal if the permission is allowed, denied or undefined. The application gets the ACL Manager from the Portal Runtime (PRT).
Example:
IAclService service = (IAclService)
PortalRuntime.getRuntimeResources()
.getService(IAclService.SERVICE_ID);
IAclManager manager = service.getAclManager();
In the UME, the application gets the ACL Manager from the user management factory.
Example:
IAclManager aclManager = UMFactory.getAclManager();
● com.sap.security.api.acl.IAclHierarchy
This interface provides the application an access point to:
○ Check the permission for a principal on a list of object Ids which represent the parent objects of the former object.
○ Distribute an ACE to the members of a object ID tree. If an ACE for a root object gets changed, this new ACE will be distributed to all members of the sub node of this root. All entries are inherited.
The ACL Manager administers the ACLs. The ACL manager interface defines methods to administer ACL's and check if a principal has access to an object with a certain permission.
A permission is defined by an object type and a permission name separated by a dot (.), for example, default_type.read.
A dot is not allowed in the object type, but in the permission name.
A global permission is defined without an object type.
Permissions must be unique within the namespace of the ACL manager. Therefore, for an application specific ACL manager, the permissions have to be unique within the application and for the default ACL Manager, the permission has to be globally unique.
Object IDs must be unique within the namespace of the ACL manager. Therefore, for an application specific ACL manager, the object IDs have to be unique within the application and for the default ACL Manager, the object IDs has to be globally unique.
Example:
//Get default ACL Manager (userA, userB, "WorkflowPermission.read", false); |