The Access Control List
Levels, privileges and roles of users are defined in an Access Control List (ACL) for each OpenWGA application. The ACL is stored in the application's OpenWGA content store database and consists of ACL entries.
A single ACL entry either assigns authorisation properties to a single user or group name, or defines a user role. It contains the following fields:
- A name: the name of the user, group or role that the ACL entry is about
- A type. There are two types of ACL entries:
  - User/group entries. These determine the authorisation of the user or group named in the "name" field and have the following additional fields:
    - An access level for the user or group
    - A list of privileges that the user or group owns
    - A list of user roles that the user/group is assigned to
  - Role entries. These define user roles for the current application, which can then be assigned on user/group entries.
On normal OpenWGA content stores you can edit the ACL via the OpenWGA client: open the OpenWGA application that uses the content store and switch to the "ACL" tab. On special database platforms (Lotus Domino, for example) OpenWGA may need to use the platform's native ACLs to determine access rights.
To determine the authorisation of a user, OpenWGA must find out the following:
- The access level that is in effect for the user
- The access privileges that the user owns
- All user roles that the user is assigned to
To determine the access level and privileges of a specific user, OpenWGA runs the following search for a matching ACL entry. As soon as it finds an entry at any step of the process, it takes the authorisation properties from that entry and ignores any further ACL entries:
- It searches for an ACL entry containing the name of the user, including the user's fully distinguished name and all name variants the user may have.
- Then it searches for an ACL entry containing the name of a group the user is a member of.
- Then it searches for an ACL entry for the special group name "authenticated", which automatically contains all users that were able to authenticate themselves.
- Then it searches for an ACL entry for the special name "*" (asterisk), which contains all users, including anonymous ones.
- If no entry is found, the user has access level NO ACCESS and neither privileges nor roles, and is denied access to the application.
There is another special name for ACL entries: "anonymous". It applies to all users that are not yet authenticated. If an OpenWGA application is open for anonymous access, it can be accessed by users who are not yet logged in, and this ACL entry controls access for those unauthenticated users only.
The determination of user roles is slightly different, although it takes place in the same process: OpenWGA collects the user roles of all ACL entries found at any step of the process. So user roles add up from all matching ACL entries, while access level and privileges are taken from the best-matching entry only.
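The lookup order and the role accumulation described above, as an added Python model that is not OpenWGA's own code: `resolve` walks the steps in the documented order, takes level and privileges from the first step that matches, and collects roles from every matching entry. The numeric level constants, the sample ACL, and the assumption that unauthenticated users are matched against "anonymous" before "*" are mine, not the page's.

```python
from dataclasses import dataclass

# Constructed level ordering for this example; the page does not
# give OpenWGA's real level constants.
NO_ACCESS, READER, AUTHOR, EDITOR = 0, 1, 2, 3

@dataclass(frozen=True)
class AclEntry:
    name: str
    kind: str = "user"            # "user" (user/group entry) or "role"
    level: int = NO_ACCESS
    privileges: frozenset = frozenset()
    roles: frozenset = frozenset()

def resolve(acl, names, groups, authenticated):
    """Return (level, privileges, roles) for one user.
    names: the user's distinguished name and all name variants;
    groups: the groups the user belongs to. Authenticated users are
    searched as user names, groups, "authenticated", "*"; anonymous
    users as "anonymous", then "*" (that order is an assumption).
    """
    entries = {e.name: e for e in acl if e.kind == "user"}  # role entries are not matched
    steps = ([list(names), list(groups), ["authenticated"], ["*"]]
             if authenticated else [["anonymous"], ["*"]])
    level, privileges, roles, decided = NO_ACCESS, frozenset(), set(), False
    for step in steps:
        matches = [entries[n] for n in step if n in entries]
        if not matches:
            continue
        if not decided:
            # Level and privileges come from the first step that matches;
            # within that step the first listed name wins (assumption).
            level, privileges, decided = matches[0].level, matches[0].privileges, True
        # Roles add up from every matching entry on every step.
        for entry in matches:
            roles |= entry.roles
    return level, privileges, frozenset(roles)

# Constructed sample ACL for a fictitious application.
SAMPLE_ACL = [
    AclEntry("reviewer", kind="role"),
    AclEntry("cn=Alice,o=Example", level=EDITOR,
             privileges=frozenset({"deleteDocs"}), roles=frozenset({"reviewer"})),
    AclEntry("editors", level=AUTHOR, roles=frozenset({"newsdesk"})),
    AclEntry("authenticated", level=READER, roles=frozenset({"staff"})),
    AclEntry("anonymous", level=READER),
    AclEntry("*", roles=frozenset({"visitor"})),
]
```

With the sample ACL, Alice keeps EDITOR and her privilege from her own entry but still picks up the "newsdesk", "staff" and "visitor" roles from the group, "authenticated" and "*" entries, while a user matching no entry at all ends with NO ACCESS and nothing else.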