WebDAV Rights Management
ACL (Access Control List)
To manage rights on your WebDAV resources you define ACLs through the WebDAV interface, e.g. with DAVExplorer. An ACL is a list of statements. Each statement grants or denies one right to one principal (here: a user or a group) on one resource. In our WebDAV context a group is a synonym for role.
Example:
ACL-Table
--------------------------------------------
Right  | Principal | Resource  | Value
--------------------------------------------
Right1 | GroupA    | Resource1 | Granted   <-- GroupA is allowed to apply Right1 on Resource1
Right2 | GroupB    | Resource2 | Granted   <-- GroupB is allowed to apply Right2 on Resource2
Right2 | User1     | Resource2 | Denied    <-- User1 is NOT allowed to apply Right2 on Resource2
...    | ...       | ...       | ...
--------------------------------------------
This means that even if User1 is a member of GroupB, he will not be allowed to apply Right2 on Resource2 (see Evaluation).
Evaluation
The resources are usually files and directories, or at least organised hierarchically, so the ACL statements are evaluated along the path through the resource hierarchy that leads to the resource in question. Deny statements have priority over all following grant statements; this is why, in the example above, User1 stays denied although GroupB is granted Right2 on Resource2.
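To make the evaluation rule concrete, here is a small evaluator written for this page (an added example, not code from GSI, DAVExplorer or any WebDAV server). It models the ACL table above as a list of statements and walks them along the resource path. Beyond what the page states, it assumes that resources are identified by absolute paths, that a matching Denied statement is final (it overrides every Granted statement that would follow it on the path), and that a right for which no statement matches is not allowed. The right names in the sample ACL are taken from the rights table below and stand in for Right1 and Right2; the users, groups and paths are constructed.

```python
# Added example for this page: a minimal model of ACL evaluation as described
# above. It is not code from GSI, DAVExplorer or any WebDAV server.
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Statement:
    """One ACL statement: Right | Principal | Resource | Value."""
    right: str          # e.g. "read-object"
    principal: str      # user name or group (role) name
    resource: str       # absolute path (assumption: paths identify resources)
    granted: bool       # True = Granted, False = Denied


def path_from_root(resource: str) -> List[str]:
    """Nodes of the resource hierarchy from the root down to ``resource``.

    "/Resource2/reports/q1.txt" ->
        ["/", "/Resource2", "/Resource2/reports", "/Resource2/reports/q1.txt"]
    """
    parts = [p for p in resource.split("/") if p]
    nodes = ["/"]
    for depth in range(1, len(parts) + 1):
        nodes.append("/" + "/".join(parts[:depth]))
    return nodes


def is_allowed(acl: Iterable[Statement], user: str, groups: Set[str],
               right: str, resource: str) -> bool:
    """Decide whether ``user`` may apply ``right`` on ``resource``.

    Statements are evaluated along the path from the root to the resource.
    A statement matches if it concerns ``right`` and addresses the user or
    one of the user's groups.  A matching Denied statement is final: it has
    priority over every Granted statement that follows (assumption: this is
    how the page's deny rule is read here).  If no statement matches at all,
    the result is "not allowed" (assumption: the page states no default).
    """
    principals = {user} | set(groups)
    statements = list(acl)
    allowed = False
    for node in path_from_root(resource):
        for st in statements:
            if st.resource != node or st.right != right or st.principal not in principals:
                continue
            if not st.granted:
                return False      # Denied: stop, later grants cannot override it
            allowed = True        # Granted: remember, but keep walking the path
    return allowed


# Constructed sample ACL mirroring the example table on this page;
# "read-object" stands in for Right1 and "create-object" for Right2.
SAMPLE_ACL = [
    Statement("read-object",   "GroupA", "/Resource1", True),
    Statement("create-object", "GroupB", "/Resource2", True),
    Statement("create-object", "User1",  "/Resource2", False),
]

# Constructed group (role) memberships.
SAMPLE_GROUPS = {
    "User1": {"GroupB"},
    "User2": {"GroupB"},
    "User3": {"GroupA"},
}


def check(user: str, right: str, resource: str) -> bool:
    """Evaluate one request against the sample ACL and memberships."""
    return is_allowed(SAMPLE_ACL, user, SAMPLE_GROUPS.get(user, set()), right, resource)


if __name__ == "__main__":
    for user, right, res in [
        ("User2", "create-object", "/Resource2"),             # granted via GroupB
        ("User1", "create-object", "/Resource2"),             # denied although in GroupB
        ("User1", "create-object", "/Resource2/sub/new"),     # deny is inherited down the path
        ("User3", "read-object",   "/Resource1/readme.txt"),  # grant inherited from /Resource1
        ("User3", "create-object", "/Resource1"),             # no statement -> not allowed
    ]:
        verdict = "Granted" if check(user, right, res) else "Denied"
        print(f"{user:6} {right:14} {res:24} -> {verdict}")
```

Running the module prints the verdict for each constructed request; the second line reproduces the page's case (User1 denied Right2 on Resource2 despite GroupB's grant), and the third shows that the deny also covers everything below Resource2, because the statement is met on the way down the path before any deeper grant could be reached.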
Rights
Overview of the available rights:
------------------------------------------------------------------------------------------------------------
Basic Right               | Definition
------------------------------------------------------------------------------------------------------------
unbind-member             | unlink an entry from an existing resource
remove-object             | remove a resource
remove-revision-metadata  | remove a version of the metadata
remove-revision-content   | remove a version of the file content
kill-lock                 | release a lock on a resource
read-revision-metadata    | read metadata, also from the current and older versions of the resource
read-revision-content     | read file content, also from the current and older versions of the resource
read-object               | read content and metadata (of the current version, if the resource is version controlled)
read-permissions          | read the ACL
modify-revision-metadata  | modify a version of the metadata
modify-revision-content   | modify a version of the file content
lock-object               | lock a resource
read-own-permission       | display the ACL information related to your own principal
read-locks                | determine which locks are on a resource
revoke-permission         | delete an ACL statement
grant-permission          | define an ACL statement
bind-member               | create a new entry linked ("bound") to an existing resource
create-object             | add a new resource
create-revision-metadata  | add another version of the metadata
create-revision-content   | add another version of the file content
------------------------------------------------------------------------------------------------------------
Note that grant-permission and revoke-permission allow a principal to change the ACL of the resource itself, so they are effectively administrative rights on that resource and should be handed out sparingly.
For GSI-specific rights management see WebDAVAccounts.
--
DennisKlein - 10 Nov 2006, last mod.
MichaelDahlinger - 05 May 2010