WebDAV Rights Management

ACL (Access Control List)

To manage rights on your WebDAV resources, you define ACLs through the WebDAV interface, e.g. with DAVExplorer. An ACL is a list of statements. Each statement defines a relationship between a right and a principal (here: a user or a group). In our WebDAV context a group is a synonym for a role.

Example:

ACL-Table
---------------------------------------------
 Right    | Principal | Resource  | Value
---------------------------------------------
 Right1   | GroupA    | Resource1 | Granted   <-- GroupA is allowed to apply Right1 on Resource1
 Right2   | GroupB    | Resource2 | Granted   <-- GroupB is allowed to apply Right2 on Resource2
 Right2   | User1     | Resource2 | Denied    <-- User1 is NOT allowed to apply Right2 on Resource2
 ...      | ...       | ...       | ...

This means that even if User1 is a member of GroupB, User1 is not allowed to apply Right2 on Resource2: the Deny statement wins. See Evaluation.

Evaluation

Often the resources are filesystems, or are at least organised hierarchically, so the ACL statements are evaluated along the path through the resource hierarchy. Deny statements have priority over all following grant statements. The full evaluation workflow, including inherited ACLs, is shown in rights_slide_aclevaluation.png.
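The following Python model illustrates the evaluation rule described above together with the ACL-Table example (User1 denied despite GroupB being granted). It is an added example, not the GSI WebDAV server's code, and it assumes things the page does not state explicitly: statements are attached to resources in a path hierarchy, evaluation walks from the root down to the requested resource, a Deny on a resource beats a Grant on the same resource, and a right with no matching statement at all is denied. The right names are taken from the Basic Right table; the users, groups and paths are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical ACL model (added illustration, not the GSI WebDAV implementation).
# Assumptions not stated on the page: root-to-leaf evaluation, Deny beats Grant
# on the same resource, and "no statement" means denied.


@dataclass(frozen=True)
class Statement:
    right: str       # e.g. "read-object" (names from the Basic Right table)
    principal: str   # user name or group (role) name
    value: str       # "Granted" or "Denied"


# Constructed group membership: user -> groups (roles) the user belongs to
GROUPS: Dict[str, Set[str]] = {
    "User1": {"GroupB"},
    "User2": {"GroupB"},
}

# Constructed ACL: resource path -> statements defined directly on it.
# "/Resource2" reproduces the page's example: GroupB granted, User1 denied.
# "/Resource2/sub" shows that a later Grant cannot undo an inherited Deny.
ACL: Dict[str, List[Statement]] = {
    "/": [Statement("read-object", "GroupA", "Granted")],
    "/Resource2": [
        Statement("remove-object", "GroupB", "Granted"),
        Statement("remove-object", "User1", "Denied"),
    ],
    "/Resource2/sub": [Statement("remove-object", "User1", "Granted")],
}


def principals_of(user: str) -> Set[str]:
    """A user matches statements for itself and for every group it is in."""
    return {user} | GROUPS.get(user, set())


def path_chain(path: str) -> List[str]:
    """Return the resource and all its ancestors, root first.
    '/a/b' -> ['/', '/a', '/a/b']."""
    parts = [p for p in path.split("/") if p]
    chain = ["/"]
    for i in range(len(parts)):
        chain.append("/" + "/".join(parts[: i + 1]))
    return chain


def check(user: str, right: str, path: str) -> bool:
    """Evaluate whether `user` may apply `right` on the resource at `path`."""
    who = principals_of(user)
    granted = False
    for resource in path_chain(path):
        stmts = [
            s for s in ACL.get(resource, [])
            if s.right == right and s.principal in who
        ]
        # A Deny here beats a Grant on this resource and every Grant that
        # follows further down the path, so stop immediately.
        if any(s.value == "Denied" for s in stmts):
            return False
        if any(s.value == "Granted" for s in stmts):
            granted = True
    return granted


if __name__ == "__main__":
    for user, right, path in [
        ("User1", "remove-object", "/Resource2"),
        ("User2", "remove-object", "/Resource2"),
        ("User1", "remove-object", "/Resource2/sub"),
        ("User2", "remove-object", "/Resource2/sub"),
    ]:
        verdict = "Granted" if check(user, right, path) else "Denied"
        print(f"{user:6} {right:14} {path:15} -> {verdict}")
```

User1 is denied on /Resource2 although GroupB is granted there, and stays denied on /Resource2/sub despite the explicit Grant below, while User2 inherits the GroupB grant on both resources.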

Rights

An overview of the available rights is given in rights_slide.png; the legend is in rights_slide_legend.png.

Basic Right              | Definition
-------------------------+--------------------------------------------------------------------------------------
read-object              | read content and metadata (of the current version of a resource, if version controlled)
create-object            | add a new resource
remove-object            | remove a resource
grant-permission         | define an acl statement
revoke-permission        | delete an acl statement
read-permissions         | read the acl
read-own-permission      | display acl information related to your own principal
lock-object              | lock a resource
kill-lock                | release a lock from a resource
read-locks               | determine which locks are on a resource
read-revision-metadata   | read metadata also from current and older versions of the resource
create-revision-metadata | add another version of metadata
modify-revision-metadata | modify a version of metadata
remove-revision-metadata | remove a version of metadata
read-revision-content    | read file content also from current and older versions of the resource
create-revision-content  | add another version of file content
modify-revision-content  | modify a version of file content
remove-revision-content  | remove a version of file content
bind-member              | create a new entry linked ("bound") to an existing resource
unbind-member            | unlink an entry from an existing resource

For GSI-specific rights management see WebDAVAccounts.

-- DennisKlein - 10 Nov 2006, last mod. MichaelDahlinger - 05 May 2010
Topic attachments
Attachment                     | Size    | Date             | Who         | Comment
-------------------------------+---------+------------------+-------------+---------------------------------------
rights_slide.png               | 229.7 K | 2006-11-03 16:30 | DennisKlein | overview: rights
rights_slide_aclevaluation.png | 57.9 K  | 2006-11-03 17:02 | DennisKlein | full inherited acl evaluation workflow
rights_slide_legend.png        | 38.0 K  | 2006-11-03 16:32 | DennisKlein | legend to overview
Topic revision: r6 - 2010-05-05, MichaelDahlinger