The Access Control List
Overview
| Operation on ACL entity | Allow if | Scope of operation | Ownership | Scope of access |
|---|---|---|---|---|
| Get | 1. The parent can be read - granted via entity_security, or 2. The parent can be read - granted via ACL | All ACLs of parent entities for which the get privilege is granted. | N/A | N/A |
| Create | The parent entity can be updated - defined via entity_security | Inherits scope of the create for the parent entity. | Owner (the user that created the ACL) | 1. Get - if the user can read the parent entity 2. Update - if the user can update the parent entity 3. Delete - if the user can delete the parent entity |
| Update | The parent entity can be updated - defined via entity_security (update granted through an ACL does not count) | Inherits scope of the update for the parent entity. | Owner (the user that updated the ACL) | 1. Get - if the user can read the parent entity 2. Update - if the user can update the parent entity 3. Delete - if the user can delete the parent entity |
| Delete | The parent entity can be updated - defined via entity_security (update granted through an ACL does not count) | Inherits scope of the update for the parent entity. | N/A | N/A |
Security of the ACL entity
entity_get
If the parent entity can be read then all ACLs on the parent entity can be read. The read privilege on the parent entity can also be granted through the ACL.
entity_create
If the parent entity can be updated then ACLs can be created.
Ownership of the ACL entities will always be set to the user that created them.
entity_update
If the parent entity can be updated then ACLs can be updated. The scope of the update is shared with the scope of the update for the parent entity.
Ownership of the ACL entities will always be set to the user that updated them.
If the update privilege is granted on the parent entity only through an ACL, then the update privilege will NOT be granted on the ACL entities.
entity_delete
If the parent entity can be updated then ACLs can be deleted. The scope of the delete is shared with the scope of the update for the parent entity.
If the update privilege is granted on the parent entity only through an ACL, then the update privilege will NOT be granted on the ACL entities, so such a user cannot delete them either.
Scope of access
entity_get
Can be set if the user can read the parent entity.
entity_update
Can be set if the user can update the parent entity.
entity_delete
Can be set if the user can delete the parent entity.
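The rules above, modelled as a small reference implementation. This is an added example, not the project's own code: the `Acl` shape, the `entity_security` lookup table and the function names are assumptions; the constructed users and the parent entity `doc1` are sample data.

```python
# Added example (not the project's code): reference model of the ACL-entity rules.
# Assumptions: entity_security is a dict {(user, parent): {privs}}; acls is a list.
from dataclasses import dataclass

PRIVS = {"get", "update", "delete"}

@dataclass
class Acl:
    parent: str          # entity the ACL is attached to
    user: str            # user the ACL grants privileges to
    grants: frozenset    # privileges granted on the parent
    owner: str = ""      # set on create/update to the acting user

def parent_privs(user, parent, entity_security, acls, via_acl=True):
    """Privileges `user` holds on `parent`: the entity_security grants,
    optionally widened by ACLs attached to the parent."""
    privs = set(entity_security.get((user, parent), ()))
    if via_acl:
        for acl in acls:
            if acl.parent == parent and acl.user == user:
                privs |= acl.grants
    return privs

def can_get_acls(user, parent, es, acls):
    # entity_get: read on the parent may come from entity_security OR an ACL.
    return "get" in parent_privs(user, parent, es, acls, via_acl=True)

def can_write_acls(user, parent, es, acls):
    # entity_create/update/delete: update on the parent must come from
    # entity_security; update granted only through an ACL does NOT count.
    return "update" in parent_privs(user, parent, es, acls, via_acl=False)

def _check_scope(user, parent, es, acls, grants):
    # Scope of access: a privilege can be granted only if the actor holds it.
    missing = set(grants) - PRIVS | (set(grants) - parent_privs(user, parent, es, acls))
    if missing:
        raise PermissionError(f"cannot grant {sorted(missing)} on {parent}")

def create_acl(user, parent, es, acls, grantee, grants):
    if not can_write_acls(user, parent, es, acls):
        raise PermissionError("update on parent not granted via entity_security")
    _check_scope(user, parent, es, acls, grants)
    acl = Acl(parent, grantee, frozenset(grants), owner=user)  # owner = creator
    acls.append(acl)
    return acl

def update_acl(user, acl, es, acls, grants):
    if not can_write_acls(user, acl.parent, es, acls):
        raise PermissionError("update on parent not granted via entity_security")
    _check_scope(user, acl.parent, es, acls, grants)
    acl.grants, acl.owner = frozenset(grants), user  # owner = last updater
    return acl
```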