Access control lists (ACLs) and ACL binding level rules

Access control lists (ACLs)

The list of users that have access to the item and the operations that they can perform on the item is called an access control list (ACL). An ACL is used at run time to determine what CRUD operations a user can execute on a particular item or item type. An ACL can contain one or more individual user IDs or user groups and their associated privileges. You can associate items, item types, and worklists with an ACL. Privilege sets define an individual's maximum ability to use the system, an ACL restricts that individual's access to an item. For example, if its ACL allows the photograph item to be deleted but John doesn't have the delete privilege in his privilege set, then John cannot delete the photograph.

A user ACL is any ACL created by a user with UserACLOwner privilege and can be assigned only to items. Users can search on user ACLs. User ACLs do not display in the system administration client. A user who is listed in the user ACL and who has UserACLOwner privilege, or an administrator, can modify a user ACL by using the APIs.

A controlled entity is bound to a specific ACL through the ACL code. When associated with controlled entities, ACLs define the authorization of the bound entities and do not circumvent the user privileges. An ACL is enforced, and user privileges are checked.

An ACL contains one or more ACL rules. The users specified in access control rules can be individual users, user groups, or public. The interpretation is determined by the UserKind field of a rule. The types of rules, for illustration purposes, can be given the names ACL Rule for User, ACL Rule for Group, and ACL Rule for Public respectively. By specifying public, the ACL Rule for Public authorizes all the users to perform operations specified in the ACL Privileges on the bound entity, provided the users pass their User Privileges check. The ACL privileges on the bound entity to Public can be configured in the System level. The capability of opening a bound entity to Public can be configured system-wide. The configuration parameter is named PubAccessEnabled (defined in table ICMSTSysControl). When disabled, all the ACL Rules for Public are ignored during the access control process.

Within the same ACL, a user can be specified in more than one type of rule. The precedence of the three types, from highest to lowest, is ACL Rule for Public, ACL Rule for User, and ACL Rule for Group. When applying ACL checks, if any higher-precedence rule type passes, the authorization is resolved and the process stops. If the check for ACL Rule for Public failed, the checking process will continue on the lower-precedence rule types.

If the check for ACL Rule for the User failed, however, the checking stops. The ACL Rule for Group is not checked. There is no need to continue the check on the Group type because if a user does an individual user check, the user will be excluded from the group type access based on the access control algorithm. The access control check for individual User type and Group type is not a sequential process. It is an either-or situation, even though there is no harm in doing a sequential check.

If the user has failed to pass an individual user type check (or the user does not have a rule in the Access List table), the checking process will continue to the group type. If the user belongs to one of the groups and the check of the privilege passes, the authorization is resolved and the process stops. Otherwise, access is denied and the process also stops. When a user is specified in more than one ACL Rule for a Group, the user is authorized by the union of all those rules' ACL Privileges. A user is never specified in more than one ACL Rule for User.

ACL binding level rules

ACL Binding Level is a configuration parameter that allows the user to choose that ACL that is used for ACL check. An ACL check is an additional check used at run time to determine what CRUD operations a user can execute on a particular item or item type. In addition to satisfying a general privilege check, the ACL check must be satisfied for the particular item or item type, depending on the action.

ACL checking is based on the following rules:

• The privileges that the users get for ACL X are the intersection between the privileges in the user general privilege set and the privilege set in the ACL.
• If a user participates in an ACL as both an individual user and as part of a group, the user ACL rule will override the user group ACL rule.
• When PubAccessEnabled parameter is enabled, and an ACL X contains an ACL rule for ICMPUBLC, the set of privileges the user gets in ACL X are the UNION of:
  • the privileges given by user or user group ACL rules
  • the privileges given by the ACL rule to ICMPUBLC
• Users with ItemSuperAccess privilege can bypass ACL checking. The user will be automatically added to every ACL, with all privileges in the general privilege set from his user profile.

The configuration parameter, ACL Binding Level allows the user to choose the ACL that is used to do the privilege check on CRUD operations. The binding level options are:

Item type level

The ACL is taken from the item type view definition. If no view is specified, or if the item type is a part, then the ACL is taken from the base item type view (which is the same as the item type ACL).

Item level

The ACL is taken from the item ACL. The item's ACL either is set by the application during item creation, or is defaulted to the item type ACL or the user's default ACL, depending on the item type definition.

Mixed (Item or item type)

The ACL is taken either from the item type view ACL or the item ACL, depending on the item level ACL flag set during item type definition. Mixed ACL binding level is the default setting for Content Manager Version 8.

Library level

The ACL is taken from the library ACL code from the library server configuration parameter.

The following “rules” describe how the ACL privilege check is performed based on the ACL binding level and item type classification.

Item rules

Item type level

Check privileges using the ACL from the provided item type view, or base view if none provided (ACLCODE from ICMSTITVIEWDEFS table).

Item level

Check privilege using the ACL from the item (ACLCODE from ICMSTITEMS001001 table).

Mixed level

Check the item level ACL flag from the item type definition (ITEMLEVELACL from ICMSTITEMTYPEDEFS table) to determine whether ACL binding is done at the item type level or the item level. For system predefined document routing itemtypes (ROUTINGPROCESS, WORKNODE, WORKLIST), the item level ACL flag is true (ACL is checked at item level).

Library level

Check the privilege using the library ACL code from the library server configuration (LIBRARYACLCODE from ICMSTSYSCONTROL table).

Part rules

Item type level

Check privilege using the ACL from the item type relation for the part (DFLTACLCODE from ICMSTITEMTYPEREL table).

Item level

Check privilege using the ACL from the item (ACLCODE from ICMSTITEMS001001 table).

Mixed level

Check the item level ACL flag from the part item type definition (ITEMLEVELACL from ICMSTITEMTYPEDEFS table) to determine whether ACL binding is done at the item type level or the item level. For system predefined part types (ICMBASE, ICMBASETEXT, ICMBASESTREAM, ICMNOTELOG, ICMANNOTATION), the item level ACL flag is false (ACL is checked at item type level).

Library level

Check the privilege using the library ACL code from the library server configuration (LIBRARYACLCODE from ICMSTSYSCONTROL table).