Manage access control

A domain administrator can use access control list (ACL) policies to control access to objects.

ACL policies contain ACL entries that control who can access which domain resources and do which actions. A domain administrator manages the ACL policies by adding, removing, and modifying the ACL entries in the ACL policies. See ACL policies. For details about the ACL policy tasks that a domain administrator can do, see Manage ACL policies.

An ACL entry defines a user or group and which actions each can do against a protected object. A domain administrator can manage these ACL entries before or after the ACL policy is attached to domain resources. Any change to the ACL entry affects only the access that these users and groups have against a specific domain resource to which the ACL policy is attached. See ACL entries.

To define ACL entries, a domain administrator adds or removes permissions (actions) for specific users or groups. A permission is an action that is defined by an action bit in an action group. An action group is a set of permissions. A domain administrator can add or remove action groups from an ACL entry.

When Security Verify Access is installed, the primary action group is created. It contains 17 permissions, each of which is defined by an action bit.

As additional resource managers are installed, additional action groups might be created. As needed, a domain administrator can create additional action groups and add new actions to previously created action groups. See Action groups and actions. For details about the action group tasks that a domain administrator can do, see Manage action groups. For details about the action tasks that a domain administrator can do, see Manage actions.

A domain administrator can assign administrative authority to another user. To define another administrative user, the domain administrator sets the ACL entries for that user to match the ACL entries of the domain administrator. In this situation, both the new administrative user and the domain administrator have the same authority.
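Because matching the domain administrator's ACL entries confers the same authority, it is worth checking periodically which users and groups hold entries that grant at least what the administrator's entries grant. The following is an added example, not code from the product or its documentation. It assumes a permission-string notation in which single-letter action bits before any `[group]` tag belong to the primary action group, and all policy names, principals and bits in the sample data are constructed.

```python
import re

PRIMARY = "primary"  # the page's name for the default action group

def parse_permissions(spec):
    """Parse e.g. 'Tbr[ops]sr' into {action group: frozenset of action bits}.
    Assumed notation: bits before the first [group] tag are in the primary group."""
    if not re.fullmatch(r"(?:\[[^\][]+\]|[A-Za-z])*", spec):
        raise ValueError(f"malformed permission string: {spec!r}")
    perms, group = {}, PRIMARY
    for tag, bits in re.findall(r"\[([^\][]+)\]|([A-Za-z]+)", spec):
        if tag:
            group = tag          # later bits belong to this action group
        else:
            perms.setdefault(group, set()).update(bits)
    return {g: frozenset(b) for g, b in perms.items()}

def covers(entry, reference):
    """True if entry grants every action bit that reference grants."""
    return all(bits <= entry.get(g, frozenset()) for g, bits in reference.items())

def admin_equivalents(policies, admin):
    """Principals whose ACL entry covers the admin's entry in every policy
    where the admin has one, i.e. who hold at least the same authority."""
    parsed = {name: {who: parse_permissions(s) for who, s in entries.items()}
              for name, entries in policies.items()}
    scoped = [e for e in parsed.values() if admin in e]
    if not scoped:
        return set()
    candidates = set().union(*scoped) - {admin}
    return {who for who in candidates
            if all(who in e and covers(e[who], e[admin]) for e in scoped)}

# Constructed sample data: policy names, principals and action bits are illustrative.
ADMIN = ("user", "domain_admin")
SAMPLE_POLICIES = {
    "web-objects": {
        ADMIN: "Tcmdbva[ops]sr",
        ("user", "alice"): "Tbr",                  # subset only
        ("user", "bob"): "avbdmcT[ops]rs",         # same bits, different order
        ("group", "helpdesk"): "Tcmdbvax[ops]rs",  # superset in this policy
    },
    "management-objects": {
        ADMIN: "Tcmdbva",
        ("user", "bob"): "Tcmdbva",
        ("group", "helpdesk"): "Tbv",              # falls short here
    },
}

if __name__ == "__main__":
    print(sorted(admin_equivalents(SAMPLE_POLICIES, ADMIN)))
```

The check compares explicit ACL entries only; it does not resolve which users belong to a listed group.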