/[docman2]/doc/trustee.html
This is a repository of my old source code which isn't updated any more. Go to git.rot13.org for current projects!

Annotation of /doc/trustee.html

Revision 1.3
Sun Jul 28 11:48:30 2002 UTC (21 years, 9 months ago) by dpavlin
Branch: MAIN
Changes since 1.2: +4 -0 lines
File MIME type: text/html
documentation update

<h1>ACL implementation in docman</h1>

<p>The ACL implementation in docman is called <b>trustees</b>. It's based on
the concept of trustees for the Linux kernel by Vyacheslav Zavadsky
&lt;zavadsky@braysystems.com&gt;
</p>

<p>Trustees are used to control access rights and special features
(like <a href="notify.html">notify on change</a>)
</p>

<h2>Format of trustee file</h2>

<p>Comments are written using a hash (#) as the first character in the line
<br><tt># this is a comment</tt></p>

<p>A group can be used instead of a username in all ACLs. You can't have a user
with the same name as a group or vice versa. A group is defined using a plus (+) as
the first character in the line.
<br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p>

<p>An ACL is defined as
<br><i>path</i>[<i>file</i>]<b>:</b>(<i>user</i>|<i>+group</i>|*)[,<i>user</i>...]:[<i>modifier</i>]<i>permission</i>[:...]</p>

Valid modifiers:
<ul>
<li><tt>!</tt> trustee applies to all except user or group
<li><tt>C</tt> clear the permission (default is to set)
<li><tt>D</tt> deny access (default is grant)
</ul>

Valid permissions:
<ul>
<li><tt>R</tt> read (file)
<li><tt>W</tt> write (file)
<li><tt>B</tt> browse (directory)
<li><tt>N</tt> <a href="notify.html">notify</a> (e-mail change)
</ul>

<h2>Examples</h2>

<pre>
# dpavlin is admin (grant all access to members of root group)
+root:dpavlin
/:root:RWB
# give read-only access to all users
/:*:R
# anyone can write in this file
/public_write.txt:*:W
# let just joe access secret file
/secret:joe:!CRW
</pre>

<p>There is a major difference between <b>deny</b> and <b>clear</b>. If you
want to deny access to one file except to user joe (who should have
read-only access) you could write:
</p>

<pre>
/secret.txt:*:DRWB:joe:R
</pre>

That is wrong. <b>deny</b> rules will take precedence over the read access
granted to joe. So, you should write:

<pre>
/secret.txt:*:CRWB:joe:R
</pre>

This will work.

<big>FIX</big> write more examples, better descriptions...

<h2>Default security</h2>

<p>If none of the trustee rules match, the default policy is <i>deny</i>. Basically,
you have to explicitly allow all your users access to files (which can be
as simple as <tt>/:*:RB</tt> to give <i>read</i> and <i>browse</i> to all
users)
</p>
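
<p>The following Python sketch is an added example, not docman's own code: it parses the format above and shows why the <b>deny</b> line fails for joe while the <b>clear</b> line works, with default deny when nothing matches. It assumes rules are applied in file order, that a rule covers its path and everything below it, and that deny overrides any grant; all function names are hypothetical.</p>

```python
# Added example: an assumed evaluation model, not docman's own code.
PERMS, MODS = set("RWBN"), set("!CD")

def parse(text):
    """Return (groups, rules); each rule is (path, who, modifiers, perms)."""
    groups, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):                  # +group:user[,user...]
            name, members = line[1:].split(":", 1)
            groups[name] = set(members.split(","))
            continue
        path, *fields = line.split(":")           # path:who:spec[:who:spec...]
        if len(fields) < 2 or len(fields) % 2:
            raise ValueError(f"malformed ACL line: {line!r}")
        for who, spec in zip(fields[0::2], fields[1::2]):
            mods, perms = set(spec) & MODS, set(spec) & PERMS
            if not perms or mods | perms != set(spec):
                raise ValueError(f"bad permission spec: {spec!r}")
            rules.append((path, who.split(","), mods, perms))
    return groups, rules

def matches(who, user, groups):
    """True if user is named directly, via '*', or via a group."""
    names = [n.lstrip("+") for n in who]
    return any(n in ("*", user) or user in groups.get(n, ()) for n in names)

def effective(text, user, path):
    """Permissions user holds on path; an empty set means access is denied."""
    groups, rules = parse(text)
    allow, deny = set(), set()                    # default policy is deny
    for rpath, who, mods, perms in rules:         # assumption: file order
        # Assumption: a rule covers its own path and everything below it.
        if path != rpath and not path.startswith(rpath.rstrip("/") + "/"):
            continue
        if matches(who, user, groups) == ("!" in mods):
            continue                              # '!' inverts who is matched
        target = deny if "D" in mods else allow
        if "C" in mods:
            target -= perms                       # clear
        else:
            target |= perms                       # set
    return allow - deny                           # deny always wins

# Constructed trustee files built from the page's deny and clear lines.
WITH_DENY = "/:*:R\n/secret.txt:*:DRWB:joe:R\n"
WITH_CLEAR = "/:*:R\n/secret.txt:*:CRWB:joe:R\n"
```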

<h2>docman without trustee configuration</h2>

<p>If you <b>don't have</b> <tt>realm/http_virtual_host.trustee</tt> you
will fall back to the default docman v1.x behavior: the whole group will have
all rights on all files, except <i>anonymous</i> users (who won't be able
to log in anyway).
</p>

<p>See also:
<a href="admin.html">Administration manual</a>
</p>
