
Specifying acl inheritance – Google Search Appliance Feeds Protocol Developers Guide User Manual


Google Search Appliance: Feeds Protocol Developer’s Guide


principal-type

Attribute

The principal-type attribute indicates that the domain string attached to the principal will not be
transformed internally by the search appliance. The only valid value is “unqualified.” This attribute is for
support of SharePoint local groups.

Specifying ACL Inheritance

An ACL can be attached directly to a document, but content systems also let ACL information apply to
whole groups of documents through inheritance. By modeling ACL inheritance, the search appliance can
represent a wide variety of security mechanisms.

For example, in a Microsoft Windows File System, by default, a document inherits permissions from its
folder. Permissions can be applied to documents without breaking inheritance. More specific
permissions override less specific permissions.

In a Microsoft Windows Share, permissions can be applied to the share as a whole. All documents in the
tree rooted at the shared folder implicitly inherit share permissions. Share permissions always override
more specific permissions.

In Microsoft SharePoint, content is organized in hierarchies of sites, document collections, and
documents. Each node in the hierarchy inherits permissions from its parent, but if a DENY occurs
anywhere in the inheritance chain, the resulting decision is DENY.

ACL inheritance is specified by the following attributes of the acl element:

inheritance-type

inherit-from

inheritance-type

Attribute

The inheritance-type attribute specifies how the permissions (PERMIT, DENY, INDETERMINATE) will
be interpreted when the search appliance authorizes against parent and child ACLs and decides which
takes precedence.

Valid values are:

parent-overrides--The permission of the parent ACL dominates the child ACL, except when the
parent permission is INDETERMINATE. In this case, the child permission dominates. If both parent
and child are INDETERMINATE, then the permission is INDETERMINATE.

child-overrides--The permission of the child ACL dominates the parent ACL, except when the
child permission is INDETERMINATE. In this case, the parent permission dominates. If both parent
and child are INDETERMINATE, then the permission is INDETERMINATE.

and-both-permit--The permission is PERMIT only if both the parent ACL and child ACL permissions
are PERMIT. Otherwise, the permission is DENY.

leaf-node--The ACL terminates the inheritance chain: it is the last node, and no other ACL inherits
from it.

inherit-from

Attribute

The inherit-from attribute specifies the URL from which the ACL inherits permissions. If this attribute
is absent, the ACL is a top-level node.

Note: If a per-URL ACL inherits from a non-existent URL, or inherits from a URL that does not have a per-
URL ACL, the authorization decision is always INDETERMINATE because of the broken inheritance chain.
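As an added illustration of the four inheritance-type values and of the broken-chain note above, the following Python resolves a per-URL ACL chain for a user. This is example code written for this page, not code from the Google Search Appliance or its documentation. It assumes that an ACL's inheritance-type governs how that ACL's decision combines with the decision of the ACL that inherits from it, that within a single ACL an explicit DENY entry wins over a PERMIT entry, and that a cycle, or an ACL inheriting from a leaf-node, is treated like the missing-parent case in the note (INDETERMINATE). The ACL records, URLs and principal names are constructed for the example.

```python
"""ACL inheritance resolution following the Feeds Protocol guide's rules.

Added illustration, not code from the Google Search Appliance. The Acl records
stand in for <acl> elements carrying inherit-from and inheritance-type.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PERMIT, DENY, INDETERMINATE = "PERMIT", "DENY", "INDETERMINATE"


@dataclass(frozen=True)
class Acl:
    url: str
    inheritance_type: str                  # parent-overrides | child-overrides | and-both-permit | leaf-node
    inherit_from: Optional[str] = None     # absent => top-level node
    permits: FrozenSet[str] = frozenset()  # principals with a PERMIT entry in this ACL
    denies: FrozenSet[str] = frozenset()   # principals with a DENY entry in this ACL


def local_decision(acl: Acl, principals: FrozenSet[str]) -> str:
    """Decision of one ACL by itself, before inheritance is applied.
    Assumption (not stated on this page): an explicit DENY entry wins over a
    PERMIT entry inside the same ACL; no matching entry at all is INDETERMINATE."""
    if principals & acl.denies:
        return DENY
    if principals & acl.permits:
        return PERMIT
    return INDETERMINATE


def combine(parent_type: str, parent: str, child: str) -> str:
    """Merge a parent decision with a child decision using the parent's
    inheritance-type, as the four values are defined in the guide."""
    if parent_type == "parent-overrides":
        return child if parent == INDETERMINATE else parent
    if parent_type == "child-overrides":
        return parent if child == INDETERMINATE else child
    if parent_type == "and-both-permit":
        return PERMIT if (parent == PERMIT and child == PERMIT) else DENY
    # leaf-node terminates the chain, so nothing may inherit from it; an ACL
    # that does is treated as a broken chain (assumption).
    return INDETERMINATE


def resolve(acls: Dict[str, Acl], url: str, principals: FrozenSet[str]) -> str:
    """Authorization decision for `url` given the user's principal names."""
    chain: List[Acl] = []            # document first, top-level node last
    seen = set()
    node = acls.get(url)
    while node is not None:
        if node.url in seen:         # cycle guard (assumption: treat as broken chain)
            return INDETERMINATE
        seen.add(node.url)
        chain.append(node)
        if node.inherit_from is None:
            break
        node = acls.get(node.inherit_from)
        if node is None:             # guide's note: parent URL has no per-URL ACL
            return INDETERMINATE
    if not chain:
        return INDETERMINATE         # the document itself carries no per-URL ACL
    chain.reverse()                  # fold from the top-level node down to the document
    decision = local_decision(chain[0], principals)
    for parent, child in zip(chain, chain[1:]):
        decision = combine(parent.inheritance_type, decision,
                           local_decision(child, principals))
    return decision


# Constructed sample: a Windows-share-style tree and a SharePoint-style tree.
SAMPLE_ACLS = {a.url: a for a in [
    # Share permissions dominate everything beneath them (parent-overrides).
    Acl("smb://fs/share", "parent-overrides",
        permits=frozenset({"group:staff"}), denies=frozenset({"group:contractors"})),
    # Folder: its children's more specific entries win (child-overrides).
    Acl("smb://fs/share/hr", "child-overrides", inherit_from="smb://fs/share",
        permits=frozenset({"user:dave", "user:carol"})),
    Acl("smb://fs/share/hr/salaries.xlsx", "leaf-node", inherit_from="smb://fs/share/hr"),
    # Broken chain: inherit-from names a URL that carries no per-URL ACL.
    Acl("smb://fs/share/orphan.txt", "leaf-node", inherit_from="smb://fs/share/missing"),
    # SharePoint-style: every level must PERMIT (and-both-permit).
    Acl("https://sp/site", "and-both-permit", permits=frozenset({"user:erin", "user:frank"})),
    Acl("https://sp/site/list", "and-both-permit", inherit_from="https://sp/site",
        permits=frozenset({"user:erin"})),
    Acl("https://sp/site/list/doc.docx", "leaf-node", inherit_from="https://sp/site/list",
        permits=frozenset({"user:erin", "user:frank"})),
]}

if __name__ == "__main__":
    doc = "smb://fs/share/hr/salaries.xlsx"
    for who in [{"user:alice", "group:staff"}, {"user:carol", "group:contractors"},
                {"user:dave"}, {"user:guest"}]:
        print(sorted(who), doc, resolve(SAMPLE_ACLS, doc, frozenset(who)))
    print("orphan", resolve(SAMPLE_ACLS, "smb://fs/share/orphan.txt", frozenset({"group:staff"})))
    for who in ["user:erin", "user:frank"]:
        print(who, resolve(SAMPLE_ACLS, "https://sp/site/list/doc.docx", frozenset({who})))
```

Running it shows the rules in action: carol's folder-level PERMIT cannot loosen the share-level DENY (parent-overrides), dave is permitted only because the share is INDETERMINATE for him, frank is denied on the SharePoint document because the list level never permits him, and orphan.txt is INDETERMINATE for everyone because its inherit-from points at a URL without a per-URL ACL.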