IBM Content Manager, Version 8.5.0.3 (Supports: IBM Content Navigator)

Access control lists

An access control list (ACL) is used as an additional check at run time to determine what create, retrieve, update, and delete operations a user can execute. An ACL is a list of ACL rules. Each rule contains one user ID or one user group and an associated privilege set. You use ACLs to control user access to objects in the system. The objects that can be associated with access control lists are the data objects stored by users, item types and item type subsets, worklists, and processes.

Beginning in Version 8.6, a user or user group can have more than one ACL rule within the same ACL. This change enables more flexible ACL management. ACL rules can exist for different roles within a user group. At runtime, the privilege checking includes the union of the different rules for that user or user group. Also, client applications can have roles defined by user privilege sets that are used with user ACLs to control access to items. These client-created ACL rules do not have to be merged in the database with any existing ACL rules for that user group.

In addition, your content management system might have public access enabled in the library server configuration. If so, then you can also add multiple ACL rules in an ACL for the system-defined ICMPUBLC user group.

An assigned ACL restricts an individual user's access to an object, whereas the user's assigned privilege or privilege set defines that user's maximum ability to use the system. An ACL that lists a privilege not included in a user's privilege set does not grant the user that privilege: an ACL limits access, it never extends it. A user's effective privileges on an object are therefore only those that appear both in the user's privilege set and in the ACL rules that apply to that user. ACLs provide another level of security when managing a system.

You can specify the access control list binding level in the IBM® Content Manager system administration client New Item Type Definition Access Control window. If you select Item type level, the access control list that you defined for the item type applies to all CRUD (create, retrieve, update and delete) operations on every item of that item type. If you select Item level, the access control list assigned to each individual item applies. If you change the binding level from the item level to the item type level, the existing item-level ACLs are ignored.
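The following model, added here as an illustration and not taken from IBM Content Manager or its APIs, shows how the preceding rules combine at run time: the privileges of every ACL rule that names the user, one of the user's groups, or ICMPUBLC (when public access is enabled) are unioned, the result is intersected with the user's own privilege set, and the binding level decides whether the item type's ACL or the item's ACL is consulted. The privilege names, the Editors group, the users alice, bob and carol, and the function names are assumptions chosen for the example; the sample ACLs are constructed.

```python
"""Model of how an IBM Content Manager ACL check resolves a user's
effective privileges on an object.

Added illustration for this page, not the product's own code or API.
Every name below (AclRule, User, effective_privileges, the Editors
group, the users, the privilege strings) is an assumption for the example.
"""
from dataclasses import dataclass

# Stand-ins for the product's create/retrieve/update/delete privileges (assumed names).
CREATE, RETRIEVE, UPDATE, DELETE = "Create", "Retrieve", "Update", "Delete"
ALL_CRUD = frozenset({CREATE, RETRIEVE, UPDATE, DELETE})

PUBLIC_GROUP = "ICMPUBLC"  # system-defined group that matters only with public access enabled
ITEM_TYPE_LEVEL, ITEM_LEVEL = "item type", "item"  # the two binding levels


@dataclass(frozen=True)
class AclRule:
    subject: str              # exactly one user ID or one user group
    privileges: frozenset     # the privilege set attached to this rule


@dataclass(frozen=True)
class User:
    user_id: str
    groups: frozenset
    privilege_set: frozenset  # the user's maximum ability in the system


def acl_privileges(acl, user, public_access_enabled=False):
    """Union of every rule that names the user, one of the user's groups,
    or ICMPUBLC when public access is enabled. A subject may appear in
    more than one rule of the same ACL; all of its rules are unioned."""
    subjects = {user.user_id, *user.groups}
    if public_access_enabled:
        subjects.add(PUBLIC_GROUP)
    granted = set()
    for rule in acl:
        if rule.subject in subjects:
            granted |= rule.privileges
    return frozenset(granted)


def effective_privileges(acl, user, public_access_enabled=False):
    """An ACL restricts and never grants: a privilege missing from the
    user's own privilege set is dropped even if the ACL lists it."""
    return acl_privileges(acl, user, public_access_enabled) & user.privilege_set


def select_acl(binding_level, item_type_acl, item_acl):
    """Item type level: the item type's ACL governs every item of the type
    and item-level ACLs are ignored. Item level: the item's own ACL applies."""
    if binding_level == ITEM_TYPE_LEVEL:
        return item_type_acl
    if binding_level == ITEM_LEVEL:
        return item_acl
    raise ValueError(f"unknown binding level: {binding_level!r}")


def can_perform(op, acl, user, public_access_enabled=False):
    return op in effective_privileges(acl, user, public_access_enabled)


# Constructed sample data: an item type ACL and one item's own ACL.
CONTRACTS_ACL = (
    AclRule("Editors", frozenset({RETRIEVE, UPDATE})),
    AclRule("Editors", frozenset({CREATE})),       # second rule for the same group
    AclRule("alice", frozenset({DELETE})),
    AclRule(PUBLIC_GROUP, frozenset({RETRIEVE})),   # applies only with public access on
)
ITEM_ACL = (AclRule("bob", ALL_CRUD),)              # item-level ACL granting bob everything

alice = User("alice", frozenset({"Editors"}), ALL_CRUD)
bob = User("bob", frozenset({"Editors"}), frozenset({RETRIEVE, UPDATE, DELETE}))  # lacks Create
carol = User("carol", frozenset(), ALL_CRUD)       # named by no rule; only ICMPUBLC can reach her

if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.user_id, sorted(effective_privileges(CONTRACTS_ACL, u)))
    print("carol with public access:", sorted(effective_privileges(CONTRACTS_ACL, carol, True)))
    for level in (ITEM_TYPE_LEVEL, ITEM_LEVEL):
        acl = select_acl(level, CONTRACTS_ACL, ITEM_ACL)
        print(f"{level} binding: bob may delete ->", can_perform(DELETE, acl, bob))
```

Two points the run makes visible: bob is granted Create by the Editors rule but never gets it, because Create is not in his privilege set; and bob's item-level grant of Delete is only honoured when the binding level is Item level, since at Item type level the item's own ACL is ignored.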

One access control list, SuperUserACL, consists of a single rule that authorizes a preconfigured IBM Content Manager user, such as ICMADMIN, to perform all IBM Content Manager functions. This access control list is not listed in the system administration client, but it can be assigned to entities such as an item type.

Any access control list (ACL) created by an IBM Content Manager administrator is called an administrative ACL. An IBM Content Manager administrator is a user who has system privileges SystemSetACL and SystemDefineACL. Administrative ACLs can be defined using the system administration client and are used with administrative objects, such as item types and item type views, or items.

Users with non-administrative privileges can define their own ACLs for use with items only. These ACLs are called user ACLs and can be created by a user who has the UserACLOwner privilege. Users can search on user ACLs. User ACLs are not displayed in the system administration client. A user who is listed in the user ACL and who has the UserACLOwner privilege, or an administrator, can modify a user ACL by using the APIs.

Restriction: To use the user ACL feature on z/OS®, you must have the z/OS callable services interface, ICSF CSNBOWH. This service is a base element of z/OS, but the ICSF callable services must be configured by a z/OS system administrator. For more information about setting up ICSF, see these sources:

For more information on user ACLs, see the Application Programming Reference and Application Programming Guide.



Last updated: June 2015
mua10052.htm

© Copyright IBM Corporation 1993, 2015.