Access Control List evaluation

When users attempt to access a protected resource, the applicable Access Control List (ACL) for the protected resource is evaluated to determine whether access is granted.

The first stage in the evaluation is to determine whether the user that requests access has an active login session (authenticated) or does not have an active login session (unauthenticated).

ACL evaluation flow

When an authenticated user attempts to access a protected resource, the evaluation is done in the following order.
  • Match the user ID with the User ACL entries. The evaluation stops on a User entry match. The permissions that are granted are the permissions in the matching User entry.
  • If there is no matching User entry, then determine the groups to which the user belongs and match those groups to the Group entries in the ACL. The evaluation stops on any Group match. If more than one Group entry is matched, then the resulting permissions are the most permissive of the matching entries.
  • If there is no matching User or Group entry, then grant the permissions of the Any-other entry, if it exists.
  • If there is no matching User or Group entry, and no Any-other entry, then the user has no permissions.

When an unauthenticated user attempts to access a protected resource, the evaluation is done in the following way.
  • If the ACL does not contain an entry for Unauthenticated, then access is denied.
  • If the ACL does not contain an entry for Any-other, then access is denied.
  • If the ACL contains an entry for Unauthenticated and an entry for Any-other, then grant the permissions that are present in both the Unauthenticated entry and the Any-other entry. The permissions that are granted to unauthenticated users do not exceed the permissions that are given in the Any-other entry.
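
The following Python example is added here and is not product code; it implements the authenticated and unauthenticated evaluation flows described above. The Acl class, the evaluate function, the permission names, and the sample principals are assumptions made for illustration, and multiple Group matches are modelled as the union of their permissions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional

Perms = FrozenSet[str]
NO_PERMS: Perms = frozenset()

@dataclass
class Acl:
    users: Dict[str, Perms] = field(default_factory=dict)
    groups: Dict[str, Perms] = field(default_factory=dict)
    any_other: Optional[Perms] = None        # None means the entry is absent
    unauthenticated: Optional[Perms] = None  # None means the entry is absent

def evaluate(acl: Acl, user: Optional[str] = None, groups: Iterable[str] = ()) -> Perms:
    """Effective permissions; user=None means no active login session."""
    if user is None:
        # Both entries must exist; the result never exceeds Any-other.
        if acl.unauthenticated is None or acl.any_other is None:
            return NO_PERMS
        return acl.unauthenticated & acl.any_other
    if user in acl.users:
        # A User match ends evaluation, even if it grants less than the groups.
        return acl.users[user]
    matched = [acl.groups[g] for g in groups if g in acl.groups]
    if matched:
        # Assumption: "most permissive" is modelled as the union of the matches.
        return NO_PERMS.union(*matched)
    return acl.any_other if acl.any_other is not None else NO_PERMS

# Constructed sample ACL; permission and principal names are illustrative.
SAMPLE_ACL = Acl(
    users={"alice": frozenset({"read"})},
    groups={"staff": frozenset({"read", "write"}), "ops": frozenset({"read", "delete"})},
    any_other=frozenset({"read"}),
    unauthenticated=frozenset({"read", "write"}),
)

if __name__ == "__main__":
    for label, args in [
        ("alice in staff", ("alice", ["staff"])),
        ("bob in staff+ops", ("bob", ["staff", "ops"])),
        ("carol, no groups", ("carol", [])),
        ("unauthenticated", (None, [])),
    ]:
        print(f"{label:18} -> {sorted(evaluate(SAMPLE_ACL, *args))}")
```

In the sample, alice receives only the permissions of her User entry although her group grants more, and the unauthenticated result is capped by the Any-other entry.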