ACL File Components

Diagrams providing details on the syntax and usage of ACL file components.

Sybase CEP Engine access control ACL files use a simplified version of the eXtensible Access Control Markup Language (XACML). The following diagram illustrates the overall structure of the IP-access ACL file:

The rest of this section discusses in detail the syntax and usage of the components shown in the diagram. The syntax illustrations in the following discussions use several conventions:

PolicySet

Syntax:

<PolicySet xmlns="http://www.sybase.com/access_control/">
  policy
  [policy]
  [...]
</PolicySet>

Description:

The entire contents of the ACL must be contained in the "PolicySet" element, which specifies the CEP Engine access control policy set. The "PolicySet" element contains one or more "Policy" elements.

Policy

Syntax:

<Policy PolicyId="policy-name">
  rule
  [rule]
  [...]
</Policy>

Description:

The "Policy" element defines a single access policy. An ACL file's "PolicySet" contains one or more "Policy" elements. The "Policy" element requires:

  • A "PolicyId" property, which specifies a unique name for the policy.

  • One or more "Rule" elements.

Rule

Syntax:

<Rule RuleId="rule-name" Effect="effect">
  target
</Rule>

Effect: Permit or Deny

Description:

The "Rule" element defines a single rule for an access policy. A single "Policy" element contains one or more "Rule" elements. The "Rule" element requires:

  • A "RuleId" property, which specifies a unique name for the rule.

  • An "Effect" property, which specifies whether to permit or deny certain actions, which certain IP addresses, host names, users, or groups try to perform on certain Sybase CEP Engine resources. Note that the "Effect" property specifies only Permit or Deny. The specifics of what the rule is permitting or denying are included in the "Target" element.

  • A single "Target" element.

Target

Syntax:

<Target>
  <Subjects>
    <AnySubject/> | restricted-subjects
  </Subjects>
  <Resources>
    resource
    [resource]
    [...]
  </Resources>
  <Actions>
    action
    [action]
    [...]
  </Actions>
</Target>

restricted-subjects: Come in four varieties, as listed here. You can specify more than one subject.

host-subject: May include any of the following:

  • <Hostname>hostname</Hostname> where hostname is a case-insensitive POSIX regular expression that matches a host name. For more information about POSIX regular expressions, see http://www.boost.org/doc/libs/1_41_0/libs/regex/doc/html/boost_regex/syntax/basic_syntax.html.

  • <IP>IP-address</IP> where IP-address is an IP address in xxx.xxx.xxx.xxx format.

  • <IPRange>IP-address-range</IPRange> where IP-address-range is specified in either bitmask notation or range notation.

    • bitmask notation: Specifies an IP address in XXX.XXX.XXX.XXX/YY format, in which XXX.XXX.XXX.XXX is a bitmask and YY is the number of bits, counted from left to right, that are considered when screening IP addresses. This subject specification encompasses all addresses whose first YY bits match the first YY bits of the bitmask you specified in XXX.XXX.XXX.XXX. Sybase CEP Engine ignores all bits to the right of the YY bits considered. For example, if you specify an IP range as 144.227.192.2/16, this range accepts all addresses starting with 144.227 as valid subjects.

    • range notation: Specifies an IP address range in IP1 - IP2 format, for example, 10.10.10.10 - 10.10.10.20. All IP addresses within the range are included in the subject specification.

user-subject: <User>user-name</User> where user-name is a case-insensitive POSIX regular expression that matches a defined user name.

group-subject: <Group>group-name</Group> where group-name is a case-sensitive POSIX regular expression that matches a defined user group name.

shared-secret-subject: <SharedSecret/>

resource: Resources can be set to any of the following values. Multiple resources can also be specified.

  • <AnyResource/>

  • <Server/>

  • <Workspace>workspace</Workspace> where workspace is a case-insensitive POSIX regular expression that matches the name of a workspace on Sybase CEP Server.

  • <Project>project</Project> where project is a case-insensitive POSIX regular expression that matches the name of a project in a workspace, using the workspace-name/project-name format.

  • <Stream>data-stream</Stream> where data-stream is a case-insensitive POSIX regular expression that matches one or more Sybase C8 streams, using the workspace-name/project-name/[submodule-name][.../]data-stream-name format.

    You can get information used in specifying the "Stream" resource in the ACL file from Sybase CEP Studio, where it is displayed in the Properties View when the workspace, project or stream are selected. The CCL URI displayed in Sybase CEP Studio uses the following format:

    ccl://host-name:port/Stream/path
    

    The data-stream specification in the "Stream" resource uses the path portion of this URI, for example:

    myworkspace/myproject/instream
    

action: Actions can be set to any of the following values. Multiple actions can be specified.

  • <AnyAction/>

  • <Connect/>

  • <Read/>

  • <Write/>

  • <StartStop/>

  • <CreateDestroy/>

  • <GetStatus/>

Description:

The "Target" element is contained within the "Rule" element. The "Target" contains three elements, which answer the following questions within the rule:

  • The "Subjects" element answers the question of which hosts, users and/or user groups are permitted or denied access to a resource.

  • The "Resources" element answers the question of which resources are being made accessible or inaccessible to the subjects.

  • The "Actions" element answers the question of which actions pertaining to the resource are permitted or not permitted to the subject.

Specify the "Subjects", "Resources" and "Actions" elements, using the syntax detailed in the syntax section. These settings are further explained in this section:

  • "Subjects": The empty "AnySubject" element (<AnySubject/>) creates a rule that applies to any host, user, or user group that attempts to perform the specified action on the specified resource. To restrict the rule to certain hosts, users, or user groups, use one or more host-subject, user-subject, and/or group-subject elements instead of "AnySubject".

    Specify a special empty shared-secret-subject (specified as <SharedSecret/>) once at the beginning of the ACL file to enable Sybase CEP Server connectivity.

    host-subject elements include "Hostname", "IP" and "IPRange" elements. You can specify any number of these in any combination in a single "Target" element.

    Note: Specifying Subjects to Connect to the Local Computer: Because of differences in the way that Microsoft Windows and UNIX-like operating systems handle connections to the local machine, Sybase advises that you configure subjects connecting to the local machine either with both the loopback IP address 127.0.0.1 and the external IP address, or with both localhost and the external host name.

    user-subject elements include the "User" element. You can specify any number of "User" elements in a single "Target" element.

    Note: User credentials are sent over the network as unencrypted text. To protect the user credentials from network analyzers, enable the Secure Socket Layer (SSL). See "Configuring SSL Support" for more information about enabling SSL.

    group-subject elements include the "Group" element. You can specify any number of "Group" elements in a single "Target" element.

    If you specify multiple subjects in a single "Target", the rule applies to any host, user, or group that meets the criteria for at least one subject specification from each of the included groups. For example, a "Target" that includes a "Hostname" subject, an "IPRange" subject, and two "User" subjects applies to either of the indicated users when the computer from which they try to access the resource either matches the "Hostname" or falls within the "IPRange".

    Here are some examples of "Subjects" elements:

    <Subjects>
      <AnySubject/>
    </Subjects>
    <Subjects>
      <Hostname>.*\.sybase\.com</Hostname>
    </Subjects>
    <Subjects>
      <IP>192.168.10.10</IP>
      <IPRange>192.168.0.12/24</IPRange>
    </Subjects>
    <Subjects>
      <IP>192.168.10.10</IP>
      <User>jdoe</User>
      <Group>qagroup</Group>
    </Subjects>

  • "Resources": The empty "AnyResource" element (specified as <AnyResource/>) creates a rule that applies to any Sybase CEP Server resource requested by one of the subjects. To restrict the rule to certain resources, use the "Server", "Workspace", "Project", and/or "Stream" elements, in any combination. (The "Server" resource setting is typically used in conjunction with the "Connect" action, to permit or deny access to Sybase CEP Server.)

    If you identify multiple resources, the subjects are allowed or denied access to any of the specified resources. For more information about how a resource hierarchy is used to grant or deny access to various resources, see "ACL Policy Set Implementation".

    Here is an example of a "Resources" element:

    <Resources>
      <Stream>Production/.*/StreamIn</Stream>
      <Stream>Production/.*/StreamOut</Stream>
    </Resources>

  • "Actions": The "AnyAction" element (specified as <AnyAction/>) creates a rule that applies to any actions that the subject attempts on the specified resource. To restrict the rule to certain actions, use the "Connect", "Read", "Write", "Start/Stop", "Create/Destroy", and/or "GetStatus" elements, in any combination. If you identify multiple resources, the subjects are allowed or denied access to any of the specified actions. All elements contained inside an "Actions" element are empty. Here is an example of an "Actions" element:

    <Actions>
      <StartStop/>
    </Actions>


    Action requests are interrelated. The ability to perform certain actions depends on access to certain other types of actions:

    • Connection to a resource should be enabled in order to allow any other action on that resource. Connections can be enabled explicitly by using the "Connect" action, or by using the "AnyAction" action. If the connection is not enabled, the subject is not allowed to perform actions on the resource, even if a rule states that those actions are permitted.

    • To enable "GetStatus" for a status stream, the subject should also be enabled to "Read" from the status stream.

    • To enable SOAP calls to access resources, the resource should also be enabled to "GetStatus", "StartStop" or "Read".
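The subject, resource and action matching described above, as an added Python example that is not part of the Sybase documentation: it parses a constructed ACL in the format shown on this page and reports which "Rule" elements' "Target" matches a request, covering the bitmask and range forms of "IPRange" and the "one match from each subject kind" semantics. Python's re module stands in for the POSIX regular expression engine, and how multiple matching rules combine (see "ACL Policy Set Implementation") is deliberately not modelled.

```python
import ipaddress, re
import xml.etree.ElementTree as ET

NS = "{http://www.sybase.com/access_control/}"
# Constructed sample ACL in the page's format (placeholder names, not a real deployment).
SAMPLE_ACL = """<PolicySet xmlns="http://www.sybase.com/access_control/">
 <Policy PolicyId="sample"><Rule RuleId="lan-readers" Effect="Permit"><Target>
  <Subjects><Hostname>.*\\.example\\.com</Hostname><IPRange>192.168.0.12/24</IPRange>
   <User>jdoe</User><User>asmith</User></Subjects>
  <Resources><Stream>Production/.*/StreamIn</Stream></Resources><Actions><Connect/><Read/></Actions>
 </Target></Rule><Rule RuleId="deny-lab" Effect="Deny"><Target>
  <Subjects><IPRange>10.10.10.10 - 10.10.10.20</IPRange></Subjects>
  <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
 </Target></Rule></Policy></PolicySet>"""

def ip_in_range(spec, ip):  # IPRange in bitmask (XXX.XXX.XXX.XXX/YY) or range (IP1 - IP2) notation
    addr = ipaddress.IPv4Address(ip)
    if "/" in spec:  # strict=False: bits to the right of the YY prefix are ignored, as documented
        return addr in ipaddress.IPv4Network(spec.replace(" ", ""), strict=False)
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
    return lo <= addr <= hi

def host_ok(s, req):  # one host-subject element (Hostname, IP or IPRange) against the request
    if s.tag == NS + "Hostname":  # case-insensitive regular expression on the host name
        return re.fullmatch(s.text, req["host"], re.IGNORECASE) is not None
    if s.tag == NS + "IP":
        return s.text.strip() == req["ip"]
    return ip_in_range(s.text, req["ip"])

def subjects_match(subjects, req):  # AnySubject, or one match from each subject kind present
    if subjects.find(NS + "AnySubject") is not None:
        return True
    hosts = [s for s in subjects if s.tag in (NS + "Hostname", NS + "IP", NS + "IPRange")]
    users, groups = subjects.findall(NS + "User"), subjects.findall(NS + "Group")
    return ((not hosts or any(host_ok(s, req) for s in hosts))
            and (not users or any(re.fullmatch(u.text, req["user"], re.IGNORECASE) for u in users))
            and (not groups or any(re.fullmatch(g.text, req["group"]) for g in groups)))

def matching_rules(acl_xml, req):  # (RuleId, Effect) of every Rule whose Target matches the request
    out = []
    for rule in ET.fromstring(acl_xml).iter(NS + "Rule"):
        t = rule.find(NS + "Target")
        res, act = t.find(NS + "Resources"), t.find(NS + "Actions")
        res_ok = res.find(NS + "AnyResource") is not None or any(
            r.tag == NS + req["rtype"] and (r.text is None or re.fullmatch(r.text, req["resource"], re.IGNORECASE))
            for r in res)
        act_ok = act.find(NS + "AnyAction") is not None or act.find(NS + req["action"]) is not None
        if subjects_match(t.find(NS + "Subjects"), req) and res_ok and act_ok:
            out.append((rule.get("RuleId"), rule.get("Effect")))
    return out
```

A request is a dict with the connecting host name and IP, the user and group names, the resource type and path, and the action element name; a request from 10.10.10.15 matches both rules, which is exactly the case the policy-set combining rules have to resolve.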