Roles, Resources, and Actions

To restrict user access through the access control system, each user must have a defined role. This role must be associated with resources and authorized actions for the resources. You configure roles, resources, and actions in the policy.xml file.

Roles

Roles in the policy.xml file are equivalent to group names, which are defined in the security provider (LDAP or your operating system). In the access control process, the security provider server determines whether the user belongs to a particular group. If so, that group is treated as the user's role, and the role limits the resources and actions the user can access.

The special *any role includes everyone. When you use the *any role in a policy, no call is made to the security provider to check whether the user is part of the role.

Resources and Policy Types

A policy.xml file can include policies of three types: Cluster, Project, and Node.

Cluster policies apply to these resources:
  • Application – add, remove, start, stop, and get Projects
  • Node – get controller and manager nodes, and stop nodes
  • Security – for adding RSA users and reloading the policy file
  • Workspace – add, remove, and get workspaces
  • *any – includes all of the above

Cluster resources are not hierarchical and do not support inheritance of entitlement.

The Project policy type includes resources such as streams and windows (which run in the project server). Resources in the policy file are defined in a file path or tree-like hierarchy using "/" to indicate children. For example, if you have a project called workspace1/project1 which has stream1 and window1 elements, you can define these resources in the policy file like this:
  • <Resource>workspace1</Resource>
  • <Resource>workspace1/project1</Resource>
  • <Resource>workspace1/project1/stream1</Resource>
  • <Resource>workspace1/project1/window1</Resource>
For Project resources, Event Stream Processor supports inheritance of entitlement: a user who is authorized for an action on resource workspace1 is automatically authorized for the same action on all resources under workspace1 in the hierarchy.

The special *any resource refers to all the resources available for a policy type. *any is especially useful for the Project policy type because there are so many possible resources. You cannot define the *any resource in a granular fashion, such as workspace1/*any.

The Node policy type applies only to the Node resource. To enable Sybase Control Center to monitor a node, you must add a Node policy to the node’s policy.xml file. For details, see the online help for Sybase Control Center for Event Stream Processor.

Actions

You can specify four actions (access methods) for resources in policy.xml: READ, WRITE, START, and STOP. The availability and meaning of each action depend on the policy type and resource.
Policy Type | Resource | Action | Description
--- | --- | --- | ---
Cluster | Application (project) | READ | Get the list of projects and information about the projects. Get streams, windows, and schemas. Monitor projects and streams. Monitor connections to projects, streams, and windows.
Cluster | Application (project) | WRITE | Add projects to the cluster or remove them from the cluster.
Cluster | Application (project) | START | Start projects in the cluster.
Cluster | Application (project) | STOP | Stop projects in the cluster.
Cluster | Node | READ | Get the list of managers and controllers and information about those nodes.
Cluster | Node | STOP | Stop nodes.
Cluster | Security | WRITE | Upload the policy file. Add a user by deploying a public key to the cluster's keystore.
Cluster | Workspace | READ | Get the list of workspaces in the cluster and information about the workspaces.
Cluster | Workspace | WRITE | Add workspaces to the cluster or remove them from the cluster.
Cluster | *any | READ, WRITE, START, STOP | Encompasses all Cluster resources. Set READ, WRITE, START, and STOP actions as for the other Cluster resources. Actions are ignored for resources that do not support them.
Node | Node | READ | Get the list of nodes and information about those nodes. Use to enable monitoring by Sybase Control Center.
Node | Node | STOP | Stop nodes. Use to enable management by Sybase Control Center.
Project | Project path | READ | Subscribe to streams and windows in the project.
Project | Project path | WRITE | Publish to all streams and windows in the project. Play back to all streams and windows in the project. Upload to all streams and windows in the project.
Project | Project path | START | Start all adapters in the project.
Project | Project path | STOP | Stop all adapters in the project.
Project | Stream or window path | READ | Subscribe to a stream or window.
Project | Stream or window path | WRITE | Publish to the stream or window. Play back to the stream or window. Upload to the stream or window.
Project | Stream or window path | START | Start adapters attached to the stream or window.
Project | Stream or window path | STOP | Stop adapters attached to the stream or window.
Project | Workspace path | READ | Subscribe to all streams and windows in the workspace.
Project | Workspace path | WRITE | Publish to all streams and windows in the workspace. Play back to all streams and windows in the workspace. Upload to all streams and windows in the workspace.
Project | Workspace path | START | Start all adapters in the projects in the workspace.
Project | Workspace path | STOP | Stop all adapters in the projects in the workspace.
Project | *any | READ, WRITE, START, STOP | Encompasses all Project resources. Set READ, WRITE, START, and STOP actions as for the other Project resources.

Access Control Scenario

When the client makes a login call, the security services authenticate the user. When a user of Role A tries to access Resource B, verification ensures the user is authorized to access the resource and perform the desired action on the resource.

Example 1

A policy file is configured so that Resource B can be accessed by users of Role A with Action READ. If a user with Role A tries to perform a WRITE action on Resource B, the user is not authorized. However, if the user tries to READ Resource B, the action is authorized.
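The following is an added model of the authorization rules this page describes (hierarchical inheritance for Project resources only, the *any role that skips the security-provider lookup, the non-granular *any resource, and the Example 1 decision). It is not Event Stream Processor's own code and does not parse policy.xml: the policy is a constructed list of tuples, and the role names, paths and the in_group callback are assumptions standing in for the LDAP or operating-system group check.

```python
from typing import Callable, Iterable, Tuple

# Constructed policy, not a real policy.xml: (policy_type, role, resource, action).
Rule = Tuple[str, str, str, str]
POLICY: Tuple[Rule, ...] = (
    ("Cluster", "operators", "Application", "READ"),
    ("Cluster", "operators", "Application", "START"),
    ("Project", "analysts", "workspace1", "READ"),               # inherited below workspace1
    ("Project", "admins", "*any", "WRITE"),                      # every Project resource
    ("Project", "*any", "workspace1/project1/stream1", "READ"),  # open to everyone
)
ACTIONS = {"READ", "WRITE", "START", "STOP"}


def validate(policy: Iterable[Rule]) -> None:
    """Reject rules the page disallows: unknown actions and granular *any (workspace1/*any)."""
    for _ptype, _role, resource, action in policy:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if "*any" in resource and resource != "*any":
            raise ValueError(f"*any cannot be defined in a granular fashion: {resource!r}")


def resource_matches(ptype: str, granted: str, requested: str) -> bool:
    """*any covers every resource of the policy type; Project paths inherit along '/',
    Cluster resources are not hierarchical and only match exactly."""
    if granted == "*any" or granted == requested:
        return True
    return ptype == "Project" and requested.startswith(granted + "/")


def authorize(policy: Iterable[Rule], ptype: str, resource: str, action: str,
              in_group: Callable[[str], bool]) -> bool:
    """Decide a request; in_group(role) stands in for the security-provider group check."""
    # Evaluate *any-role rules first so an open resource never triggers a provider call.
    for rule_type, role, granted, granted_action in sorted(policy, key=lambda r: r[1] != "*any"):
        if rule_type != ptype or granted_action != action:
            continue
        if not resource_matches(ptype, granted, resource):
            continue
        if role == "*any" or in_group(role):
            return True
    return False


def example_1(in_group: Callable[[str], bool]) -> Tuple[bool, bool]:
    """Example 1 from the page: Role A (analysts) holds READ on Resource B (workspace1)."""
    return (authorize(POLICY, "Project", "workspace1", "READ", in_group),
            authorize(POLICY, "Project", "workspace1", "WRITE", in_group))
```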