ACL Policy Set Implementation

When access control is enabled, Sybase CEP Engine checks incoming requests for actions on resources against the rules contained in a policy. This section describes the general rules that apply to all policy sets.

The following table lists the actions and resources required to complete specific tasks, and the order in which the rules controlling access to those resources are checked. Where a task requires more than one type of action, the rules must permit every required action type, or must permit <AnyAction/>. A rule permitting an action must appear earlier in the ACL file than any rule denying that action; likewise, a rule permitting access to a resource must appear earlier in the file than any rule denying access to that resource. Otherwise, the action, or access to the resource, is denied.

Rule Implementation Order

Each entry below gives the task a subject tries to perform, the actions that must match, and the resources that are searched, in order, for a match.

Task: Connect to Sybase CEP Server and see a list of workspaces.
  Actions: <AnyAction/>, or <Connect/> and <GetStatus/>
  Resources, searched in order:
    1. <AnyResource/>
    2. <Server/>

Task: Create or destroy a workspace on Sybase CEP Server.
  Actions: <AnyAction/>, or <Connect/> and <CreateDestroy/>
  Resources, searched in order:
    1. <AnyResource/>
    2. <Workspace>workspace-name</Workspace>
    3. <Server/>

Task: Connect to a workspace on Sybase CEP Server.
  Actions: <AnyAction/>, or <Connect/> and <GetStatus/>
  Resources, searched in order:
    1. <AnyResource/>
    2. <Workspace>workspace-name</Workspace>
    3. <Server/>

Task: Start or stop a project in a workspace.
  Actions: <AnyAction/>, or <Connect/> and <StartStop/>
  Resources, searched in order:
    1. <AnyResource/>
    2. <Project>workspace-name/project-name</Project>
    3. <Workspace>workspace-name</Workspace>
    4. <Server/>

Task: Read from a stream, or write to a stream, in a project in a workspace.
  Actions: <AnyAction/>; or <Connect/> and <Read/> (to read); or <Connect/> and <Write/> (to write)
  Resources, searched in order:
    1. <AnyResource/>
    2. <Stream>/workspace-name/project-name/[submodule-name/] [.../]stream-name</Stream>
    3. <Project>workspace-name/project-name</Project>
    4. <Workspace>workspace-name</Workspace>
    5. <Server/>

Task: Query a public window in a project in a workspace (requires both Connect and Read permission).
  Actions: <AnyAction/>, or <Connect/> and <Read/>
  Resources, searched in order:
    1. <AnyResource/>
    2. <Project>workspace-name/project-name</Project>
    3. <Workspace>workspace-name</Workspace>
    4. <Server/>
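The following toy evaluator is an added example, not Sybase code, written to make the rule-ordering paragraph and the table above concrete. It models one reading of the semantics: for each required action the resource levels are walked in the table's order, within a level the first rule in file order whose action and resource both match decides, and a task is granted only when every required action is permitted. The tuple representation of rules, the implicit deny when no rule matches, and the sample policies are assumptions for illustration and do not reflect the ACL file's actual syntax.

```python
"""Toy evaluator for the rule-ordering semantics above (added example, not Sybase code).

Assumptions not taken from the page: a rule is written as an (effect, actions,
resource) tuple instead of the ACL file's own syntax; at a given resource level
the first rule in file order whose action and resource both match decides the
result, which is one reading of "a permit must appear before any deny"; a task
is granted only when every required action is granted; with no matching rule at
any level the request is denied.
"""
from typing import Dict, FrozenSet, Sequence, Tuple

Resource = Tuple[str, str]                      # (kind, name), e.g. ("Project", "ws1/p1")
Rule = Tuple[str, FrozenSet[str], Resource]     # ("permit" | "deny", {actions}, resource)

# Required actions and resource search order for each task, copied from the table.
TASKS: Dict[str, Tuple[Sequence[str], Sequence[str]]] = {
    "list_workspaces":    (("Connect", "GetStatus"),
                           ("AnyResource", "Server")),
    "create_destroy_ws":  (("Connect", "CreateDestroy"),
                           ("AnyResource", "Workspace", "Server")),
    "connect_workspace":  (("Connect", "GetStatus"),
                           ("AnyResource", "Workspace", "Server")),
    "start_stop_project": (("Connect", "StartStop"),
                           ("AnyResource", "Project", "Workspace", "Server")),
    "read_stream":        (("Connect", "Read"),
                           ("AnyResource", "Stream", "Project", "Workspace", "Server")),
    "write_stream":       (("Connect", "Write"),
                           ("AnyResource", "Stream", "Project", "Workspace", "Server")),
    "query_window":       (("Connect", "Read"),
                           ("AnyResource", "Project", "Workspace", "Server")),
}


def rule(effect: str, actions: Sequence[str], kind: str, name: str = "") -> Rule:
    """Build one rule; <AnyResource/> and <Server/> carry no name."""
    return (effect, frozenset(actions), (kind, name))


def resource_names(workspace: str = "", project: str = "", stream: str = "") -> Dict[str, str]:
    """Name of the target at each resource level, in the naming shown in the table."""
    return {
        "AnyResource": "",
        "Server": "",
        "Workspace": workspace,
        "Project": f"{workspace}/{project}",
        "Stream": stream,          # full path form: /workspace/project/.../stream
    }


def decide_action(rules: Sequence[Rule], action: str, levels: Sequence[str],
                  names: Dict[str, str]) -> str:
    """Decide one action by walking the resource levels in table order.

    Within a level, rules are scanned in file order and the first one matching
    both the action (or <AnyAction/>) and the resource wins, so a deny written
    before a permit denies, which is the ordering trap the text warns about.
    """
    for level in levels:
        for effect, actions, (kind, name) in rules:
            if kind != level or name != names[level]:
                continue
            if "AnyAction" in actions or action in actions:
                return effect
    return "deny"                    # no rule at any level: implicit deny (assumption)


def authorized(rules: Sequence[Rule], task: str, **target: str) -> bool:
    """True only if every action the task requires is permitted."""
    required, levels = TASKS[task]
    names = resource_names(**target)
    return all(decide_action(rules, a, levels, names) == "permit" for a in required)


# Constructed sample policy: Connect on the server, Read on one project, Write on
# a single stream, GetStatus on one workspace, and everything denied on another.
POLICY_OK = [
    rule("permit", ["Connect"], "Server"),
    rule("permit", ["Read"], "Project", "ws1/p1"),
    rule("permit", ["Write"], "Stream", "/ws1/p1/s1"),
    rule("permit", ["GetStatus"], "Workspace", "ws1"),
    rule("deny", ["AnyAction"], "Workspace", "ws2"),
]

# Constructed misordered policy: the deny for Read on ws1/p1 precedes the permit.
POLICY_MISORDERED = [
    rule("permit", ["Connect"], "Server"),
    rule("deny", ["Read"], "Project", "ws1/p1"),
    rule("permit", ["Read"], "Project", "ws1/p1"),
]

if __name__ == "__main__":
    print(authorized(POLICY_OK, "query_window", workspace="ws1", project="p1"))    # True
    print(authorized(POLICY_OK, "query_window", workspace="ws2", project="p1"))    # False
    print(authorized(POLICY_OK, "write_stream", workspace="ws1", project="p1",
                     stream="/ws1/p1/s1"))                                         # True
    print(authorized(POLICY_OK, "write_stream", workspace="ws1", project="p1",
                     stream="/ws1/p1/s2"))                                         # False
    print(authorized(POLICY_OK, "list_workspaces"))                                # False
    print(authorized(POLICY_MISORDERED, "query_window", workspace="ws1", project="p1"))  # False
```

Two points worth noticing when running it: listing workspaces fails under POLICY_OK because <GetStatus/> is only granted at the workspace level and the table searches <Server/> for that task, and the Write permit on one stream does not leak to a sibling stream because the more specific <Stream> level is searched before <Project>. Swapping the two Read rules in POLICY_MISORDERED turns its last result into True, which is the ordering rule stated in the text.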