When access control is enabled, Sybase CEP Engine checks incoming requests for actions on resources against the rules contained in a policy. This section describes the general rules that apply to all policy sets.
Sybase CEP Engine checks rules in hierarchical order of resources, from the most specific to the most general.
For example, if an explicit rule permitting or denying access to a project is defined, the rule is applied. If a matching rule for the project is not specified, but a rule for the project's workspace is defined, Sybase CEP Engine applies the workspace rule. If a rule for the workspace is not defined either, then Sybase CEP Engine searches the ACL file for a rule applying to the Sybase CEP Server on which the project is located.
On each level of the resource hierarchy, Sybase CEP Engine applies the first matching rule, if one is found, and ignores any subsequent rules. A matching rule is a rule that applies to the subject and permits or denies the subject the desired action type on the desired resource.
For example, if one rule is defined that allows a particular user connect privileges to a specified project, and a second rule, later in the file, that denies access to the same user and project, Sybase CEP Engine uses the first rule.
Sybase CEP Engine always considers "AnyResource" to be a match for any resource at any level in the hierarchy.
For example, if one rule is defined that denies a particular host name connection privileges to "AnyResource", and a second rule, later in the file, that permits the same host name connection privileges to a particular workspace, Sybase CEP Engine considers the "AnyResource" rule to be the first match, and denies access to the workspace.
Similarly, Sybase CEP Engine always considers "AnyAction" to be a match for any requested action and "AnySubject" to be a match for any subject requesting the action.
If Sybase CEP Engine does not find an applicable rule, it denies the subject access to the action on the resource.
The following table shows the actions and resources required to complete specific tasks, and the order in which the rules controlling access to these resources are checked. Where a task requires permission to perform more than one type of action, the rules must permit every required action type, or must permit "AnyAction". Note that the rules permitting an action must appear earlier in the ACL file than any rule(s) denying the action. Likewise, rule(s) permitting access to a resource must appear earlier in the file than any rule(s) denying access to the resource. Otherwise the action, or access to the resource, is denied.
| When a Subject Tries to Perform This | Search for a Match on These Actions | Search in Order for a Match on One of These Resources |
|---|---|---|
| Connect to Sybase CEP Server and see a list of workspaces. | `<AnyAction/>`, or `<Connect/>` and `<GetStatus/>` | `<AnyResource/>`; if not found: `<Server/>` |
| Create or destroy a workspace on Sybase CEP Server. | `<AnyAction/>`, or `<Connect/>` and `<CreateDestroy/>` | `<AnyResource/>`; if not found: `<Workspace>workspace-name</Workspace>`; if not found: `<Server/>` |
| Connect to a workspace on Sybase CEP Server. | `<AnyAction/>`, or `<Connect/>` and `<GetStatus/>` | `<AnyResource/>`; if not found: `<Workspace>workspace-name</Workspace>`; if not found: `<Server/>` |
| Start or stop a project in a workspace. | `<AnyAction/>`, or `<Connect/>` and `<StartStop/>` | `<AnyResource/>`; if not found: `<Project>workspace-name/project-name</Project>`; if not found: `<Workspace>workspace-name</Workspace>`; if not found: `<Server/>` |
| Read from a stream or write to a stream in a project in a workspace. | `<AnyAction/>`, or `<Connect/>` and `<Read/>`, or `<Connect/>` and `<Write/>` | `<AnyResource/>`; if not found: `<Stream>/workspace-name/project-name/[submodule-name/][.../]stream-name</Stream>`; if not found: `<Project>workspace-name/project-name</Project>`; if not found: `<Workspace>workspace-name</Workspace>`; if not found: `<Server/>` |
| Query a public window in a project in a workspace (requires both "Connect" and "Read" permission). | `<AnyAction/>`, or `<Connect/>` and `<Read/>` | `<AnyResource/>`; if not found: `<Project>workspace-name/project-name</Project>`; if not found: `<Workspace>workspace-name</Workspace>`; if not found: `<Server/>` |