To restrict user access through the access control system, each user must have a defined role. This role must be associated with resources and authorized actions for the resources. You configure roles, resources, and actions in the policy.xml file.
Roles in the policy.xml file are equivalent to group names, which are defined in the security provider (LDAP or your operating system). In the access control process, the security provider server determines whether the user belongs to a particular group. If so, the group is considered to be his or her role, and limits the available resources and actions the user can access.
The special *any role includes everyone. If the *any role is used, no call is made to the security provider server to check whether the user is part of the role.
A policy.xml file can include policies of three types: Cluster, Project, and Node.
Cluster resources are not hierarchical and do not support inheritance of entitlement.
The special *any resource refers to all the resources available for a policy type. *any is especially useful for the Project policy type because there are so many possible resources. You cannot define the *any resource in a granular fashion, such as workspace1/*any.
The Node policy type applies only to the Node resource. To enable Sybase Control Center to monitor a node, you must add a Node policy to the node’s policy.xml file. For details, see the online help for Sybase Control Center for Event Stream Processor.
Node resources use only the READ and STOP actions.
Policy Type | Resource | Action | Description |
---|---|---|---|
Cluster | Application (project) | READ | Get the list of projects and information about the projects. Get streams, windows, and schemas. Monitor projects and streams. Monitor connections to projects, streams, and windows. |
Cluster | Application (project) | WRITE | Add projects to the cluster or remove them from the cluster. |
Cluster | Application (project) | START | Start projects in the cluster. |
Cluster | Application (project) | STOP | Stop projects in the cluster. |
Cluster | Node | READ | Get the list of managers and controllers and information about those nodes. |
Cluster | Node | STOP | Stop nodes. |
Cluster | Security | WRITE | Upload the policy file. Add a user by deploying a public key to the cluster’s keystore. |
Cluster | Workspace | READ | Get the list of workspaces in the cluster and information about the workspaces. |
Cluster | Workspace | WRITE | Add workspaces to the cluster or remove them from the cluster. |
Cluster | *any | – | Encompasses all Cluster resources. Set READ, WRITE, START, and STOP actions as for the other Cluster resources. Actions are ignored for resources that do not support them. |
Node | Node | READ | Get the list of nodes and information about those nodes. Use to enable monitoring by Sybase Control Center. |
Node | Node | STOP | Stop nodes. Use to enable management by Sybase Control Center. |
Project | Project path | READ | Subscribe to streams and windows in the project. |
Project | Project path | WRITE | Publish to all streams and windows in the project. Play back to all streams and windows in the project. Upload to all streams and windows in the project. |
Project | Project path | START | Start all adapters in the project. |
Project | Project path | STOP | Stop all adapters in the project. |
Project | Stream or window path | READ | Subscribe to a stream or window. |
Project | Stream or window path | WRITE | Publish to the stream or window. Play back to the stream or window. Upload to the stream or window. |
Project | Stream or window path | START | Start adapters attached to the stream or window. |
Project | Stream or window path | STOP | Stop adapters attached to the stream or window. |
Project | Workspace path | READ | Subscribe to all streams and windows in the workspace. |
Project | Workspace path | WRITE | Publish to all streams and windows in the workspace. Play back to all streams and windows in the workspace. Upload to all streams and windows in the workspace. |
Project | Workspace path | START | Start all adapters in the projects in the workspace. |
Project | Workspace path | STOP | Stop all adapters in the projects in the workspace. |
Project | *any | – | Encompasses all Project resources. Set READ, WRITE, START, and STOP actions as for the other Project resources. |
When the client makes a login call, the security services authenticate the user. When a user of Role A tries to access Resource B, verification ensures the user is authorized to access the resource and perform the desired action on the resource.
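The authorization check described above, modelled as an added example (not code from Sybase Event Stream Processor, which reads these rules from policy.xml). It encodes the supported actions from the table, the *any role shortcut that skips the security provider, exact matching for Cluster and Node resources, and, as an assumption drawn from the Workspace path and Project path rows, prefix-based inheritance for Project paths. The SecurityProvider class and the user and group names are constructed for the example.

```python
from dataclasses import dataclass

ANY = "*any"
ALL_ACTIONS = frozenset({"READ", "WRITE", "START", "STOP"})
# Actions each Cluster/Node resource supports (from the table above);
# Project resources (paths) support all four actions.
SUPPORTED = {
    ("Cluster", "Application"): ALL_ACTIONS,
    ("Cluster", "Node"): frozenset({"READ", "STOP"}),
    ("Cluster", "Security"): frozenset({"WRITE"}),
    ("Cluster", "Workspace"): frozenset({"READ", "WRITE"}),
    ("Node", "Node"): frozenset({"READ", "STOP"}),
}


class SecurityProvider:
    """Stand-in for LDAP / OS groups; counts lookups so the *any shortcut is visible."""
    def __init__(self, groups):
        self.groups = groups  # constructed: user -> set of group names
        self.calls = 0

    def is_member(self, user, group):
        self.calls += 1
        return group in self.groups.get(user, set())


@dataclass(frozen=True)
class Policy:
    policy_type: str   # "Cluster", "Project" or "Node"
    role: str          # group name in the security provider, or *any
    resource: str      # resource name, project path, or *any
    actions: frozenset


def resource_matches(policy_type, granted, requested):
    if granted == ANY:
        return True
    if policy_type == "Project":
        # Assumption: a workspace path covers its projects, a project path its streams.
        return requested == granted or requested.startswith(granted + "/")
    return requested == granted   # Cluster and Node resources: no inheritance


def is_authorized(policies, provider, user, policy_type, resource, action):
    if action not in SUPPORTED.get((policy_type, resource), ALL_ACTIONS):
        return False   # actions the resource does not support are ignored
    for p in policies:
        if (p.policy_type != policy_type or action not in p.actions
                or not resource_matches(policy_type, p.resource, resource)):
            continue
        # *any role includes everyone; no call to the security provider.
        if p.role == ANY or provider.is_member(user, p.role):
            return True
    return False
```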