Realm Entitlements
Realm ACLs
As mentioned in the security introduction (see Using ACLs for role-based Security), in order to perform operations within a realm, clients connecting to the realm must be given the correct entitlements.
In order for a client to connect to a Universal Messaging Realm server, there must be a Realm ACL which allows it to do so. A Realm ACL contains a list of subjects and their entitlements (i.e. the operations they can perform within the realm).
Using the Enterprise manager, one can add to, remove or modify entries within a realm ACL.
ACLs can also be managed via the Universal Messaging administration API.
To view a Realm ACL, click on a realm node within the namespace of the Enterprise Manager, and select the 'ACL' tab. This will display the realm ACL and the list of subjects and their associated permissions for the realm. The following image displays an example of a realm ACL.
As shown in the example above, the realm ACL has a number of subject entries and operations that each subject is able to perform on the realm. The operations that can be performed on a realm are described below in the order in which they appear in the ACL panel:
Manage ACL - Allows the subject to get and manage the list of ACL entries.
This permission is a combination of two permissions at the Administration API level. The boolean setModify() API function allows or denies permission to change an ACL value, and the boolean setList() API function allows or denies permission to access the current list of ACLs. If both of these functions return true, Manage ACL is allowed; otherwise Manage ACL is not allowed.
If the green check icon is displayed in the Manage ACL field, the corresponding two API functions for this field are set to true.
The value of this permission cannot be changed in the Enterprise Manager.
Full - Has complete access to the secured object
Access - Can actually connect to this realm
Configure - Can set run-time parameters on the realm
Channels - Can add/delete channels on this realm
Realm - Can add/remove realms from this realm
Admin API - Can use the nAdminAPI package
Manage DataGroups - Can add/remove data groups from this realm
Pub DataGroups - Can publish to data groups (including the default data group) on this realm
Own DataGroups - Can add, delete and publish to data groups even when they were not created by the user
The green check icon shows that a subject is permitted to perform the operation. For example, the subject *@* is shown as having no permissions for this realm. The minimum requirement for a client to use a realm is the 'Access' privilege. Without this privilege for the *@* subject, any Universal Messaging client attempting to connect, whose subject does not appear in the ACL list, will not be able to establish a session with the Realm Server.
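The entitlement rules described above (Manage ACL derived from the two Admin API flags, 'Access' as the minimum requirement to connect, and the *@* entry governing any client whose subject is not listed) can be checked offline against a copy of a realm ACL. The following is an added example written for this page; it is a model of the evaluation logic, not Universal Messaging's own code or its Admin API. It assumes that an exact subject match takes precedence over *@*, that 'Full' implies every other operation, and it uses a constructed sample ACL with made-up subjects.

```python
"""Model of realm ACL entitlement evaluation (constructed example, not the product's API)."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional

WILDCARD_SUBJECT = "*@*"  # catch-all subject shown in the Enterprise Manager ACL panel

# Operation columns as they appear in the realm ACL panel. Manage ACL is not listed
# because it is derived from the two Admin API flags rather than stored as one value.
OPERATIONS = (
    "full", "access", "configure", "channels", "realm",
    "admin_api", "manage_datagroups", "pub_datagroups", "own_datagroups",
)


@dataclass(frozen=True)
class RealmAclEntry:
    subject: str
    modify: bool = False      # Admin API setModify(): may change ACL values
    list_acl: bool = False    # Admin API setList(): may read the ACL list
    full: bool = False
    access: bool = False
    configure: bool = False
    channels: bool = False
    realm: bool = False
    admin_api: bool = False
    manage_datagroups: bool = False
    pub_datagroups: bool = False
    own_datagroups: bool = False

    @property
    def manage_acl(self) -> bool:
        """Green check for Manage ACL only when both modify and list are true."""
        return self.modify and self.list_acl

    def permits(self, operation: str) -> bool:
        """True if this entry grants `operation`; Full is assumed to grant everything."""
        if operation == "manage_acl":
            return self.manage_acl
        if operation not in OPERATIONS:
            raise ValueError(f"unknown realm operation: {operation}")
        return self.full or getattr(self, operation)


def resolve_entry(acl: Iterable[RealmAclEntry], subject: str) -> Optional[RealmAclEntry]:
    """Exact subject match first; otherwise the *@* entry governs; None if neither exists."""
    by_subject = {e.subject: e for e in acl}
    return by_subject.get(subject) or by_subject.get(WILDCARD_SUBJECT)


def can_connect(acl: Iterable[RealmAclEntry], subject: str) -> bool:
    """A session is only established when the governing entry grants Access."""
    entry = resolve_entry(acl, subject)
    return entry is not None and entry.permits("access")


def grant(acl: List[RealmAclEntry], subject: str, operation: str) -> List[RealmAclEntry]:
    """Return a new ACL with `operation` granted to `subject` (the click-then-Apply step)."""
    if operation == "manage_acl":
        raise ValueError("Manage ACL is derived from modify/list and cannot be set directly")
    if operation not in OPERATIONS:
        raise ValueError(f"unknown realm operation: {operation}")
    updated, found = [], False
    for e in acl:
        if e.subject == subject:
            updated.append(replace(e, **{operation: True}))
            found = True
        else:
            updated.append(e)
    if not found:  # subject not yet listed: add a new row with only that grant
        updated.append(replace(RealmAclEntry(subject), **{operation: True}))
    return updated


def audit(acl: Iterable[RealmAclEntry]) -> List[str]:
    """Flag grants a reviewer wants to see: *@* beyond Access, ACL editors, Full holders."""
    findings = []
    for e in acl:
        if e.subject == WILDCARD_SUBJECT:
            broad = [op for op in OPERATIONS if op != "access" and getattr(e, op)]
            if broad:
                findings.append(f"{e.subject} grants {', '.join(broad)} to every unlisted client")
        if e.manage_acl:
            findings.append(f"{e.subject} can list and modify the realm ACL")
        if e.full:
            findings.append(f"{e.subject} has Full privileges on the realm")
    return findings


# Constructed sample ACL; the *@* row has no permissions, as in the panel described above.
SAMPLE_ACL = [
    RealmAclEntry(WILDCARD_SUBJECT),
    RealmAclEntry("admin@adminhost", modify=True, list_acl=True, full=True),
    RealmAclEntry("publisher@apphost", access=True, pub_datagroups=True),
    RealmAclEntry("auditor@secops", list_acl=True, access=True),  # reads ACL, cannot change it
]

if __name__ == "__main__":
    for subj in ("publisher@apphost", "unknown@laptop"):
        print(subj, "can connect:", can_connect(SAMPLE_ACL, subj))
    opened = grant(SAMPLE_ACL, WILDCARD_SUBJECT, "access")
    print("after granting *@* Access:", can_connect(opened, "unknown@laptop"))
    for finding in audit(grant(opened, WILDCARD_SUBJECT, "channels")):
        print("finding:", finding)
```

`grant` returns a new list rather than mutating the input, mirroring the fact that nothing reaches the Realm Server until 'Apply' is clicked; `audit` is the check to run before applying, since a grant on *@* applies to every client the ACL does not name.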
In order to modify the permissions for a subject, click on the cell in the ACL table for the subject and the operation whose permission you wish to change. For example, if you want to grant the *@* subject the 'Access' realm privilege, click on the *@* row in the column labelled 'Access'. This turns the cell from blank to a green check icon.
After making any changes, you then need to click on the 'Apply' button which will notify the Realm Server of the ACL change.
Any ACL changes made by other Enterprise Manager users, or by any program using the Universal Messaging Admin API to modify ACLs, will be received by all other Enterprise Managers. This is because ACL changes are automatically sent to all Universal Messaging Admin API clients, the Enterprise Manager being one of those clients.
Any changes made to a realm ACL where the realm is part of a cluster will be replicated to all other cluster realms.