Manualshelf

User's Manual

ManualsBrandsRed Hat ManualsTV ReceiverRed Hat Red Hat Web Application Framework 6.1
21222324252627282930
12 Chapter 3. WAF Component: Kernel
What parties have a particular privilege on a particular object?
What privileges does a particular party have on a particular object?
On what objects does a particular party have a particular privilege?
Much of the power of the permissions system comes from the flexibility of the model. The assertions
described above are not the only input. Each privilege can imply some set of privileges. In addition,
each ACSObject can have a security context from which it inherits privilege grants. This security
context is just another ACSObject. Groups provide a way of aggregating users and the permissions
system pays attention to group membership.
The power of the permissions system comes from the interaction of these 3 hierarchies: group mem-
bership, security context, and privilege implication. Taking these 3 together, the assertion that p has
privilege priv on object obj means that p is a party or a member of a party (at any depth) that was
granted priv or a privilege implying privilege priv on object obj or any parent of obj in the security
context hierarchy.
3.4. Kernel Resources
Resource is a base class in the kernel that represents a user-accessible resource that may serve as a
data container. Resources are organized into a parent-child hierarchy. By default, resources set their
security context to their parent resource.
Currently, the two subclasses of resource are Application (which is web accessible) and Portlet
(which is accessible through Red Hat Portal Server). All Resources have a ResourceType which is
uniquely determined by the specific object type of the Resource. ResourceType has metadata that
is used by some generic navigation and administrative interfaces.