[
https://issues.apache.org/jira/browse/SLING-7061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16131965#comment-16131965
]
Bertrand Delacretaz commented on SLING-7061:
--------------------------------------------
Does the following syntax look appropriate for this, or do you have a better
suggestion?
{code}
set repository ACL for principal1, principal2
allow jcr:somePermission
deny jcr:anotherPermission
end
{code}
> Access control setup of repository-level permissions (i.e. null path)
> ---------------------------------------------------------------------
>
> Key: SLING-7061
> URL: https://issues.apache.org/jira/browse/SLING-7061
> Project: Sling
> Issue Type: Improvement
> Components: Repoinit
> Reporter: angela
>
> If I am not mistaken it is currently not possible to create access control
> setup for principals at the 'null' path, which according to JSR 283 is to be
> used to setup repository level permissions such as
> - node type definition management (i.e. registering new node types)
> - namespace management (i.e. registering new namespaces)
> - privilege management (i.e. registering new privileges)
> - workspace management (i.e. creating/removing workspaces)
> All of these operations are not bound to a path (like e.g. removing an item
> or creating a new version for a given node) but instead take global effect on
> the whole JCR repository... that's why permissions for these operations
> cannot be granted at a given path.
> In the default authorization model shipped with Jackrabbit and Oak the -null-
> path access control policy is stored with a dedicated _rep:repoPolicy_ node
> located with the root node and
> For service user definitions we need to be able to define entries for the
> -null- path policy for the reasons explained above. Thanks for extending the
> repo-init accordingly.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
