Author: angela
Date: Wed Nov 23 07:48:09 2016
New Revision: 1770928

URL: http://svn.apache.org/viewvc?rev=1770928&view=rev
Log:
minor improvement: security documentation

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md

Modified: 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md?rev=1770928&r1=1770927&r2=1770928&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md 
(original)
+++ 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md 
Wed Nov 23 07:48:09 2016
@@ -178,6 +178,10 @@ access in the restricted area:
       
     [rep:CugPolicy] > rep:Policy
       - rep:principalNames (STRING) multiple protected mandatory IGNORE
+      
+_Note:_ the multivalued `rep:principalNames` property reflects the fact 
+that CUGs are intended to be used for small principal sets, preferably 
+`java.security.acl.Group` principals. 
 
 <a name="validation"/>
 ### Validation
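Review bot: the added note after the `rep:CugPolicy` node type definition calls CUGs suitable for "small principal sets" without saying what counts as small or what a reader should expect when the set grows. Stating the consequence in one sentence would let administrators judge their own setup. The first added line is also whitespace-only and could be a plain empty line.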
@@ -212,6 +216,12 @@ supports the following configuration par
 | `PARAM_RANKING`             | int            | 200      | Ranking within the 
composite authorization setup.            |
 | | | | |
 
+_Note:_ depending on other the authorization models deployed in the composite 
+setup, the number of CUGs used in a given deployment as well as other 
+factors such as predominant read vs. read-write, the performance of overall 
+permission evaluation may benefit from changing the default ranking of the 
+CUG authorization model.
+
 #### Excluding Principals
 
 The CUG authorization setup can be further customized by configuring the 
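Review bot: the first added line reads "depending on other the authorization models", where the words are transposed; it should be "depending on the other authorization models". The note also says performance "may benefit from changing the default ranking" but not in which direction relative to the default of 200 shown in the `PARAM_RANKING` row, nor under which of the listed factors. One concrete hint (raise or lower, and when) would make it usable.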
@@ -233,6 +243,10 @@ specific needs (see [below](#pluggabilit
 The following section describes how to deploy the CUG authorization model into
 an Oak repository and how to customize the `CugExclude` extension point.
 
+_Note:_ the reverse steps can be used to completely disable the CUG 
+authorization model in case it is not needed for a given repository 
+installation but shipped by a vendor such as e.g. Adobe AEM 6.3.
+
 #### Deploy CugConfiguration
 
 ##### OSGi Setup
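Review bot: the added note refers to "the reverse steps" before any steps have been given, since the preceding paragraph only announces that "the following section describes how to deploy". Either move the note below the deployment steps or word it as "reversing the steps described below". "such as e.g." is redundant; keep one of the two. Since this describes completely disabling an authorization model, it would also help to say what happens to existing `rep:CugPolicy` content once the model is disabled.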

