

To Assign Resource Permissions

The property screens for a security manager definition can be used to add, edit and delete user, group and resource definitions held in the associated external security manager (ESM), and to specify resource permissions. This functionality depends on two conditions: the ESM module through which you connect to the ESM must provide support for it, and the ESM must honour the requests submitted through these screens. Where such support is not available, users, groups and resources must be managed through the tools provided with your external security manager. Please check the documentation provided with your ESM module for details.

In addition to the conditions listed above, the security manager definition must be included in the security manager list that is used by MF Directory Server. See To add a security manager to the Directory server's security manager list or, if MF Directory Server is using the Default ES Security configuration, To add a Security Manager to the Default ES Security Manager List.

In order to use these property screens, your user account must have User Administration permissions. See Resource Classes for MF Directory Server for details.

Note:

The display and setting of permissions for MFDS Internal Security differ from those for other Security Managers, and are covered separately by To assign resource permissions when using MFDS Internal Security.

  1. Click Security under Configure on the menu on the left-hand side of an Enterprise Server Administration Web page.
  2. Click Security Managers.
  3. Select the security manager containing the resource by clicking the relevant radio button in the Select column.
  4. Click Edit.
  5. Click Properties.
  6. Click Resources.

    This displays a list of available resource classes.

  7. Click the Edit button adjacent to the resource class to which the resource belongs.

    This displays a list of available resources.

  8. Click the Edit button adjacent to the resource.
  9. Specify the Access Control List (ACL) string for the resource.

    The ACL specifies the access rights for the resource entity. Each entry in an ACL is referred to as an Access Control Entry, or ACE. These entries are separated by semi-colons.

    Each ACE specifies an actor, which is a user, a wildcard pattern for users, or a group, and one or more permissions that are granted (allow) or denied (deny) to that actor. The format for the ACE is as follows:

    setting:actor:action-1,...,action-n

    Where:

    • setting is allow or deny
    • actor is the name of a user, a string pattern with one or more wildcards (see Wildcards) that will be matched against the user's name, or a group name or wildcard pattern followed by a space and the word group (e.g. "ADMIN group")
    • action-1 through action-n are permission tokens:
      • none
      • execute
      • read
      • update
      • add
      • delete
      • control
      • alter
      • all

    For example, the following ACL string:

    allow:Test group:Execute,Read,Update,Add,Delete;allow:Operator group:Read

    assigns the Test group execute, read, update, add and delete permissions for the resource, and assigns the Operator group read permission.

  10. Click OK.
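
The following is an added example, not part of the product or its documentation: a small Python checker that parses an ACL string in the format described in step 9 so that it can be reviewed before it is entered on the resource screen. The names `parse_acl` and `Ace` are hypothetical. It assumes that settings and permission tokens are compared case-insensitively (the page's own example capitalises them), that actor names contain no colons, and that blank entries such as a trailing semi-colon are ignored.

```python
from typing import List, NamedTuple

# Permission tokens listed on this page.
TOKENS = {"none", "execute", "read", "update", "add",
          "delete", "control", "alter", "all"}


class Ace(NamedTuple):
    setting: str        # "allow" or "deny"
    actor: str          # user name, wildcard pattern, or group name
    is_group: bool      # True when the actor field ended in " group"
    actions: List[str]  # lower-cased permission tokens


def parse_acl(acl: str) -> List[Ace]:
    """Parse 'setting:actor:action-1,...,action-n' entries separated by ';'."""
    aces = []
    for pos, raw in enumerate(acl.split(";"), start=1):
        entry = raw.strip()
        if not entry:
            continue  # assumption: tolerate a trailing ';' or blank entry
        fields = entry.split(":")
        if len(fields) != 3:  # assumption: no ':' inside actor names
            raise ValueError(f"ACE {pos}: expected setting:actor:actions, got {entry!r}")
        setting, actor, actions = (f.strip() for f in fields)
        setting = setting.lower()
        if setting not in ("allow", "deny"):
            raise ValueError(f"ACE {pos}: setting must be allow or deny, got {setting!r}")
        if not actor:
            raise ValueError(f"ACE {pos}: empty actor")
        # A group actor is the name followed by a space and the word "group".
        is_group = actor.lower().endswith(" group")
        if is_group:
            actor = actor[: -len(" group")].rstrip()
        tokens = [a.strip().lower() for a in actions.split(",")]
        unknown = [t for t in tokens if t not in TOKENS]
        if unknown:
            raise ValueError(f"ACE {pos}: unknown permission token(s) {unknown}")
        aces.append(Ace(setting, actor, is_group, tokens))
    return aces


if __name__ == "__main__":
    # The ACL string from the example on this page.
    for ace in parse_acl("allow:Test group:Execute,Read,Update,Add,Delete;allow:Operator group:Read"):
        kind = "group" if ace.is_group else "user"
        print(f"{ace.setting:5} {kind:5} {ace.actor:10} {','.join(ace.actions)}")
```

An entry whose actor lacks the trailing word group is reported as a user or user pattern, which makes it easy to spot a group name entered without the suffix.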