ACEs can refer to users or groups. They can specify an exact name or a pattern with wildcards. They can allow or deny an access level or a set of permissions. This flexibility means that even within the single ACL belonging to the defining rule (the rule that the MLDAP Module uses to determine whether the requested access is allowed, or, for a permissions query, what the user's effective access rights are) there may be conflicting ACEs. The module applies these rules to make its access decision:
- Higher-ranked ACEs override lower-ranked ones.
- In MLDAP ESM Module version 2, ACE ranking is determined by how many characters from the user or group name replace wildcard characters in the ACE actor name. For user Bob, an ACE that refers to BOB outranks one that refers to B*, which outranks one that simply specifies *.
- In MLDAP ESM Module version 1, or if compatibility rule matching is enabled for version 2, the Match Rank algorithm is used to determine how ACEs are ranked.
- Within the same rank, user ACEs override group ACEs.
- For ACEs of the same rank for the same actor (user or group), deny ACEs override allow ACEs.
- For MTO resources:
- For allow ACEs of the same rank and actor, the highest specified access level applies.
  - For deny ACEs of the same rank and actor, the lowest specified access level applies, because higher levels implicitly include lower ones: if read access is denied, update access must also be denied.
- For MFDS resources:
- Allow ACEs of the same rank and actor are combined (set union).
- Deny ACEs of the same rank and actor are combined.
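The version-2 ranking and the MTO conflict rules above, as an added Python model that is not the MLDAP ESM Module's own code. It assumes that `*` is the only wildcard, that name matching is case-insensitive, that MTO access levels are integers where a higher level includes the lower ones, and that "same actor" means the user-versus-group class; when a deny ACE wins, the request is refused outright (fail closed).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    actor: str      # user or group name; '*' is assumed to be the only wildcard
    is_group: bool  # True if the actor is a group name
    allow: bool     # True for an allow ACE, False for a deny ACE
    level: int      # MTO access level on a hypothetical scale (1=read, 2=update, ...)

def wildcard_cost(pattern: str, name: str) -> Optional[int]:
    """Version-2 rank: how many characters of `name` replace '*' characters in
    `pattern` (fewer = higher rank); None if the pattern does not match."""
    if not pattern:
        return 0 if not name else None
    if pattern[0] == "*":
        best = None
        for i in range(len(name) + 1):  # let '*' absorb i characters of the name
            rest = wildcard_cost(pattern[1:], name[i:])
            if rest is not None and (best is None or i + rest < best):
                best = i + rest
        return best
    if name and pattern[0].upper() == name[0].upper():  # assumed case-insensitive
        return wildcard_cost(pattern[1:], name[1:])
    return None

def effective_access(aces, user, groups):
    """Return (allowed, level) from the highest-ranked applicable ACEs for an
    MTO resource, or None if no ACE refers to the user or any of their groups."""
    matched = []
    for ace in aces:
        names = groups if ace.is_group else [user]
        costs = [c for c in (wildcard_cost(ace.actor, n) for n in names) if c is not None]
        if costs:
            matched.append((min(costs), ace))
    if not matched:
        return None
    best = min(cost for cost, _ in matched)             # higher-ranked ACEs override lower ones
    top = [ace for cost, ace in matched if cost == best]
    if any(not a.is_group for a in top):                # same rank: user ACEs override group ACEs
        top = [a for a in top if not a.is_group]
    denies = [a for a in top if not a.allow]
    if denies:                                          # same rank and actor: deny overrides allow
        return (False, min(a.level for a in denies))    # lowest denied level; higher ones are implied
    return (True, max(a.level for a in top))            # highest allowed level applies

def is_allowed(aces, user, groups, requested):
    """True only when an allow ACE wins and its level covers the requested level (fail closed)."""
    result = effective_access(aces, user, groups)
    return result is not None and result[0] and requested <= result[1]
```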