User Operations
- Add user
  - Deny request if the user already exists
- Delete user
  - Deny request if the user does not exist
  - Automatically remove the user from all groups
  - Automatically remove all resource Access Control Entries (ACEs) that refer to the user
    Note: ACEs with wildcard actors, such as allow:U*:read, are not automatically removed.
Group Operations
- Add group
  - Deny request if the group already exists
- Delete group
  - Deny request if the group does not exist
  - Deny request if any users still belong to the group
  - Automatically remove all resource ACEs that refer to the group
    Note: ACEs with wildcard actors are not automatically removed.
- Add user to group
  - Deny request if the user or group does not exist
  - Deny request if the user already belongs to the group
- Remove user from group
  - Deny request if the user or group does not exist
  - Deny request if the user is not a member of the group
Resource Access Rule Operations
- Delete resource class
  - Deny request if the class contains any resource access rules
- Add resource rule
  - Deny request if the rule already exists in the given class
- Delete resource rule
  - Deny request if the rule does not exist
  - Deny request if the rule contains any ACEs
- Add ACE to resource rule
  - Deny request if the rule or actor (user or group) does not exist
  - Deny request if the rule already contains an ACE for the given actor
- Delete ACE from resource rule
  - Deny request if the rule or actor does not exist
  - Deny request if the ACE does not exist in the specified rule
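
The delete-user and delete-group rules above, modelled in memory as an added example (not the product's own code) to show why wildcard ACEs need a separate review after a delete. The `Store` class, its method names, the `effect:actor:permission` ACE layout and the sample names are assumptions made for illustration.

```python
class Denied(Exception):
    """A request that violates one of the constraints listed above."""

class Store:
    def __init__(self):
        self.users = set()
        self.groups = {}  # group name -> set of member user names
        self.rules = {}   # (class, rule) -> list of ACE strings

    @staticmethod
    def actor(ace):
        return ace.split(":")[1]  # assumed layout: effect:actor:permission

    def _purge_aces(self, name):
        # Exact-name match only, so wildcard actors such as U* stay in place.
        for key in self.rules:
            self.rules[key] = [a for a in self.rules[key] if self.actor(a) != name]

    def delete_user(self, name):
        if name not in self.users:
            raise Denied(f"user {name!r} does not exist")
        self.users.remove(name)
        for members in self.groups.values():
            members.discard(name)  # removed from every group automatically
        self._purge_aces(name)

    def delete_group(self, name):
        if name not in self.groups:
            raise Denied(f"group {name!r} does not exist")
        if self.groups[name]:
            raise Denied(f"group {name!r} still has members")
        del self.groups[name]
        self._purge_aces(name)

    def wildcard_aces(self):
        """ACEs that no delete will clean up and that need manual review."""
        return [(key, a) for key, aces in self.rules.items()
                for a in aces if "*" in self.actor(a)]

def sample_store():
    # Constructed sample data, not taken from a real configuration.
    s = Store()
    s.users = {"USER1", "USER2"}
    s.groups = {"OPS": {"USER1"}}
    s.rules = {("FILES", "payroll"): ["allow:USER1:read", "allow:OPS:update",
                                      "allow:U*:read"]}
    return s
```

After `delete_user("USER1")` and `delete_group("OPS")`, `wildcard_aces()` still returns the `allow:U*:read` entry, which is the list to audit by hand.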