Security Resources to Control ESCWA and API Access

You can create user view permissions for functional areas of ESCWA by specifying an Access Control List (ACL) string for the listed resource entities.

Use the allow:*:read and deny:*:read to grant permissions to groups or users as required. See Access Levels and Permissions for more information.

The following list of default resource entities can be found under the Common Web Administration resource class in the default ESCWA security configuration:

Configuration
Provides access to reading and modifying configuration properties for the Common Web Administration server.

The subsequent resource entities relating to configuration are more specific versions of this entity.

Read, add, update, and delete permissions are queried, depending on the action you want to perform.

The ACL string for this resource entity:

allow:#DSAdmin group:update,add,delete;allow:*:read
ESCWA Configuration
Provides access to general configuration properties for the Common Web Administration server. Specific version of the configuration entity which relates to the BasicConfig, TraceConfig, and AuditConfig sections of the ESCWA configuration file.

The ACL string for this resource entity:

allow:#DSAdmin group:update,add,delete;allow:*:read
Communications Server Log
Provides access to Communications Server Log for the Common Web Administration server. Read permission is checked to see if a user can view the communications log for the ESCWA process.

The ACL string for this resource entity:

allow:#DSAdmin group:read
Control
Provides control of the Common Web Administration server. Execute permission is checked to see if a user can shutdown the ESCWA process from an API, or view the list of current ESCWA sessions.

The ACL string for this resource entity:

allow:#DSAdmin group:execute
K8s Configuration
Provides access to kubernetes configuration properties for the Common Web Administration server. Specific version of the Configuration entity which relates to the K8sConfig section of the ESCWA configuration file.

This is an optional part of the configuration file.

The ACL string for this resource entity:

allow:#DSAdmin group:update,add,delete;allow:*:read
Logon
Provides access control to any ESCWA page preventing it from loading without specific user access. If access is not granted, the ESCWA application still loads and the logon screen is displayed but any further page access is impossible, including any API access.

The ACL string for this resource entity:

allow:*:execute
[2]
Mainframe Access Access
Provides access to Mainframe functionality via the Common Web Administration server. Read permission is checked to see if a user can view the MAINFRAME tab in the ESCWA user interface, and use any of the corresponding APIs relating to pages under this node.

The ACL string for this resource entity:

allow:*:read,update,add,delete,execute
Managed Access
Provides access to Managed functionality via the Common Web Administration server. Read permission is checked to see if a user can view the ES .NET tab in the ESCWA user interface, and use any of the corresponding APIs relating to pages under this node.

The ACL string for this resource entity:

allow:*:read,update,add,delete,execute
MFDS Configuration
Provides access to the MFDS configuration properties for the Common Web Administration server. Specific version of the configuration entity which relates to the MfdsList section of the ESCWA configuration file.

The ACL string for this resource entity:

allow:#DSAdmin group:update,add,delete;allow:*:read
Native Access
Provides access to Native functionality via the Common Web Administration server. Read permission is checked to see if a user can view the NATIVE tab in the ESCWA user interface, and use any of the corresponding APIs relating to pages under this node.

The ACL string for this resource entity:

allow:*:read,update,add,delete,execute
Scale-out Configuration
Provides access to scale-out configuration properties for the Common Web Administration server. Read permissions checked to see if a user can install a PAC to a region. The Directory Server resources will then be checked for that user to see if they can modify that region.

Specific version of the Configuration entity, which relates to the LogicalGroupList, SorList, and PacList sections of the ESCWA configuration file.

The ACL string for this resource entity:

allow:#DSAdmin group:update,add,delete;allow:*:read
Security Access
Provides access to Security functionality via the Common Web Administration server. Read permission is checked to see if a user can view the SECURITY tab in the ESCWA user interface, and use any of the corresponding APIs relating to pages under this node.

The ACL string for this resource entity:

allow:*:read,update,add,delete,execute
Security Configuration
Provides access to security configuration properties for the Common Web Administration server. Specific version of the configuration entity which relates to the SecurityConfig and ESMList sections of the ESCWA configuration file.

The ACL string for this resource entity:

allow:#DSAdmin group:update,add,delete;allow:*:read
Server Configuration Access
Provides access to Enterprise Server Administration Configuration functionality via the Common Web Administration server. Read permissions is checked to see if a user can view the configuration spanner and dialog in the ESCWA user interface, and use any of the corresponding APIs relating to this dialog.

The ACL string for this resource entity:

allow:*:read,update,add,delete,execute
User Administration
Provides access to user administration via the Common Web Administration server. Update permission is checked to see if a user can administer a security manager.

Update permissions checked to see if a user can change the active security configuration used by ESCWA.

The ACL string for this resource entity:

allow:#DSAdmin group:read,update,add,delete