Skip to content

DBAzine.com

Sections
Personal tools
You are here: Home » 10g » Oracle10g Articles » Storing XML Data » Access Control Lists on Files copied in via Web Folders
Who Are You?
I am a:
Mainframe True Believer
Distributed Fast-tracker

[ Results | Polls ]
Votes : 3550
 

Comment

Above in this comment thread: Storing XML Data

Access Control Lists on Files copied in via Web Folders

Posted by pjeynes at 2005-12-14 12:24 PM
Hi. Thanks for the very informative article. I've a question on access control lists and XML DB repository.

I've created a folder in the XML DB repository, FTPed an ACL into the repository and assigned the ACL to the folder - something like:

...
status := dbms_xdb.CreateFolder('/my_folder');

dbms_xdb.setAcl('/my_folder','/sys/acls/my_list_acl.xml')

The ACL list looks like this:

<acl description="Protected:All privileges to OWNER and PAUL" xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd http://xmlns.oracle.com/xdb/acl.xsd">
<ace>
<principal>dav:owner</principal>
<grant>true</grant>
<privilege>
<all/>
</privilege>
</ace>
<ace>
<principal>PAUL</principal>
<grant>true</grant>
<privilege>
<all/>
</privilege>
</ace>
<ace>
<principal>PUBLIC</principal>
<grant>true</grant>
<privilege>
<dav:read />
</privilege>
</ace>
</acl>

If I connect via web folders as PAUL and copy a Word doc into the repository, I can edit it fine. If I then connect as AN_OTHER, I can still edit the Word doc. I expected the ACL list to stop this as AN_OTHER would be classed under PUBLIC. Is this not the case? Is the above ACL wrong or is something else happening?

Cheers,

Paul.

Access Control Lists on Files copied in via Web Folders

Posted by mscardina at 2005-12-16 04:32 PM
Your "read" ACL should restrict updating or replacing the original document. It, of course, does not prevent AN_OTHER from editing the document in his version of Word. I suggest that you query the privledges granted to AN_OTHER as follows:

SELECT DBMS_XDB.getPrivileges('/my_folder').getClobVal() FROM DUAL;

If the result shows AN_OTHER only has read privledges yet he can update the repository, then there maybe a configuration issue. WEBDAV support is built on top of the XML functionality that this article covers. For additional help in this area, I suggest you visit theOTN XMLDB Forum at http://forums.oracle.com/forums/forum.jspa?forumID=34.

Access Control Lists on Files copied in via Web Folders

Posted by mscardina at 2005-12-16 04:33 PM
Your "read" ACL should restrict updating or replacing the original document. It, of course, does not prevent AN_OTHER from editing the document in his version of Word. I suggest that you query the privledges granted to AN_OTHER as follows:

SELECT DBMS_XDB.getPrivileges('/my_folder').getClobVal() FROM DUAL;

If the result shows AN_OTHER only has read privledges yet he can update the repository, then there maybe a configuration issue. WEBDAV support is built on top of the XML functionality that this article covers. For additional help in this area, I suggest you visit theOTN XMLDB Forum at http://forums.oracle.com/forums/forum.jspa?forumID=34.
 
Transaction Management
Reduce downtime and increase repeat sales by improving end-user experience.
Free White Paper
Database Recovery
Feeling the increased demands on data protection and storage requirements?
Download Free Report!
 
 
Powered by Plone