Title: How do ACLs Work

Access Control Lists define permissions for users and groups. For each permission (Login, Administer Server, Edit Stylesheets, etc.), you can assign a setting to users and groups.

Allow vs. Deny

In setting up permissions, you can allow or deny each permission to each user or group. Any given user inherits the sum of their Allow permissions (assigned directly or through a group) minus any permission which has been denied.

If a permission is not explicitly allowed, it is not granted.

Deny always overrides Allow. For example, you can specify "Everyone allow login" and "Visitor deny login". ("Visitor" is included in the default "Everyone" group.) This means that everyone but Visitors will be allowed to log in.

Important! Deny is very powerful, and can get you into trouble. You can lock everyone, yourself included, out of your journal by adding an "Everyone deny login" permission to the Server Access Control List. You can make it impossible for anyone to access server setup (where ACLs are defined) if you apply an "Everyone deny Administer Server" rule. If you do either of these things, you can contact Traction Software support for a special Owner license. This license, which is keyed to your journal, enables a special account, called Owner. Logging in as Owner with the provided Owner password will let you fix the ACLs so you can recover access.

Traction will warn you before letting you deny permissions. Please read the warnings, and think twice before clicking the apply button.
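
The evaluation rules above, together with a dry-run check for the lockout cases, as an added example that is not Traction's own code. The Rule layout, the group table, the user names and the lockout_warnings helper are assumptions made for illustration, and "Visitor" is modelled as an account that belongs to "Everyone".

```python
# Added example: a model of the Allow/Deny rules described above, not Traction's code.
# The data layout, user names and helper names are constructed for illustration.
from typing import NamedTuple

class Rule(NamedTuple):
    principal: str    # a user name or a group name
    effect: str       # "allow" or "deny"
    permission: str

def principals_of(user, groups):
    """The user plus every group that lists the user as a member."""
    return {user} | {g for g, members in groups.items() if user in members}

def effective_permissions(user, acl, groups):
    """Sum of Allow rules (direct or through a group) minus anything denied."""
    who = principals_of(user, groups)
    allowed = {r.permission for r in acl if r.principal in who and r.effect == "allow"}
    denied = {r.permission for r in acl if r.principal in who and r.effect == "deny"}
    return allowed - denied   # no explicit allow means not granted; deny wins

def lockout_warnings(acl, groups, critical=("Login", "Administer Server")):
    """List the critical permissions that no user would hold under this ACL."""
    users = set().union(*groups.values())
    return [p for p in critical
            if not any(p in effective_permissions(u, acl, groups) for u in users)]

# Constructed sample data: "Visitor" is included in the default "Everyone" group.
GROUPS = {"Everyone": {"Visitor", "alice", "bob"}, "Admins": {"alice"}}
ACL = [
    Rule("Everyone", "allow", "Login"),
    Rule("Visitor", "deny", "Login"),
    Rule("Admins", "allow", "Administer Server"),
    Rule("bob", "allow", "Edit Stylesheets"),
]

if __name__ == "__main__":
    for user in sorted(set().union(*GROUPS.values())):
        print(user, sorted(effective_permissions(user, ACL, GROUPS)))
    # Dry-run a risky change before applying it.
    proposed = ACL + [Rule("Everyone", "deny", "Administer Server")]
    print("would lock out:", lockout_warnings(proposed, GROUPS))
```

Running the same check against a proposed rule set before clicking apply shows whether any account would still hold Login and Administer Server afterwards.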

Article: Doc133 (permalink)
Date: March 22, 2008; 4:04:20 PM EDT
Author Name: Documentation Importer
Author ID: importer