Nodes and ACLs
A system is broken down into nodes, each of which is a system function or set of functions. These nodes are arranged in a branched hierarchical structure, similar to a directory tree.
The top or trunk node, called host, is a container for all the functions in the system. The branches of this node are containers for the functions of individual host servers. Within those containers are nodes that are containers for individual roots. There is one root in a Windows system and one or more in a UNIX system.
Within the root nodes are nodes for functions that are available at the root level. There are also nodes that are containers for the functions of individual sites within the roots.
In a system with advanced security, each node has its own ACL (Access Control List).
An ACL lists the users who are granted access to the node. It also defines specific permissions for each user. A permission determines which operations that user can perform at that node.
Similar to nodes, ACLs are hierarchical. Thus, permissions set at any high-level node are automatically extended to all the nodes contained within that node. For example, when advanced security is set up, an ACL is defined for the application node within the system root node; that ACL is what allows the system security administrator to perform security-related functions.
The permissions set in the ACL for the application node are automatically extended to all the nodes within the application. This applies to nodes that have no ACLs of their own, such as hciguisiteinit, hciaclrolemgr, hcicertmgr, and hciauditlog.
Nodes within nodes can have ACLs of their own. These can be different from the parent ACLs, with different users and different permissions for the same user.
For example, a system administrator is listed in the ACL for the host node and is granted all permissions. That same administrator could be denied all permissions in the ACL for the application node, so that security administration can be independent of server administration.
The parallel hierarchical structure of nodes and ACLs has these advantages:
- It enables the security administrator to control access to each component of the system individually.
- It provides a parent-child framework that simplifies administration. By default, the ACL for any parent node is automatically applied to any child nodes.
With advanced security, system access can be fine-tuned to the exact degree that is required. You can avoid the task of defining ACLs node by node, and define one ACL that applies to a whole family of nodes. Then you can define exceptions for individual nodes within the family.
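The inheritance rules above, as an added example that is not part of the product's code: a node tree where a node without its own ACL is governed by the nearest ancestor that has one, and a child ACL can list the same user with no permissions. The server name, the user names and the permission names are constructed for this example; only the hci* node names come from the text.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# user -> permission set; users and permission names are constructed here
Acl = Dict[str, Set[str]]
ALL = {"read", "write", "admin"}


@dataclass
class Node:
    name: str
    acl: Optional[Acl] = None                 # None means "no ACL of its own"
    children: Dict[str, "Node"] = field(default_factory=dict)


def add_node(root: Node, path: str, acl: Optional[Acl] = None) -> Node:
    """Create (or reuse) each node along 'host/srv1/root1' and set the ACL on the last one."""
    node = root
    for name in path.split("/")[1:]:          # first component is the trunk itself
        node = node.children.setdefault(name, Node(name))
    node.acl = acl
    return node


def effective_acl(root: Node, path: str) -> Tuple[str, Acl]:
    """Walk from the trunk down to path; the deepest node with its own ACL governs."""
    node, owner, acl = root, root.name, root.acl or {}
    for name in path.split("/")[1:]:
        node = node.children[name]            # KeyError for an unknown node is deliberate
        if node.acl is not None:
            owner, acl = node.name, node.acl
    return owner, acl


def has_permission(root: Node, path: str, user: str, perm: str) -> bool:
    _, acl = effective_acl(root, path)
    return perm in acl.get(user, set())       # a user absent from the ACL has no access


def build_sample_tree() -> Node:
    """Constructed tree: sysadmin owns host, but is denied everything at application."""
    host = Node("host", acl={"sysadmin": set(ALL)})
    add_node(host, "host/srv1/root1")
    add_node(host, "host/srv1/root1/application",
             acl={"secadmin": set(ALL), "sysadmin": set()})
    for n in ("hciguisiteinit", "hciaclrolemgr", "hcicertmgr", "hciauditlog"):
        add_node(host, f"host/srv1/root1/application/{n}")   # no ACL of their own
    return host
```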
All database files are stored under $HCIROOT\security\data\cl_acls.