| # Set principal-based access control (see SLING-8602), requires |
| # o.a.s.repoinit.parser 1.2.8 and |
| # o.a.s.jcr.repoinit 1.1.14 |
| # precondition for o.a.s.jcr.repoinit: |
| # repository needs to support 'o.a.j.api.security.authorization.PrincipalAccessControlList' |
| # Also, this only works for users selected by the Jackrabbit/Oak FilterProvider, see |
| # https://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html#configuration |
| |
| set principal ACL for principal1,principal2 |
| remove * on /libs,/apps |
| allow jcr:read on /content |
| |
| deny jcr:write on /apps |
| |
| # Optional nodetypes clause |
| deny jcr:lockManagement on /apps, /content nodetypes sling:Folder, nt:unstructured |
| # nodetypes clause with restriction clause |
| deny jcr:modifyProperties on /apps, /content nodetypes sling:Folder, nt:unstructured restriction(rep:itemNames,prop1,prop2) |
| remove jcr:understand,some:other on /apps |
| |
| # multi value restriction |
| allow jcr:addChildNodes on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured) |
| |
| # multiple restrictions |
| allow jcr:modifyProperties on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2) |
| |
| # restrictions with glob patterns |
| allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat,/cat/,cat) |
| allow jcr:addChildNodes on /apps,/content restriction(rep:glob,cat/,*,*cat) |
| allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat/*,*/cat,*cat/*) |
| |
| allow jcr:something on / restriction(rep:glob) |
| end |
| |
| # Principal-based ACL syntax with options (SLING-6423) |
| set principal ACL for principal1,principal2 (ACLOptions=mergePreserve) |
| remove * on /libs,/apps |
| allow jcr:read on /content |
| end |
| |
| # With multiple options |
| set principal ACL for principal1,principal2 (ACLOptions=mergePreserve,someOtherOption,someOther123,namespaced:option) |
| remove * on /libs,/apps |
| allow jcr:read on /content |
| end |
| |
| # repository level |
| set principal ACL for principal1,principal2 |
| allow jcr:namespaceManagement on :repository |
| end |
| |
| set principal ACL for principal1 |
| allow jcr:all on :repository,/content |
| end |