accesscontroltool

More restrictive service user rights

Open kwin opened this issue 1 year ago • 1 comments

Currently the (single) service user is used for almost all operations and grants full access to the repository.

set principal ACL for actool-service
    allow jcr:all on /
    allow jcr:all on :repository 
end

The permissions should be limited to what is actually necessary.

kwin, Aug 18 '24 11:08

The necessary permissions differ by functionality:

  1. Dumping Authorizables/ACLs
    • jcr:read on /home/users and /home/groups
    • jcr:readACL on /
  2. Installing ACTool configurations
    • jcr:readACL and jcr:modifyACL on /
    • jcr:read and jcr:write on /home/users/ and /home/groups
    • potentially jcr:write anywhere due to initialContent
    • jcr:read inside configurationRootPath
  3. Writing/Reading ACTool history
    • jcr:read/write on /var/statistics/actool and /apps/netcentric/achistory

kwin, Aug 18 '24 11:08
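As an added example (not part of the issue or of the ACTool code base), this Python check parses the principal-based repoinit form quoted in the issue and reports grants to `actool-service` that go beyond the permissions listed in the comment above. The allowlist keeps the comment's shorthand `jcr:readACL`/`jcr:modifyACL`; the function names and the rule that a grant is acceptable at or below an allowlisted path are assumptions of this example.

```python
import re

# Allowlist transcribed from the comment above (its privilege shorthand kept as written).
# Left out on purpose: "potentially jcr:write anywhere" and configurationRootPath,
# whose value the page does not give.
ALLOWED = {
    "/": {"jcr:readACL", "jcr:modifyACL"},
    "/home/users": {"jcr:read", "jcr:write"},
    "/home/groups": {"jcr:read", "jcr:write"},
    "/var/statistics/actool": {"jcr:read", "jcr:write"},
    "/apps/netcentric/achistory": {"jcr:read", "jcr:write"},
}
# Standard JCR privilege names mapped to the comment's shorthand.
ALIASES = {"jcr:readAccessControl": "jcr:readACL",
           "jcr:modifyAccessControl": "jcr:modifyACL"}

HEADER = re.compile(r"^set\s+(?:principal\s+)?ACL\s+for\s+(\S+)")
ALLOW = re.compile(r"^allow\s+(.+?)\s+on\s+(\S+)")


def is_allowed(privilege, path):
    """True if an allowlist entry at `path` or one of its ancestors covers the privilege."""
    if not path.startswith("/"):
        return False  # :repository and other non-path targets have no allowlist entry
    privilege = ALIASES.get(privilege, privilege)
    for base, privileges in ALLOWED.items():
        covers = base == "/" or path == base or path.startswith(base + "/")
        if covers and privilege in privileges:
            return True
    return False


def excessive_grants(repoinit, principal="actool-service"):
    """Return (privilege, path) pairs granted to `principal` beyond the allowlist."""
    findings, in_block = [], False
    for raw in repoinit.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            names = [n.strip() for n in header.group(1).split(",")]
            in_block = principal in names
        elif line == "end":
            in_block = False
        elif in_block and (allow := ALLOW.match(line)):
            for path in allow.group(2).split(","):
                for privilege in allow.group(1).split(","):
                    if not is_allowed(privilege.strip(), path):
                        findings.append((privilege.strip(), path))
    return findings
```

Only `allow` lines inside `set principal ACL for` / `set ACL for` blocks are inspected; `deny` lines and the path-based `set ACL on` form are ignored.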