Access Control Lists

Overview

JCR 2.0 manages authorization in the form of Access Control Lists (ACLs). As with authorizables, the specification does not define how ACLs are persisted; it only defines an API on top of them. However, both Jackrabbit and Oak store authorization information inside the JCR. FileVault supports the following formats with these JCR implementations. For all of them, the export uses the enhanced FileVault DocView format based on the internal repository representation, while the import reads the DocView format and applies the ACLs through the JCR ACL API.

Standard ACLs

The standard ACLs are stored in a node named rep:policy below the node to which they apply. Repository-level policies are instead stored in a node named repo:policy at the top level. The detailed format is outlined at https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation-in-the-repository. They are supported by both Oak and Jackrabbit.

Closed User Groups (CUGs)

The CUG ACLs are stored in a node named cug:policy below the node to which they apply. They are only supported in Oak. The detailed format is outlined at https://jackrabbit.apache.org/oak/docs/security/authorization/cug.html#representation-in-the-repository.

Principal Based ACLs

The principal-based ACLs are stored in a node named rep:principalPolicy, separate from the node to which they apply. The exact location depends on the implementation. They are only supported in Oak. The detailed format is outlined at https://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html#representation-in-the-repository.
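
To review which policies a package would import before installing it, the following added example (not FileVault's own code) scans a DocView XML string for the policy node names listed above and summarises their entries. The function names are hypothetical, the sample document is constructed, and the entry attributes (jcr:primaryType, rep:principalName, rep:privileges) and namespace URIs are assumed from Oak's standard ACL representation rather than taken from this page.

```python
import io
import xml.etree.ElementTree as ET

# Policy node names as given in the text above, mapped to the ACL kind.
POLICY_NODES = {"rep:policy": "standard", "repo:policy": "repository level",
                "cug:policy": "closed user group",
                "rep:principalPolicy": "principal based"}
JCR, REP = "{http://www.jcp.org/jcr/1.0}", "{internal}"  # jcr: and rep: namespaces

def qname(tag, prefixes):
    """Turn ElementTree's '{uri}local' back into the document's 'prefix:local'."""
    uri, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return f"{prefixes.get(uri, uri)}:{local}" if uri else local

def entry(elem):
    # DocView multi-values look like "{Name}[jcr:read,rep:write]".
    privs = elem.get(REP + "privileges", "").split("}", 1)[-1].strip("[]")
    return {"type": elem.get(JCR + "primaryType"),
            "principal": elem.get(REP + "principalName"),
            "privileges": [p for p in privs.split(",") if p]}

def find_policies(docview_xml):
    """Return one record per policy node in a DocView XML string."""
    prefixes, stack, found = {}, [], []
    source = io.BytesIO(docview_xml.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            prefixes[item[1]] = item[0]          # uri -> prefix
        elif event == "start":
            stack.append(qname(item.tag, prefixes))
        else:
            name = stack.pop()
            if name in POLICY_NODES:
                found.append({"kind": POLICY_NODES[name],
                              "stored_under": "/" + "/".join(stack[1:]),
                              "entries": [entry(child) for child in item]})
    return found

# Constructed sample, not taken from a real package.
SAMPLE = """<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal">
  <secret jcr:primaryType="nt:unstructured">
    <rep:policy jcr:primaryType="rep:ACL">
      <deny0 jcr:primaryType="rep:DenyACE" rep:principalName="everyone"
             rep:privileges="{Name}[jcr:read]"/>
      <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="editors"
              rep:privileges="{Name}[jcr:read,rep:write]"/>
    </rep:policy>
  </secret>
</jcr:root>"""
```

The stored_under path is relative to the root node of the DocView file; for a principal-based policy it is where the policy is stored, not the node it applies to.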