Access Control Lists
Overview
JCR 2.0 manages authorization in the form of Access Control Lists (ACLs). As with authorizables, the specification does not define how ACLs are persisted; it only defines an API on top of them. However, both Jackrabbit and Oak store authorization information inside the JCR. The following formats are supported by FileVault with these JCR implementations. For all of them, the export uses the enhanced FileVault DocView format based on the internal repository representation, while the import uses the JCR ACL API to import them manually, based on the DocView format.
Standard ACLs
The standard ACLs are stored in a node named rep:policy below the node to which they apply. Alternatively, they are stored in a node repo:policy on the top level for repository level policies. The detailed format is outlined at https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation-in-the-repository. They are supported by both Oak and Jackrabbit.
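Because importing a package applies these entries through the ACL API, it is worth listing the access control entries a package carries before installing it. The following is an added example, not FileVault or Oak code: it assumes the serialized rep:policy node is a DocView XML document whose root has primary type rep:ACL with rep:GrantACE / rep:DenyACE children carrying rep:principalName and rep:privileges, as in the Oak representation linked above. The sample document, the function names and the "broad" principal and privilege sets are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted packages, prefer a hardened parser

JCR = "{http://www.jcp.org/jcr/1.0}"
REP = "{internal}"

# Constructed sample: a rep:policy node serialized as DocView XML.
SAMPLE = """<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">
  <allow0 jcr:primaryType="rep:GrantACE" rep:principalName="content-authors"
      rep:privileges="{Name}[jcr:read,rep:write]"/>
  <deny1 jcr:primaryType="rep:DenyACE" rep:principalName="everyone"
      rep:privileges="{Name}[jcr:read]"/>
  <allow2 jcr:primaryType="rep:GrantACE" rep:principalName="everyone"
      rep:privileges="{Name}[jcr:all]"/>
</jcr:root>"""

# Assumption: what counts as "broad" is a local review policy, not an Oak rule.
BROAD_PRINCIPALS = {"everyone", "anonymous"}
BROAD_PRIVILEGES = {"jcr:all", "rep:write", "jcr:modifyAccessControl"}
ACE_KINDS = {"rep:GrantACE": "allow", "rep:DenyACE": "deny"}

def parse_privileges(value):
    """Decode a DocView multi-value Name property such as {Name}[a,b]."""
    match = re.fullmatch(r"\{Name\}\[(.*)\]", value.strip())
    names = match.group(1) if match else value
    return [name.strip() for name in names.split(",") if name.strip()]

def list_aces(docview_xml):
    """Return (kind, principal, privileges) for every ACE under a rep:ACL root."""
    root = ET.fromstring(docview_xml)
    if root.get(JCR + "primaryType") != "rep:ACL":
        return []
    aces = []
    for node in root:
        kind = ACE_KINDS.get(node.get(JCR + "primaryType"))
        if kind:
            privileges = parse_privileges(node.get(REP + "privileges", ""))
            aces.append((kind, node.get(REP + "principalName"), privileges))
    return aces

def flag_broad_grants(aces):
    """Keep allow entries that give a broad principal a broad privilege."""
    return [ace for ace in aces
            if ace[0] == "allow" and ace[1] in BROAD_PRINCIPALS
            and BROAD_PRIVILEGES.intersection(ace[2])]

if __name__ == "__main__":
    for kind, principal, privileges in flag_broad_grants(list_aces(SAMPLE)):
        print(f"review: {kind} {principal} {','.join(privileges)}")
```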
Closed User Groups (CUGs)
The CUG ACLs are stored in a node named cug:policy below the node to which they apply. They are only supported in Oak.
The detailed format is outlined at https://jackrabbit.apache.org/oak/docs/security/authorization/cug.html#representation-in-the-repository.
Principal Based ACLs
The principal based ACLs are stored in a node named rep:principalPolicy separate from the node to which they apply. The exact location depends on the implementation. They are only supported in Oak.
The detailed format is outlined at https://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html#representation-in-the-repository.