| blob | 5290607d498bb06dd3dd4ca70c2210f0e20b24a7 |
3 <head>
6 <!-- OpenEMR - Adds Bootstrap to this file !-->
16 <style>
17 .font1 {
18 font-family: "Bitstream Vera Sans Mono", sans-serif !important;
19 }
21 .font2 {
22 font-family: Arial, sans-serif !important;
23 }
25 .font3 {
26 font-family: "Times New Roman", serif !important;
27 }
29 .font4 {
30 font-family: "Luxi Sans", sans-serif !important;
31 }
33 .font5 {
34 font-family: Helvetica, Arial, sans-serif !important;
35 }
37 .font6 {
38 font-family: "Courier New", sans-serif !important;
39 }
41 .font-code {
42 font-family: "Courier New", monospace !important;
43 }
45 .font-code-2 {
46 font-family: Courier, "Courier New", monospace !important;
47 }
49 .font-small {
50 font-size: small;
51 }
53 p {
54 margin-top: 0.48rem;
55 margin-bottom: 0.48rem;
56 color: #000000;
57 line-height: 1rem;
58 widows: 2;
59 orphans: 2;
60 }
62 p.western {
63 font-family: "Bitstream Vera Sans Mono", sans-serif;
64 font-size: 0.8125rem;
65 }
67 p.cjk {
68 font-family: "Times New Roman", serif;
69 font-size: 0.8125rem;
70 }
72 h1 {
73 margin-bottom: 0.25rem;
74 border-top: none;
77 border-right: none;
78 padding-top: 0;
79 padding-bottom: 0.125rem;
80 padding-left: 0.125rem;
81 padding-right: 0;
82 color: #000000;
83 widows: 2;
84 orphans: 2;
85 page-break-before: always;
86 }
88 h1.western {
89 font-family: "Arial", sans-serif;
90 font-size: 1.3125rem;
91 }
93 h1.cjk {
95 font-size: 1.3125rem;
96 }
98 h1.ctl {
99 font-family: "Arial Unicode MS";
100 font-size: 1rem;
101 }
103 h2 {
104 margin-bottom: 0.25rem;
105 color: #000000;
106 widows: 2;
107 orphans: 2;
108 }
110 h2.western {
111 font-family: "Georgia", serif;
112 font-size: 1.0625rem;
113 font-style: normal;
114 }
116 h2.cjk {
118 font-size: 1.125rem;
119 font-style: italic;
120 }
122 h2.ctl {
123 font-family: "Arial Unicode MS";
124 font-size: 1rem;
125 }
127 h3 {
128 margin-top: 0.48rem;
129 margin-bottom: 0.48rem;
130 color: #000000;
131 line-height: 1rem;
132 widows: 2;
133 orphans: 2;
134 }
136 h3.western {
138 font-size: 0.8125rem;
139 }
141 h3.cjk {
142 font-family: "Times New Roman", serif;
143 font-size: 0.8125rem;
144 }
146 h3.ctl {
147 font-family: "Arial Unicode MS";
148 font-size: 1rem;
149 }
151 h4 {
152 margin-top: 0.48rem;
153 margin-bottom: 0.48rem;
154 color: #000000;
155 line-height: 1rem;
156 widows: 2;
157 orphans: 2;
158 }
160 h4.western {
162 font-size: 0.8125rem;
163 font-style: italic;
164 }
166 h4.cjk {
167 font-family: "Times New Roman", serif;
168 font-size: 0.8125rem;
169 font-style: italic;
170 }
172 h4.ctl {
173 font-family: "Arial Unicode MS";
174 font-size: 1rem;
175 }
177 A:link {
178 color: #0000ff;
179 }
181 @media print {
182 @page {
184 margin: 1.18in;
185 }
187 p {
188 margin-top: 0.08in;
189 margin-bottom: 0.25rem;
190 line-height: 1rem;
191 }
193 p.western, p.cjk {
194 font-size: 10pt;
195 }
197 h1 {
198 margin-bottom: 0.04in;
201 padding-bottom: 0.02in;
202 padding-left: 0.02in;
203 }
205 h2 {
206 margin-bottom: 0.04in;
207 }
209 h3 {
210 margin-top: 0.08in;
211 margin-bottom: 0.25rem;
212 line-height: 1rem;
213 }
215 h4 {
216 margin-top: 0.08in;
217 margin-bottom: 0.25rem;
218 line-height: 1rem;
219 }
221 h1.western, h1.cjk {
222 font-size: 16pt;
223 }
225 h2.western {
226 font-size: 13pt;
227 }
229 h2.cjk {
230 font-size: 14pt;
231 }
233 h3.western, h3.cjk, h4.western, h4.cjk {
234 font-size: 10pt;
235 }
237 h1.ctl, h2.ctl, h3.ctl, h4.ctl {
238 font-size: 12pt;
239 }
240 }
241 .image-space {
242 content: ' ';
243 display: block;
244 }
245 </style>
246 </head>
250 <p class="text-center image-space" style="margin-top: 1rem; line-height: 100%; page-break-after: avoid;">
251 <img src="manual_html_m54d0ced8.png" id="Graphic6" class="img-responsive d-block ml-auto" width="165" height="45" alt="phpGACL Logo" />
252 </p>
255 <span class="font-weight-bold" style="font-size: x-large">Generic Access Control Lists with PHP</span>
256 </span>
257 </p>
266 </a>
267 <span class="font1">><br />Karsten Dambekalns <</span><a href="mailto:k.dambekalns@fishfarm.de">
269 </a>
271 </p>
273 <span class="font1">Copyright © 2002-2006 Mike Benoit<br />Copyright © 2003, James Russell<br />Copyright © 2003, Karsten Dambekalns</span>
274 </p>
277 </p>
279 <span class="font1">Last Updated: <strong><sdfield TYPE="datetime" sdnum="1033;1033;MMMM D, YYYY">September 3, 2006</sdfield> - <sdfield type="datetime" sdval="37761.788287037" sdnum="1033;1033;HH:MM AM/PM">06:55 PM</sdfield></strong></span>
280 </p>
285 </p>
288 </p>
291 </p>
294 </p>
297 </p>
300 </p>
303 </p>
306 </p>
309 </p>
312 </p>
314 <span class="font2"><a href="#defaccesscontrol">Defining access control with phpGACL 6</a></span>
315 </p>
318 </p>
321 </p>
325 </p>
328 </p>
331 </p>
334 </p>
337 </p>
340 </p>
343 </p>
346 </p>
349 </p>
352 </p>
355 </p>
359 </p>
363 </p>
366 of my website tree while leaving a link in the tree for
368 </p>
371 </p>
374 </p>
377 </p>
380 </p>
383 </p>
386 </p>
389 </p>
392 </p>
395 </p>
398 </p>
401 </p>
404 </p>
407 </p>
410 </p>
413 </p>
416 </p>
419 </p>
422 </p>
426 </p>
427 </div>
432 is an set of functions that allows you to apply access control to
433 arbitrary objects (web pages, databases, etc) by other arbitrary
434 objects (users, remote hosts, etc).</span>
435 </p>
437 <span class="font1">It offers fine-grained access control with simple management, and is very fast.</span>
438 </p>
442 language that is commonly used to dynamically create web pages. The
443 GACL part of phpGACL stands for Generic Access Control List.</span>
444 </p>
447 <span class="font1">phpGACL is hosted by sourceforge.net at </span><a href="http://phpGACL.sourceforge.net/">
449 </a>
450 </p>
454 requires a relational database to store the access control
455 information. It accesses this database via an abstract wrapper called
458 </a>
460 This is compatible with databases such as PostgreSQL, MySQL and
461 Oracle.</span>
462 </p>
467 </a>
470 </p>
473 Control List administration is performed by a web interface, and
474 therefore it is necessary to have a web server with PHP support, such
477 </a>
479 </p>
482 </h2>
488 </p>
492 <span class="font1"> and Karsten Dambekalns</span> <<a href="mailto:k.dambekalns@fishfarm.de"><span class="font1">k.dambekalns@fishfarm.de</span></a>>
494 </p>
498 Access Control</span>
499 </h2>
503 best way to explain access control is to use examples with real
504 things rather than trying to relate to concepts.</span>
505 </span>
506 </p>
510 is captain of the Millennium Falcon and Chewie is his second officer.
511 They've taken on board some passengers: Luke, Obi-wan, R2D2 and C3PO.
512 Han needs to define access restrictions for various rooms of the
513 ship: The Cockpit, Lounge, Engines and the external Guns.</span>
514 </span>
515 </p>
519 says: "Me and Chewie should have access to everywhere, but after
520 a particularly messy hyperdrive repair, I forbid Chewie from going
521 near the Engine Room ever again. Passengers are confined to the
523 </span>
524 </p>
528 assume from now on that access is Boolean. That is, the result of
529 looking up a person's access to a room is either ALLOW or DENY. There
530 is no middle ground.</span>
531 </span>
532 </p>
537 <span>If
539 showing who has access to where, it would look something like this (O
540 means ALLOW, X means DENY):</span>
541 </span>
542 </span>
543 </span>
544 </p>
545 <dl>
546 <dd>
557 </h3>
558 </td>
563 </span>
564 </p>
565 </td>
570 </span>
571 </p>
572 </td>
577 </span>
578 </p>
579 </td>
584 </span>
585 </p>
586 </td>
587 </tr>
593 </span>
594 </p>
595 </td>
600 </span>
601 </p>
602 </td>
607 </span>
608 </p>
609 </td>
614 </span>
615 </p>
616 </td>
621 </span>
622 </p>
623 </td>
624 </tr>
630 </span>
631 </p>
632 </td>
637 </span>
638 </p>
639 </td>
644 </span>
645 </p>
646 </td>
651 </span>
652 </p>
653 </td>
658 </span>
659 </p>
660 </td>
661 </tr>
667 </span>
668 </p>
669 </td>
674 </span>
675 </p>
676 </td>
681 </span>
682 </p>
683 </td>
688 </span>
689 </p>
690 </td>
695 </span>
696 </p>
697 </td>
698 </tr>
704 </span>
705 </p>
706 </td>
711 </span>
712 </p>
713 </td>
718 </span>
719 </p>
720 </td>
725 </span>
726 </p>
727 </td>
732 </span>
733 </p>
734 </td>
735 </tr>
741 </span>
742 </p>
743 </td>
748 </span>
749 </p>
750 </td>
755 </span>
756 </p>
757 </td>
762 </span>
763 </p>
764 </td>
769 </span>
770 </p>
771 </td>
772 </tr>
778 </span>
779 </p>
780 </td>
785 </span>
786 </p>
787 </td>
792 </span>
793 </p>
794 </td>
799 </span>
800 </p>
801 </td>
806 </span>
807 </p>
808 </td>
809 </tr>
810 </table>
811 </dd>
812 </dl>
817 <span><span>The
818 columns list the rooms that Han wants to restrict access to, and the
819 rows list the people that might request access to those rooms. More
827 </span>
828 </span>
829 </span>
830 </p>
835 <span>There is a third type of Object, the </span><strong>Access eXtention Object</strong><span> (AXO) that we'll discuss later. These objects share many attributes and are collectively referred to as Access Objects.</span>
836 </span>
837 </span>
838 </span>
839 </p>
842 <span class="font-small">Managing access using an access matrix like the one above has advantages and disadvantages.</span>
843 </span>
844 </p>
848 </span>
849 </p>
850 <ul>
851 <li>
855 very fine-grained. It's possible to control access for an individual
856 person if necessary.</span>
857 </span>
858 </p>
859 <li>
864 It's
866 stored in the intersection of the person and the room.
867 </span>
868 </span></span>
869 </span>
870 </p>
871 </ul>
875 </span>
876 </p>
877 <ul>
883 fairly simple, but what if there were thousands of passengers and
884 hundreds of places, and you need to restrict access to large groups
885 of them at once, but still retain enough fine-grained control to
886 manage access for an individual? That would mean a lot of fiddly and
887 lengthy adjustment to the matrix, and it's a difficult task to
888 verify that the final matrix is correct.</span>
889 </span>
890 </p>
891 </li>
892 <li>
896 hard to summarize or visualize. The above example is fairly simple
897 to summarize in a few sentences (as Han did above), but what if the
898 matrix looked like this?</span>
899 </span>
900 </p>
911 </h3>
912 </td>
917 </span>
918 </p>
919 </td>
924 </span>
925 </p>
926 </td>
931 </span>
932 </p>
933 </td>
938 </span>
939 </p>
940 </td>
941 </tr>
947 </span>
948 </p>
949 </td>
954 </span>
955 </p>
956 </td>
961 </span>
962 </p>
963 </td>
968 </span>
969 </p>
970 </td>
975 </span>
976 </p>
977 </td>
978 </tr>
984 </span>
985 </p>
986 </td>
991 </span>
992 </p>
993 </td>
998 </span>
999 </p>
1000 </td>
1005 </span>
1006 </p>
1007 </td>
1012 </span>
1013 </p>
1014 </td>
1015 </tr>
1021 </span>
1022 </p>
1023 </td>
1028 </span>
1029 </p>
1030 </td>
1035 </span>
1036 </p>
1037 </td>
1042 </span>
1043 </p>
1044 </td>
1049 </span>
1050 </p>
1051 </td>
1052 </tr>
1058 </span>
1059 </p>
1060 </td>
1065 </span>
1066 </p>
1067 </td>
1072 </span>
1073 </p>
1074 </td>
1079 </span>
1080 </p>
1081 </td>
1086 </span>
1087 </p>
1088 </td>
1089 </tr>
1095 </span>
1096 </p>
1097 </td>
1102 </span>
1103 </p>
1104 </td>
1109 </span>
1110 </p>
1111 </td>
1116 </span>
1117 </p>
1118 </td>
1123 </span>
1124 </p>
1125 </td>
1126 </tr>
1132 </span>
1133 </p>
1134 </td>
1139 </span>
1140 </p>
1141 </td>
1146 </span>
1147 </p>
1148 </td>
1153 </span>
1154 </p>
1155 </td>
1160 </span>
1161 </p>
1162 </td>
1163 </tr>
1164 </table>
1168 matrix is not so obvious to summarize, and it's not clear to the
1169 reader why those access decisions might have been made in the first
1170 place.</span>
1171 </span>
1172 </p>
1173 </li>
1174 </ul>
1175 <h2 class="western" id="defaccesscontrol"><span class="font1">Defining access control with phpGACL</span></h2>
1178 seems that for large or complex situations, this 'access matrix'
1179 approach is clearly unsuitable. We need a better system that
1182 to summarize, and difficult to manage large groups of people at
1183 once). One solution is phpGACL.</span>
1184 </p>
1189 phpGACL
1190 doesn't describe access from the 'bottom-up' like the Access Matrix
1191 above. Instead, it describes it 'top-down', like the textual
1192 description of Han's access policy. This is a very flexible system
1193 that allows you to manage access in large groups, it neatly
1196 </span>
1197 </span></span>
1198 </span>
1199 </p>
1204 <span>An
1207 access). This is very similar to a tree view of folders and files.
1208 The 'folders' are the Groups and the 'files' are AROs.</span>
1209 </span>
1210 </span>
1211 </span>
1212 </p>
1216 make an ACL tree for the people on Han's ship. First we define some
1217 categories for the people. It's clear that Han and Chewie run the
1218 ship, and the rest of them are just passengers:</span>
1219 </span>
1220 </p>
1229 </span>
1230 </p>
1234 tree by itself doesn't specify any access policy; it just shows how
1235 we're grouping the people who might request access (AROs).</span>
1236 </span>
1237 </p>
1240 apply access restrictions by assigning instructions about a
1241 particular room (ACO) to Groups or AROs in the tree. Han says: "By
1242 default, no-one should be allowed access to any room on the
1243 Millennium Falcon. But the Crew should have access to every room. The
1245 </p>
1251 <span>Millennium
1252 Falcon Passengers<br />├─Crew </span><strong>[ALLOW: ALL]</strong><span><br />│
1253 ├─Han<br />│ └─Chewie<br />└─Passengers </span><strong>[ALLOW:
1256 </span>
1257 </span>
1258 </span>
1259 </span>
1260 </p>
1263 <span class="font-small">To interpret this ARO tree, we start from the top and work our way down.</span>
1264 </span>
1265 </p>
1269 the default policy is always to deny access. Permissions have been
1273 only to the Lounge.</span>
1274 </span>
1275 </p>
1280 This
1281 way of describing the access policy is much clearer than the access
1282 matrix. You can easily see who has access to what, and it's easier to
1284 and Chewie would have access to everything, since they're grouped
1286 </span>
1287 </span></span>
1288 </span>
1289 </p>
1293 </span>
1294 </p>
1295 <ul>
1301 <strong>Access Control Objects </strong><span>(ACOs) are the things we want to control access to (e.g. web pages, databases, rooms, etc).</span>
1302 </span>
1303 </span>
1304 </span>
1305 </p>
1306 <li>
1311 <strong>Access
1312 Request Objects</strong><span> (AROs) are the things that
1313 request access (e.g. people, remote computers, etc)</span>
1314 </span>
1315 </span>
1316 </span>
1317 </p>
1318 <li>
1324 and AROs. Groups can contain other Groups and AROs.</span>
1325 </span>
1326 </span>
1327 </span>
1328 </p>
1329 <li>
1333 default 'catch-all' policy for the ARO tree is always "DENY
1335 </span>
1336 </p>
1337 <li>
1341 assign access policy, work your way down the tree, explicitly
1342 assigning permissions to Groups and AROs for each ACO as the need
1343 arises.</span>
1344 </span>
1345 </p>
1346 </ul>
1347 <h2 class="western" id="finegrainacccontrol"><span class="font1">Fine-grain access control</span></h2>
1352 indirectly given him access to the Engines! He doesn't want that
1353 after what Chewie recently did to the hyperdrive, so he adds a rule
1354 to disallow this:</span>
1355 </span>
1356 </p>
1362 <span>Millennium
1368 </span>
1369 </span>
1370 </span>
1371 </span>
1372 </p>
1376 is an example of the way you can control access policy in a
1377 fine-grained manner. It is not necessary to move Chewie to another
1378 Group; we simply over-ride the access policy at a lower level.</span>
1379 </span>
1380 </p>
1383 <span class="font-small">Another example of fine-grain control happens when the Empire attacks; Han needs to let Luke man the guns, and let R2D2 repair the hyperdrive in the Engine room. He can do this by over-riding the general permissions granted by their status as a "Passenger":</span>
1384 </span>
1385 </p>
1391 <span>Millennium
1398 </span>
1399 </span>
1400 </span>
1401 </span>
1402 </p>
1405 Groups</span>
1406 </h2>
1410 can be extended to any level in the ARO tree. For example, you could
1414 be extended extra privileges (like access to the Cockpit):</span>
1415 </span>
1416 </p>
1422 <span>Millennium
1430 </span>
1431 </span>
1432 </span>
1433 </span>
1434 </p>
1437 does phpGACL determine permissions?</span>
1438 </h2>
1442 the ship's computer (running phpGACL of course) checks access, the
1443 only question it can ask itself is "Does person X have access to
1446 </span>
1447 </p>
1451 determines whether a specific person has access to a specific room by
1452 working from the top of the ARO tree towards the specified person,
1453 noting explicit access controls for that place along the way. When it
1454 reaches that person, it uses the last explicit access control it
1455 encountered as the result to return. In this way, you can define
1456 access controls for groups of people, but over-ride them further down
1457 the tree if you need to.</span>
1458 </span>
1459 </p>
1464 <strong>Example
1467 </span>
1468 </span>
1469 </span>
1470 </p>
1471 <ul>
1477 </span>
1478 </p>
1479 </li>
1480 <li>
1484 out a path to Luke:</span>
1485 </span>
1486 </p>
1487 </li>
1488 </ul>
1492 </h4>
1493 <ul>
1498 at the top of the tree and move towards Luke: The "Millennium
1499 Falcon Passengers" node doesn't say anything about any room, so
1500 do nothing here.</span>
1501 </span>
1502 </p>
1503 <li>
1510 </span>
1511 </p>
1512 <li>
1517 all.</span>
1518 </span>
1519 </p>
1520 <li>
1524 move to Luke's node, and again there's nothing there about the
1525 Lounge.</span>
1526 </span>
1527 </p>
1528 <li>
1532 nowhere left to go, so the result returned is the current value of
1534 </span>
1535 </p>
1536 </ul>
1541 <strong>Example
1544 </span>
1545 </span>
1546 </span>
1547 </p>
1548 <ul>
1554 </span>
1555 </p>
1556 <li>
1560 out a path to Chewie:</span>
1561 </span>
1562 </p>
1563 </ul>
1567 </h4>
1568 <ul>
1569 <li>
1572 say anything about anywhere, so do nothing here.</p>
1573 <li>
1579 </span>
1580 </p>
1581 <li>
1585 to Chewie's node, and there's an explicit rule saying that he
1586 doesn't have access to the Engines, so change the internal result to
1588 </span>
1589 </p>
1590 <li>
1594 nowhere left to go, so the result returned is the current value of
1596 </span>
1597 </p>
1598 </ul>
1602 you can see from the examples, if a Group doesn't explicitly specify
1603 a permission for a room, then that Group inherits the access
1604 restrictions of its parent for that room. If the root node
1607 in the above examples).</span>
1608 </span>
1609 </p>
1613 implies a couple of interesting points about the ARO tree:</span>
1614 </span>
1615 </p>
1616 <ul>
1621 ARO tree always shows the full list of the AROs. It would not make
1623 because Jabba has not been defined in this system. However, phpGACL
1624 does not check to see if AROs or ACOs exist before performing the
1625 check, so if this question was actually asked then the result would
1627 </span>
1628 </p>
1629 <li>
1633 ARO tree may not display some defined ACOs, and relies on the
1634 default setting to define access policy. For example, say Han
1636 Luke have access to the Bathroom?" would have the answer
1638 nowhere in the ARO tree does it ever explicitly mention the
1639 Bathroom. Keep in mind when examining the ARO tree that some ACOs
1640 may not be visible.</span>
1641 </span>
1642 </p>
1643 </ul>
1649 When asking phpGACL questions about access to an ACO, it is not
1650 possible to use Groups as AROs (even though it might 'seem' right).
1651 For example, it is impossible to answer the question "Do
1652 Passengers have access to Guns?" The complete answer is not a
1655 not designed to return that kind of answer.</span>
1656 </span>
1657 </span>
1658 </span>
1659 </p>
1662 groups</span>
1663 </h2>
1667 feels this ACL is starting to look a little complicated. There are so
1669 containing the people who are allowed access to the Engines and Guns.
1670 That group should contain Han and R2D2 since they're both capable of
1671 repairing the engines and guns. This means Han can remove some of
1672 those messy exceptions-to-the-rules, and that has the benefit of
1673 making the description clearer:</span>
1674 </span>
1675 </p>
1684 Guns]</strong><br /> ├─<strong>Han</strong><br /> └─<strong>R2D2</strong></span>
1685 </p>
1689 can read this as "By default, no-one has access to anywhere.
1690 Crew have access to everywhere (except Chewie, who has no access to
1691 the Engines). Passengers only have access to the Lounge, except Jedi
1692 who also have access to the Cockpit. Luke has access to the Guns too.
1694 </span>
1695 </p>
1700 <span>Most
1702 places in the ACL. It is not necessary for them to be uniquely
1703 categorized at all. This defines the policy more clearly to the
1704 reader: "Ahh, Han and R2D2 have access to the Engines and Guns
1706 </span>
1707 </span>
1708 </span>
1709 </p>
1712 people</span>
1713 </h2>
1717 goes to Cloud City to pick up Lando and get some repairs. Lando's the
1718 Millennium Falcon's previous owner, so Han reckons he qualifies as
1719 Crew. Lando also offers the services of his top engineer, Hontook,
1720 for help with repairing the ship while they're in dock.</span>
1721 </span>
1722 </p>
1727 Engines]<br />│ └─<strong>Lando</strong><br />├─Passengers [ALLOW:
1732 Guns]<br /> ├─Han<br /> ├─R2D2<br /> └─<strong>Hontook</strong></span>
1733 </p>
1737 shows how easy it is to grant new people access. If we used the
1738 original matrix scheme, we'd have to set permissions for each room
1739 for both Lando and Hontook. Instead, we simply add them to their
1740 appropriate groups and their access is implicitly and easily defined.</span>
1741 </span>
1742 </p>
1745 conflicts</span>
1746 </h2>
1749 happens if we add Chewie to the list of Engineers?</span>
1750 </p>
1762 </p>
1764 ambiguous, because now there are two paths from the root of the tree
1769 or denied?</p>
1771 multiply-grouped ARO in such a way that the ARO's access to an
1773 resolve the conflict.</p>
1775 Chewie have access to Engines?" the result returned is the
1777 phpGACL's policy). In this case the result is ALLOW, because the
1780 assigned to Chewie's Group.</p>
1783 very dangerous, and you may unwittingly provide access to
1784 inappropriate people if you allow your ACL to remain in this state.
1785 When phpGACL warns you that the ACL is inconsistent, it is best to
1786 resolve the conflicts as soon as possible to regain consistency.</p>
1788 either:</p>
1789 <ul>
1792 directive from Chewie's entry under the Crew Group.</p>
1793 <li>
1795 Chewie's entry under the Engineers Group.</p>
1796 <li>
1798 Han doesn't think him a worthy Engineer anyway.</p>
1799 </ul>
1801 Engineers list.</p>
1806 uniquely identifies each Access Object (AROs, AXOs and ACOs) with a
1807 two-keyword combination and it's Access Object type.</span>
1808 </span>
1809 </p>
1814 identifies any Access Object.</span>
1815 </span>
1816 </p>
1820 first element of the tuple is the type of Access Object (ARO, AXO or
1821 ACO).</span>
1822 </span>
1823 </p>
1829 <span>The
1831 is a user-defined string which names the general category of the
1832 Access Object. Multiple Access Objects can share the same Section
1833 name. The Section name should be short but descriptive. It's used in
1834 the user interface in selection boxes, so try not to make it too
1835 long.</span>
1836 </span>
1837 </span>
1838 </span>
1839 </span>
1840 </p>
1844 are stored in a flat namespace; they are not nestable like Groups.
1845 Sections have nothing to do with Groups or the ARO/AXO trees - they
1846 are purely a mechanism for helping to maintain large numbers of
1847 Access Objects.</span>
1848 </span>
1849 </p>
1855 <span>The
1856 third element of the tuple is a user-defined name for the Access
1859 </span>
1860 </span>
1861 </span>
1862 </span>
1863 </p>
1868 </span>
1869 </p>
1870 <p class="western" style="margin-left: 0.38in; margin-top: 0; margin-bottom: 0in; line-height: 1rem">
1875 It is commonly asked why strings are used to identify Access Objects,
1876 rather than integers which ostensibly seem faster. The answer is for
1877 legibility. It is much easier to understand:<br /> </span></span><span>
1879 'login', 'users', 'john_doe');<br /></span>
1883 </span>
1884 </span>
1885 </span>
1886 </span>
1887 </p>
1893 <span>Since
1894 it is often obvious from the context which type of Access Object we
1895 are referring to, the interface for phpGACL (and this documentation)
1898 an Access Object. However, the API requires an Access Object's
1900 function arguments (the Access Object type is usually implicit in the
1901 argument description).</span>
1902 </span>
1903 </span>
1904 </span>
1905 </span>
1906 </p>
1911 </span>
1912 </p>
1913 <ul>
1919 </span>
1920 </p>
1921 <li>
1926 </span>
1927 </p>
1928 <li>
1933 </span>
1934 </p>
1935 </ul>
1937 <ul>
1943 </span>
1944 </p>
1945 <li>
1949 </span>
1950 </p>
1951 <li>
1955 </span>
1956 </p>
1957 </ul>
1959 <ul>
1964 aco_section, aco_value, aro_section, aro_value);</span>
1965 </span>
1966 </p>
1967 <li>
1972 </span>
1973 </p>
1974 </ul>
1978 Naming Restrictions Examples:</strong></span>
1979 </span>
1980 </p>
1981 <ul>
1987 Section and Value are the same in both, but this is fine as
1988 namespaces are separate across Access Object types)</span>
1989 </span>
1990 </p>
1991 <li>
1996 Access Object type and Section are the same, but this is fine as the
1997 Values are different)</span>
1998 </span>
1999 </p>
2000 <li>
2005 </span>
2006 </p>
2007 </ul>
2011 Naming Restrictions Examples:</strong></span>
2012 </span>
2013 </p>
2014 <ul>
2021 </span>
2022 </p>
2023 <li>
2028 </span>
2029 </p>
2030 </ul>
2034 you can add a new Access Object, its Section must be defined. To add
2035 a new section, use the add_object_section() function.</span>
2036 </p>
2040 (</span>
2041 </span>
2042 </p>
2046 name,</span> A short description of what this Section is for. (e.g.
2048 </span>
2049 </p>
2054 </span>
2055 </p>
2058 <span class="font-code">int ORDER,</span> An arbitrary value which affects the order this Section appears in the UI.
2059 </span>
2060 </p>
2063 <span class="font-code">bool HIDDEN, </span>Whether this should appear in the UI or not (TRUE means that is will be hidden).
2064 </span>
2065 </p>
2068 <span class="font-code">string GROUP_TYPE) </span>The Access Object type ("aco", "aro" or "axo")</span>
2069 </p>
2075 </span>
2076 </p>
2080 ├─<strong>"Humans > Han"</strong><br />│ ├─<strong>"Aliens
2088 ├─<strong>"Humans > Han"</strong><br /> ├─<strong>"Androids
2089 > R2D2"</strong><br /> └─<strong>"Aliens > Hontook"</strong></span>
2090 </p>
2094 are just a way of categorizing Access Objects, to make the user
2095 interface more usable, and the code for acl_check() more readable.
2096 They do not affect the way phpGACL determines access to an object.
2100 </span>
2101 </p>
2105 <span class="font-small">You may need to use phpGACL for multiple independent purposes. For example, you may need to restrict user access to web pages, and also remote host access to your server. The two tasks are not related.</span>
2106 </span>
2107 </p>
2111 </span>
2112 </p>
2113 <ul>
2118 </span>
2119 </p>
2120 <li>
2123 <span class="font-small">It can use the same database but with differently named access tables. (this feature is not implemented yet).</span>
2124 </span>
2125 </p>
2126 <li>
2129 <span class="font-small">You can store the Access Objects for both purposes in the same tables, and carefully manage your list so that they don't conflict.</span>
2130 </span>
2131 </p>
2132 </ul>
2137 $gacl_options array when creating a new phpGACL class. This allows
2138 you to specify the database and table name prefixes to use:</span>
2139 </span>
2140 </p>
2147 'gacl');</span>
2148 </span>
2149 </p>
2151 <br />
2152 </p>
2156 </span>
2157 </p>
2161 implement Option 3, you must be careful, since phpGACL doesn't know
2162 the relationship between your different tasks, and it will be
2163 possible to make meaningless Access Policy Directives.</span>
2164 </span>
2165 </p>
2169 example, say Han wanted to restrict access to other ships contacting
2170 his ship's computer, in addition to restricting access to the
2171 different rooms. To do this, he might add "Luke's X-Wing
2172 Fighter" as a remote ship ARO (in addition to other ships and an
2173 ACO for the ship's computer). Because all AROs are in the same ARO
2176 which would be totally meaningless! To help reduce mistakes like
2177 this, good Section naming can make it clearer what Access Objects are
2178 for which tasks. It should be obvious to any administrator that it's
2179 meaningless to assign a Ship permission to use a Room.</span>
2180 </span>
2181 </p>
2184 3rd dimension to the permissions that can be configured in phpGACL.
2185 We've seen how phpGACL allows you to combine an ARO and an ACO (2
2186 dimensions) to create an Access Policy Directive. This is great for
2187 simple permission requests like:</p>
2189 (ACO)</p>
2191 totally optional.</p>
2193 makes it difficult to manage if there are many ACOs. If this is the
2194 case, we can change the way we look at Access Objects to manage it
2195 more easily.</p>
2197 is an AXO tree (separate from the ARO tree), with it's own Groups and
2198 AXOs. When dealing with AXOs, consider an AXO to take the old role of
2203 <ul>
2206 <li>
2208 </ul>
2210 <ul>
2213 <li>
2215 <li>
2217 </ul>
2220 projects on the website. The ARO tree consists of all the users:</p>
2225 </p>
2227 into categories in the AXO tree:</p>
2230 ├─SpamFilter2<br />│ └─AutoLinusWorshipper<br />└─Windows<br />
2232 </p>
2236 all the Linux projects, so it's possible to add an ACL that links
2237 Bob's ARO to the View ACO and the Linux AXO, and thus we can ask the
2238 question:</p>
2242 specify an AXO when calling acl_check() and a matching ACL exists
2244 with AXO's, and you call acl_check() without an AXO, it will fail.</p>
2246 calling acl_check(), acl_check() will only search ACLs containing
2247 AXO's. If no AXO is specified, only ACLs without AXOs are searched.
2248 This in theory (I haven't benchmarked) gives us a slight performance
2249 increase as well.</p>
2252 <OL>
2253 <li>
2255 root or a subdirectory of your web site. You might want to rename it
2256 to something more suitable.<br /><br /><br />
2257 </p>
2258 <p class="western"><iMG SRC="manual_html_m48c2db5c.png" name="Graphic1" class="img-responsive" width="474" height="146" /><br style="clear: left;" /></p>
2259 <li>
2261 favourite editor and set the db_type, db_host, db_user, db_password,
2262 and db_name you will be using.</p>
2263 <li>
2265 on the server.<br /><br /><br />
2266 </p>
2267 <p class="western"><img src="manual_html_m770a5a15.png" name="Graphic3" class="img-responsive" width="397" height="123"><br style="clear: left;" /></p>
2269 <li>
2271 http://yoursite.net/phpgacl/setup.php. The required tables will be
2272 installed based on your choice of database. Don't be afraid of the
2273 truckload of output, if all goes well you will see only success
2274 messages.<br /><br /><br />
2275 </p>
2276 </OL>
2277 <p class="western"><img src="manual_html_7dced6ce.png" name="Graphic4" class="img-responsive" width="519" height="504" /><br style="clear: left;" /><br /><br />
2278 </p>
2280 <li>
2282 screen and create the phpgacl/admin/smarty/templates_c directory. It
2283 must be writable by the user the webserver runs as. If you don't do
2284 this, you will not be able to use the CAL admin!</p>
2285 <li>
2287 successful setup page or surf
2289 </OL>
2292 installation</h3>
2294 phpGACL to use this copy of ADOdb.</p>
2295 <OL>
2296 <li>
2298 reflects the location of the ADOdb library in your path.</p>
2299 <li>
2301 else like adodb_x and reload the phpgacl/admin/acl_admin.php page to
2302 ensure it still works.</p>
2303 <li>
2305 phpGACL.</p>
2306 </OL>
2308 installation</h3>
2310 phpGACL to use this copy of ADOdb.</p>
2311 <OL>
2312 <li>
2314 the variables $smarty_dir and $smarty_compile_dir reflect the
2315 location of the Smarty library in your path and the template_c
2316 directory you already use.</p>
2318 phpGACL to another directory (e.g. one level up). Adjust the
2319 $smarty_template_dir so it points to the new location. If you like
2320 you can move those templates to your existing templates folder, of
2321 course.</p>
2322 <li>
2324 else like smarty_x and reload the phpgacl/admin/acl_admin.php page
2325 to ensure it still works.</p>
2326 <li>
2328 phpGACL.</p>
2329 </OL>
2331 of my website tree while leaving a link in the tree for
2332 administration?</h3>
2333 <OL>
2334 <li>
2336 <li>
2338 directory and create a symlink to the admin directory where you want
2339 the admin tool to go. For example:</p>
2341 /www/includes_directory/phpgacl/admin/ gacl</p>
2342 <li>
2344 http://yoursite.net/gacl/acl_admin.php will take you to the admin
2345 page. If it doesn't work, make sure your Webserver allows symbolic
2346 links in the website tree.</p>
2347 </OL>
2351 phpGACL in your code. It uses the ADOdb abstraction layer as well,
2352 and shows a simple way to validate a login attempt against a
2353 database.</p>
2357 include basic ACL api</span><br />
2358 <span style="color: #00cccc">include</span>('<span style="color: #008000">phpgacl/gacl.class.php</span>');<br />$<span style="color: #ff6633">gacl</span>
2360 </span>
2361 </p>
2364 = $<span style="color: #ff6633">db</span>-><span style="color: #00cccc">quote</span>($<span style="color: #ff6633">_POST</span>['<span style="color: #008000">username</span>']);<br />$<span style="color: #ff6633">password</span>
2365 = $<span style="color: #ff6633">db</span>-><span style="color: #00cccc">quote</span>(md5($<span style="color: #ff6633">_POST</span>['<span style="color: #008000">password</span>']));<br />$<span style="color: #ff6633">sql</span>
2366 = '<span style="color: #008000">SELECT name FROM users WHERE name=</span>';<br />$<span style="color: #ff6633">sql</span>
2368 password=</span>'.$<span style="color: #ff6633">password</span>;<br />$<span style="color: #ff6633">row</span>
2369 = $<span style="color: #ff6633">db</span>-><span style="color: #00cccc">GetRow</span>($<span style="color: #ff6633">sql</span>);</span>
2370 </p>
2373 <span style="color: #00cccc">if</span>($<span style="color: #ff6633">gacl</span>-><span style="color: #00cccc">acl_check</span>('<span style="color: #008000">system</span>','<span style="color: #008000">login</span>','<span style="color: #008000">user</span>',$<span
2382 </span>
2383 </p>
2385 acl_check() in this code. What does it do? Well, it</p>
2386 <ul>
2387 <li>
2389 ARO section 'user'</p>
2390 <li>
2392 section 'system'.</p>
2393 </ul>
2396 </p>
2399 admin utitlity, it will help you a lot if you run the example.php
2400 file. It contains some ACO, ARO and AXO objects, as well as some ACL
2401 defined using those objects. After running it, you should see some
2402 sample data in the admin interface.<br /><br /><br />
2403 </p>
2404 <p class="western"><img src="manual_html_4b803670.png" name="Graphic5" class="img-responsive" width="531" height="488" /><br style="clear: left;" /><br /><br />
2405 </p>
2407 back and read on...</p>
2412 defined to create an ACL.</p>
2414 available items show in the Access Control Objects list. Click the [
2415 > > ] button to add the Section-ACO to the Selected list. You
2416 may add any number of Section-ACO pairs to this list.</p>
2417 <p class="western"><img src="manual_html_m608b392a.png" name="Graphic9" class="img-responsive" width="531" height="177" /><br style="clear: left;" /><br /><br />
2418 </p>
2420 select from either the Access Request Objects list or from the ARO
2421 Groups list.</p>
2422 <p class="western"><img SRC="manual_html_157037e7.png" name="Graphic10" class="img-responsive" width="531" height="157" /><br style="clear: left;" /><br /><br />
2423 </p>
2425 for this case), provide a brief description in the Note area and then
2427 see your new ACL in the list.</p>
2429 <p class="western"><img src="manual_html_676f8c98.png" name="Graphic7" class="img-responsive" width="518" height="149" /><br style="clear: left;" />A
2430 default install provides you with two ACL sections – 'system'
2431 and 'user'. You would typically put user created ACL's (for example,
2432 those you enter via the admin interface) in the 'user' section and
2433 put ACL's generated by code in the 'system' section. However, you
2434 can use the ACL sections to provide any other logical grouping that
2435 suits your purposes.</p>
2438 return a boolean value. However, you may specify a different value
2439 or evan a string to be returned.
2440 </p>
2443 under a different scheme. You could create a separate ACL for the
2444 default login and for the special use but varying the 'return value'.
2445 If the call to acl_check is successful, you will know the cost of
2446 the login via the return value.</p>
2449 ACL to help remember it's purpose, for example “Basic
2451 <p class="western"><img src="manual_html_m4f4324cb.png" name="Graphic8" class="img-responsive" width="526" height="120" /><br style="clear: left;" /><br /><br />
2452 </p>
2457 <span class="font-small"><dfn>Access Control Object – An action that are requested to be performed.</dfn></span>
2458 </span>
2459 </p>
2465 <span class="font5">Access Request Object – An entity (for example, a user) that is requesting an action to be performed.</span>
2466 </span>
2467 </span></dfn></span>
2468 </span>
2469 </p>
2477 </span>
2478 </span></dfn></span>
2479 </span>
2480 </p>
2485 <span class="font-small">The API documentation is included in the tarball under the /docs/phpdoc/ directory.</span>
2486 </span>
2487 </p>
2492 </span>
2493 </p>
2498 </span>
2499 </p>
2501 </p>
2506 <span class="font-small">Not a problem at all. We've tested up to 100,000 AXO's and 100,000 ARO's on moderate hardware even. The performance issues come down to how well you can cache the ACL's, and how fast your database server is.</span>
2507 </span>
2508 </p>
2509 </div>
2510 </body>
2512 </html>