From 7d9de7d7a9fc0e4535ef599018355f523d9441b9 Mon Sep 17 00:00:00 2001 From: Konrad Windszus Date: Tue, 22 Oct 2024 14:35:57 +0200 Subject: [PATCH] Link custom Oak restrictions in README --- docs/Configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Configuration.md b/docs/Configuration.md index 9aa61f27..b9fb460f 100644 --- a/docs/Configuration.md +++ b/docs/Configuration.md @@ -204,7 +204,7 @@ permission | the permission (either `allow` or `deny`) | yes privileges | the privileges (`jcr:read, rep:write, jcr:all, crx:replicate, jcr:addChildNodes, jcr:lifecycleManagement, jcr:lockManagement, jcr:modifyAccessControl, jcr:modifyProperties, jcr:namespaceManagement, jcr:nodeTypeDefinitionManagement, jcr:nodeTypeManagement, jcr:readAccessControl, jcr:removeChildNodes, jcr:removeNode, jcr:retentionManagement, jcr:versionManagement, jcr:workspaceManagement, jcr:write, rep:privilegeManagement`). References: [Oak Privileges](https://jackrabbit.apache.org/oak/docs/security/privilege/default.html) [JCR Privileges](https://docs.adobe.com/content/docs/en/spec/jcr/2.0/16_Access_Control_Management.html#16.2.3%20Standard%20Privileges) [AEM Privileges](https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/user-group-ac-admin#privileges) | either actions or privileges need to be present; also a mix of both is possible actions | the actions (`read,modify,create,delete,acl_read,acl_edit,replicate`). Usually it is better to directly use privileges since [Java API for CqActions](https://www.adobe.io/experience-manager/reference-materials/6-5/javadoc/com/day/cq/security/util/CqActions.html) is deprecated. Also see documentation for [Actions](https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?lang=en#actions). | either actions or privileges need to be present; also a mix of both is possible repGlob |A [repGlob expression](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Built-in_Restrictions) like "/jcr:*". Please note that repGlobs do not play well together with actions. Use privileges instead (e.g. "jcr:read" instead of read action). See [issue #48](https://github.com/Netcentric/accesscontroltool/issues/48). If the globbing expression starts with an asterisk, it has to be put between quotes. Using `repGlob` is a shortcut for `rep:glob` in sub element `restrictions` | no -restrictions|An associative array of restriction entries. Each entry uses the restriction name as key (e.g. `rep:glob`) and a literal as value. Values for multi-valued restrictions (like e.g. `rep:ntNames`) are also given as YAML string literals with commas separating each value (not using YAML arrays, in line with how isMemberOf is configured). Arbitrary restrictions are supported as long as they are supported by the underlying repository on which the installation takes place (validated before installation starts). For an overview of supported restrictions in different Oak versions see: [Oak Restriction Management](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Built-in_Restrictions). Available from version 1.9.0.| no +restrictions|An associative array of restriction entries. Each entry uses the restriction name as key (e.g. `rep:glob`) and a literal as value. Values for multi-valued restrictions (like e.g. `rep:ntNames`) are also given as YAML string literals with commas separating each value (not using YAML arrays, in line with how isMemberOf is configured). Arbitrary restrictions are supported as long as they are supported by the underlying repository on which the installation takes place (validated before installation starts). For an overview of built-in restrictions in different Oak versions see: [Oak Restriction Management](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Built-in_Restrictions). Additional restrictions are provided by [Sling Oak Restrictions](https://sling.apache.org/documentation/bundles/sling-oak-restrictions.html) and [AEM Advanced Restrictions](https://github.com/IBM/aem-advanced-restrictions). Available from version 1.9.0.| no initialContent | Allows to specify [enhanced docview xml](https://jackrabbit.apache.org/filevault/docview.html) to create the path if it does not exist. The namespaces for jcr, sling and cq are added automatically if not provided to keep xml short. Initial content must only be specified exactly once per path (this is validated). If paths without permissions should be created, it is possible to provide only a path/initialContent tuple. See also [Providing Initial Content](AdvancedFeatures.md#providing-initial-content) | no keepOrder | Defaults to false - use carefully only for special use cases as described in [Use Manual ACL Ordering](AdvancedFeatures.md#use-manual-acl-ordering) | no