Skip to content

Commit

Permalink
Link custom Oak restrictions in README
Browse files Browse the repository at this point in the history
  • Loading branch information
kwin authored Oct 22, 2024
1 parent df9c737 commit d210929
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/Configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -204,7 +204,7 @@ permission | the permission (either `allow` or `deny`) | yes
privileges | the privileges (`jcr:read, rep:write, jcr:all, crx:replicate, jcr:addChildNodes, jcr:lifecycleManagement, jcr:lockManagement, jcr:modifyAccessControl, jcr:modifyProperties, jcr:namespaceManagement, jcr:nodeTypeDefinitionManagement, jcr:nodeTypeManagement, jcr:readAccessControl, jcr:removeChildNodes, jcr:removeNode, jcr:retentionManagement, jcr:versionManagement, jcr:workspaceManagement, jcr:write, rep:privilegeManagement`). References: [Oak Privileges](https://jackrabbit.apache.org/oak/docs/security/privilege/default.html) [JCR Privileges](https://docs.adobe.com/content/docs/en/spec/jcr/2.0/16_Access_Control_Management.html#16.2.3%20Standard%20Privileges) [AEM Privileges](https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/user-group-ac-admin#privileges) | either actions or privileges need to be present; also a mix of both is possible
actions | the actions (`read,modify,create,delete,acl_read,acl_edit,replicate`). Usually it is better to directly use privileges since [Java API for CqActions](https://www.adobe.io/experience-manager/reference-materials/6-5/javadoc/com/day/cq/security/util/CqActions.html) is deprecated. Also see documentation for [Actions](https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security.html?lang=en#actions). | either actions or privileges need to be present; also a mix of both is possible
repGlob |A [repGlob expression](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Built-in_Restrictions) like "/jcr:*". Please note that repGlobs do not play well together with actions. Use privileges instead (e.g. "jcr:read" instead of read action). See [issue #48](https://github.com/Netcentric/accesscontroltool/issues/48). If the globbing expression starts with an asterisk, it has to be put between quotes. Using `repGlob` is a shortcut for `rep:glob` in sub element `restrictions` | no
restrictions|An associative array of restriction entries. Each entry uses the restriction name as key (e.g. `rep:glob`) and a literal as value. Values for multi-valued restrictions (like e.g. `rep:ntNames`) are also given as YAML string literals with commas separating each value (not using YAML arrays, in line with how isMemberOf is configured). Arbitrary restrictions are supported as long as they are supported by the underlying repository on which the installation takes place (validated before installation starts). For an overview of supported restrictions in different Oak versions see: [Oak Restriction Management](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Built-in_Restrictions). Available from version 1.9.0.| no
restrictions|An associative array of restriction entries. Each entry uses the restriction name as key (e.g. `rep:glob`) and a literal as value. Values for multi-valued restrictions (like e.g. `rep:ntNames`) are also given as YAML string literals with commas separating each value (not using YAML arrays, in line with how isMemberOf is configured). Arbitrary restrictions are supported as long as they are supported by the underlying repository on which the installation takes place (validated before installation starts). For an overview of built-in restrictions in different Oak versions see: [Oak Restriction Management](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Built-in_Restrictions). Additional restrictions are provided by [Sling Oak Restrictions](https://sling.apache.org/documentation/bundles/sling-oak-restrictions.html) and [AEM Advanced Restrictions](https://github.com/IBM/aem-advanced-restrictions). Available from version 1.9.0.| no
initialContent | Allows to specify [enhanced docview xml](https://jackrabbit.apache.org/filevault/docview.html) to create the path if it does not exist. The namespaces for jcr, sling and cq are added automatically if not provided to keep xml short. Initial content must only be specified exactly once per path (this is validated). If paths without permissions should be created, it is possible to provide only a path/initialContent tuple. See also [Providing Initial Content](AdvancedFeatures.md#providing-initial-content) | no
keepOrder | Defaults to false - use carefully only for special use cases as described in [Use Manual ACL Ordering](AdvancedFeatures.md#use-manual-acl-ordering) | no

Expand Down

0 comments on commit d210929

Please sign in to comment.