Permission to execute an extension service operation is controlled by an AclRule contained in the ResourceClassAction.
- an individual user
- a member of a specified organization
- any user whose role includes a specific right
- any resource defined by the service that created the ACL rule
Rights for specific entity types are specified in the following container elements:
- ServiceResourceAccess
- This specification is optional.
- OrganizationAccess
- Access for the organizations. This specification is required.
- PrincipalAccess
- Access control for users, or for any role that includes a specified right. This specification is required.
If the Access element in any of these containers has the value Entity, the container must also include an Entity element that provides a reference to a resource entity, organization, user, or right.
| Container Element | Access | Comments |
|---|---|---|
| ServiceResourceAccess | Shared | The action is authorized for all resources in this resource class |
| Entity | The action is authorized for the service resource referenced in the Entity element in this container. | |
| OrganizationAccess | Shared | The action is authorized for all members of the organization that owns the resource. |
| Published | The action is authorized for all members of any organization in the cloud. | |
| Entity | The action is authorized for members of the organization referenced in the Entity element in this container. | |
| PrincipalAccess | Shared | The action is authorized for all users |
| Entity | The action is authorized for the User referenced in the Entity element in this container, or for any role that includes the Right referenced in the Entity element in this container. |
A ResourceClassAction can include an arbitrary number of AclRule elements. The action is permitted if the user or resource attempting the action matches any rule.
Prerequisites
This operation is restricted to system administrators.
Procedure
Example: Define an ACL Rule for a Resource Class Action
This example adds an ACL rule to the resource class action created in Define an Action for a Resource Class. The rule specifies that all members of a specific organization who have a role that includes a specific right can execute the action.
POST https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268/aclrules
Content-type: application/vnd.vmware.admin.aclRule+xml
<?xml version="1.0" encoding="UTF-8"?>
<vmext:AclRule
xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5"
xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="ACL rule for read backups">
<Description>Only users in org/26 who have right/2 can read backups</Description>
<vmext:ServiceResourceAccess>
<vmext:Access>Shared</vmext:Access>
</vmext:ServiceResourceAccess>
<vmext:OrganizationAccess>
<vmext:Access>Entity</vmext:Access>
<vmext:Entity
xsi:type="vcloud:ResourceReferenceType"
type="application/vnd.vmware.admin.organization+xml"
href="https://vcloud.example.com/api/admin/org/26" />
</vmext:OrganizationAccess>
<vmext:PrincipalAccess>
<vmext:Access>Entity</vmext:Access>
<vmext:Entity
xsi:type="vcloud:ResourceReferenceType"
type="application/vnd.vmware.admin.right+xml"
href="https://vcloud.example.com/api/admin/right/2" />
</vmext:PrincipalAccess>
</vmext:AclRule>
The response contains information supplied in the request, along with several Link elements created by the server.
201 Created
Content-Type: application/vnd.vmware.admin.aclrule+xml
...
<vmext:AclRule
xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5"
xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
name="ACL rule for read backups"
id="urn:vcloud:aclRule:5"
type="application/vnd.vmware.admin.aclRule+xml"
href="https://vcloud.example.com/api/admin/extension/service/aclrule/5">
<Description>Only users in org/26 who have right/2 can read backups</Description><vcloud:Link
<vcloud:Link
rel="remove"
href="https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268" />
...
</vmext:AclRule>
