Identities for policies and rolemaps

In a policy or rolemap, you specify one or more principals.

The following kinds of principals are supported:
  • User
  • Group
  • Role (granted permission in a policy, mapped to other principal kinds in a rolemap)
  • Everyone
  • Owner-user
  • Owner-group

All kinds of principals except Role may appear on the right-hand side of a role mapping. Roles do not nest: a rolemap cannot map a role to another role, so every role resolves directly to users, groups, Everyone, Owner-User or Owner-Group.

For users and groups, only identities from the VOB server's domain are accepted: you cannot specify a user or group from another domain. A group principal can be any group defined by the operating system of the VOB server; it is not limited to the VOB's primary group or its supplementary group list.

The Owner-User and Owner-Group principal kinds are interpreted relative to the controlled object rather than naming a fixed identity. For example, if the effective ACL from the rolemap attached to an element grants Owner-User some permission, the account that owns that element is granted it; if the ACL grants Owner-Group some permission, every account that is a member of that element's group is granted it. The same rolemap therefore yields different effective rights on elements with different owners.
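As an added illustration (not ClearCase's own code or data structures), the following Python model shows how the rules above combine: a policy grants permissions to roles, a rolemap maps each role to principals, a mapping whose right-hand side is a role or a foreign-domain identity is rejected, and the Owner-User and Owner-Group principals are resolved against the controlled object's owner and group. The principal kind names are the ones listed on this page; the domain constant, the sample policy, rolemap, element and accounts are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Principal kinds from the page. The domain constant and all sample data
# below are constructed for this illustration.
USER, GROUP, ROLE, EVERYONE, OWNER_USER, OWNER_GROUP = (
    "User", "Group", "Role", "Everyone", "Owner-User", "Owner-Group")

VOB_DOMAIN = "corp"  # constructed: the VOB server's domain


@dataclass(frozen=True)
class Principal:
    kind: str
    name: str = ""      # user, group or role name; unused for Everyone/Owner-*
    domain: str = ""    # only meaningful for User and Group


@dataclass(frozen=True)
class Account:
    user: str
    groups: frozenset   # OS group memberships in the VOB server's domain


@dataclass(frozen=True)
class ControlledObject:
    owner_user: str
    owner_group: str


def validate_principal(p: Principal) -> str | None:
    """Users and groups must come from the VOB server's domain."""
    if p.kind in (USER, GROUP) and p.domain != VOB_DOMAIN:
        return f"{p.kind} {p.domain}\\{p.name} is not in domain {VOB_DOMAIN}"
    return None


def validate_rolemap(rolemap: dict[str, list[Principal]]) -> list[str]:
    """Return every violation: nested roles and foreign-domain identities."""
    errors = []
    for role, principals in rolemap.items():
        for p in principals:
            if p.kind == ROLE:
                errors.append(f"role {role!r} maps to role {p.name!r}: roles do not nest")
            elif (err := validate_principal(p)) is not None:
                errors.append(f"role {role!r}: {err}")
    return errors


def matches(p: Principal, account: Account, obj: ControlledObject) -> bool:
    """Does this principal cover this account, relative to the object?"""
    if p.kind == EVERYONE:
        return True
    if p.kind == USER:
        return p.name == account.user
    if p.kind == GROUP:
        return p.name in account.groups
    if p.kind == OWNER_USER:        # resolved against the object, not a fixed name
        return account.user == obj.owner_user
    if p.kind == OWNER_GROUP:
        return obj.owner_group in account.groups
    return False


def effective_permissions(policy, rolemap, obj, account) -> frozenset:
    """Union of the permissions of every role the account is mapped into."""
    errors = validate_rolemap(rolemap)
    if errors:
        raise ValueError("; ".join(errors))
    granted = set()
    for role, principals in rolemap.items():
        if any(matches(p, account, obj) for p in principals):
            granted |= policy.get(role, frozenset())
    return frozenset(granted)


# Constructed sample data: a policy grants permissions to roles, a rolemap
# maps roles to principals, and one element has an owner user and group.
POLICY = {
    "reader": frozenset({"read"}),
    "writer": frozenset({"read", "write"}),
    "admin":  frozenset({"read", "write", "chmod"}),
}
ROLEMAP = {
    "reader": [Principal(EVERYONE)],
    "writer": [Principal(OWNER_USER), Principal(OWNER_GROUP)],
    "admin":  [Principal(USER, "alice", VOB_DOMAIN),
               Principal(GROUP, "ccadmins", VOB_DOMAIN)],
}
ELEMENT = ControlledObject(owner_user="bob", owner_group="devs")

# Constructed invalid rolemap: a role on the right-hand side, and a user
# from a domain other than the VOB server's.
BAD_ROLEMAP = {
    "writer": [Principal(ROLE, "admin")],
    "reader": [Principal(USER, "eve", "otherdomain")],
}


def permissions_for(user: str, groups) -> frozenset:
    return effective_permissions(POLICY, ROLEMAP, ELEMENT, Account(user, frozenset(groups)))


if __name__ == "__main__":
    for user, groups in (("carol", {"devs"}), ("dave", {"qa"}),
                         ("bob", {"qa"}), ("alice", {"qa"})):
        print(user, sorted(permissions_for(user, groups)))
    print(validate_rolemap(BAD_ROLEMAP))
```

Running it shows the owner-relative behaviour: carol gets write access only because she belongs to the element's group, bob gets it because he owns the element, dave gets nothing beyond the Everyone grant, and alice reaches the admin role through her User mapping. The two entries in the invalid rolemap are reported rather than silently accepted, which is the behaviour a practitioner should expect when a role is mapped to a role or to an identity outside the VOB server's domain.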

User and Group principals are stored in the VOB database as the underlying operating-system identity (UID/GID on Linux, SID on Windows), not as names. The identities are converted to and from text whenever they are displayed, edited, or modified. For interoperation between Windows and Linux, a client shows users and groups mapped from the VOB server's namespace into the client's own namespace, so the same stored identity may display under different names on different platforms.