Once clients have established a session with a Universal Messaging Realm server, and they have successfully been authenticated and the subject has the correct user entitlements, in order to perform operations on service objects, the correct entitlements must be granted to the subject on the required services. Each service has an associated ACL that contains a list of subjects and a set of privileges the subject is given for operations on the service.
Using the Enterprise Manager, one can add to, remove or modify entries within the service ACL.
To view a service ACL, click on a service node within the namespace of the Enterprise Manager, and select the 'ACL' tab. This will display the service ACL and the list of subjects and their associated permissions for the service. The following image displays and example of a service acl.
As you can see above, the service ACL has a number of subject entries and operations that each subject is able to perform on the service. The operations that can be performed on a service are described below in the order in which they appear in the acl panel above:
Manage ACL - Allows the subject to get a list of ACL entries
Full - Has complete access to the secured object
Connect - Can access this service
The green check icon shows that a subject is permitted to perform the operation. For example, the subject *@* is shown as not having any permissions for this service. This means that any client who has successfully established a session will not be allowed to connect to the p2p service unless the subject exists in the ACL.
In order to modify the permissions for a subject, you simply need to click on the cell in the ACL table for the subject and the operation you wish to modify permissions for. For example, if I wanted to allow any client to connect to this service I would simply click on the *@* row at the column labelled 'connect'. This would turn the cell from blank to a green check icon. This would also ensure that only those subjects listed in the ACL and with sufficient privileges, would be able to connect to the service.
After making any changes, you then need to click on the 'Apply' button which will notify the Realm Server of the ACL change for that service.
Any ACL changes that are made by other Enterprise Manager users, or from any programs using the Universal Messaging Admin API to modify ACLs will be received by all other Enterprise Managers. This is because ACL changes are automatically sent to all Universal Messaging Admin API clients, the Enterprise Manager being one of those clients.