4 — Creating Model Files

[Previous] [Next] [Contents] [Index]

The NetCrusader/Web Authorization Object feature depends on two files: the object definition file and the ACL definition file. This chapter describes the purpose of these files and how to create them. It includes the following sections:

4.1 Overview of Model Files
4.2 Understanding Object Models
4.3 Object Definition File
4.4 Understanding ACL Models
4.5 ACL Definition File
4.6 Next Steps

4.1 Overview of Model Files

Before you begin scripting or coding, you must decide whether you will:

• Use the default object and ACL (Access Control List) models
  
• Define custom object and ACL model
  
• Do both
  

You then create two small text files for each model: the object definition file and the ACL definition file. (These files must exist as a pair; that is, one of each for each model.)

NetCrusader/Web uses these files to build, configure, and set the initial access on the Authorization Object.

The following sections describe what these files are and how to create them. You can view samples of these files in the model subdirectory of the NetCrusader/Web installation directory (for example, C:\Program Files\Gradient\NetCrusader\model) and use these files as templates.

NOTE: Before you start, you need to know the name of the directory in which the NetCrusader/Web Security Adapter is installed so that you can store the model files in the correct directory. You must have write permission to that directory or must have a system administrator store the files in that directory for you once you have created them.

4.2 Understanding Object Models

An object model describes the structure of resources for which access will be authorized. In the NetCrusader/Web Authorization Object environment, the object model describes the structure of objects in a project, application, object, or any virtual system that will use the Authorization Object.

4.2.1 Default and Custom Object Models

You can work with the default object model or define a custom object model, describing objects that exist under the root object. You can define an arbitrarily deep hierarchy of objects. By defining your own object model, you can represent any real or conceptual objects that exist in your web application, and then apply access control to these objects.

4.2.2 Object Model Structure

The object model contains two types of nodes: directories (containers) and objects. These objects may be directory containers themselves or leaf nodes. A leaf node is a node that has no further division (that is, there are no child objects).

Throughout this document we refer to sample applications to illustrate how to use the NetCrusader/Web Authorization Object. The description of the sample application which follows starts to describe the object model structure for the application.

Sample Banking Application

For our banking application we choose to use a custom object model. We define a directory object, under root, named Banking, which contains the leaf node objects Savings, Checking, Money Market, and so on, as illustrated in Figure 4-1.

Figure 4-1: Custom Object Model for Banking Application

This definition of the objects in the banking application is our object model. (We could also define subdirectories to further partition the object model, if desired.) Because we are describing objects under the root, we are defining a custom object model.

4.3 Object Definition File

You use the object definition file to specify a custom object model to be used in your application. If you are using the default object model, you do not need to create this file.

4.3.1 Object Definition File Syntax

The syntax for the object definition file is similar to the XML syntax standard for "well-formed" XML, the simplest form of XML, requiring no DTD. If you are familiar with HTML or XML, the file syntax will look familiar. For example:

• You may enter comments using the open comment (<!--) and close comment (-->) tags. You may place comments anywhere except in the middle of a tag specification.

• The close symbol (/) can be either in the same line as its starting tag (recommended; clearer) or on a different line, as long as the starting tag and close symbol form a pair.

The file begins with a <MODEL> tag and ends with a </MODEL> tag.

You use <OBJ> and <DIR> tags to define object nodes and directory nodes, respectively.

You do not need to specify the root directory. The nodes on the first level are created off the root directory by default.

Tag names are case-insensitive. In the sample files provided with NetCrusader/Web, tag names often appear in uppercase letters to make the tag stand out.

The attribute names within a tag, however, are case-sensitive. For example, in the following example for the sample banking application, the attributes Checking, Savings, and Money Market are case sensitive.

Sample Banking Application Example 1

The object definition file for the banking application introduced in Section 4.2 is as follows:

<MODEL>
   <OBJ Name="Checking"/>
   <OBJ Name="Savings"/>
   <OBJ Name="Money Market"/>
/MODEL>

The <MODEL> tag starts the object model specification block, and </MODEL> ends it.

Sample Banking Application Example 2

<MODEL>
  <DIR Name="Grandparent">
     <!-- This is a comment -->
     <DIR Name="Parent">
         <DIR Name="Child">
           <OBJ Name="Grandchild"/>
         </DIR>
         <OBJ Name="Sibling 1"/>
         <OBJ Name="Sibling 2"/>
    </DIR>
    <OBJ Name="Uncle"/>
    <DIR Name="Aunt">
      <OBJ Name="Cousin"/>
    </DIR>
  </DIR>
</MODEL>

You begin a directory specification with the <DIR> tag and close it with the</DIR> tag. Objects and directories specified between the open and close directory tags are contained within that directory. The object model specified in Example 2 would have a hierarchical structure as shown in Figure 4-2.

Figure 4-2: Object Model Tree for Banking Example 2

4.3.3 Saving the Object Definition File

1. Use a text editor to create your object definition file. See Section 4.3.1 and Section 4.3.2 for general information on creating the file.

2. Save the file as:

   <install_dir>\model\<model_name>\object.txt
   

   The <install_dir> path is where the NetCrusader Security Adapter has been installed. By default this path is C:\Program Files\Gradient\NetCrusader. If you are not the system administrator, you may need to ask where the Security Adapter has been installed. If you do not have permission to write to the installation directory, the system administrator can move the file for you.

   The <model_name> is the name that you provide as the name of your web application when you call the InitModel function. See Chapter 3 for more details on initializing the Authorization Object.

   For example, in our sample banking application, we use Bank as the application name.

3. Using NetCrusader Commander, verify that the objects have been created. If you need help using NetCrusader Commander, see the Commander online help.

NOTE: The object definition file and the ACL definition file must exist as a pair; that is, there must be one of each for each model.

4.4 Understanding ACL Models

The ACL model is the set of permissions associated with a set of objects. For example, read, write, and execute are operations typically associated with files.

NetCrusader security features a default ACL model, which any application can use. The default NetCrusader ACL model applies to all objects by default.The default ACL model automatically gives you the permissions listed in Table 4-1.

Table 4-1: ACL Model Reserved Permissions

Symbol	Name
c	ACL Control
t	ACL Test
I	Inherited ACL
D	Delete Explicit ACL

These four permissions are always available, even when you define a custom model. They are reserved permissions, used by NetCrusader to manage models, that you cannot define in custom models.

The default model also includes the permissions in Table 4-2. These permissions are not available automatically in custom models. That is, if you want to use any of the permissions in this table, you must define them.

Table 4-2: Default ACL Model Automatic Permissions

Symbol	Name
l	List
r	Read
w	Write
x	Execute
T	Traverse (for directories or containers)

4.4.1 Custom ACL Models

In addition to the default ACL model, you can define your own custom ACL models. If you define a custom ACL model, you can define permissions specific to your application.

Custom models replace the default ACL model. If you want to use any of the pre-defined permissions (listed in Table 4-2), you must define them yourself. For example, if you are creating a custom ACL model and want to use r, w, or x, you must define these permissions in your custom model.

When an instance of the Authorization Object is created, it can have only one model associated with it. To use multiple models in your application, create multiple instances of the model.

To create a custom ACL model, you create a text file that defines the permissions for the model as well as the model's scope (portion of the object tree protected by this model).

Sample Banking Application

For example, in our sample banking application, appropriate permissions might include Deposit, Withdraw, Check Balance, Transfer, Create Account, Close Account, Hold Check, and so on.

4.5 ACL Definition File

If you choose to define a custom ACL model, you must create an ACL definition file. The ACL definition file is where you define the set of application-specific actions whose access is to be controlled (permissions) and the default permissions (default rights) granted to a group or individual.

Sample Banking Application

Some examples of application-specific actions for the sample banking application are Deposit, Withdraw, Check Balance, Transfer, Create Account, Close Account, Hold Check, and so on. The groups for our banking application might include customers, tellers, and so on.

4.5.1 When the ACL Definition File is Used

The default permissions are used only the first time that an instance of the object model is created. At that time, a permission store, an area for containing permissions, is created. All subsequent instances of the model use the permission data defined in this already-existing permission store.

The ACL file is not used again unless you delete the permission store (the ACL database). Any edits you make to the ACL change the ACL database.

4.5.2 ACL Definition File Syntax

Like the syntax for the object definition file, the syntax for the ACL definition file follows the XML syntax standard for "well-formed" XML, the simplest form of XML, requiring no DTD (Section 4.3.1 on page 45).

Any line whose leading character is not < is treated as a comment line. You cannot break lines.

4.5.3 Structure of the ACL Definition File

The ACL file starts with a <ACLModel> tag and ends with an </ACLModel> tag. It contains two blocks: one for defining the permission set (<PERMS>) and one for defining the default ACL model (<DEFAULT>).

Sample Banking Application Example 3

The following is an example of the ACL definition file for the sample banking application.

<ACLModel>

<PERMS>

   <perm syb='a' name="Add Account" />
   <perm syb='x' name="Delete Account" />
   <perm syb='d' name="Deposit" />
   <perm syb='w' name="Withdrawl" />
   <perm syb='v' name="View Account" />

This is a comment line

</PERMS>

<DEFAULT>

   <defAcl type="group" id="wccs-admin" permissions="ct" />
   <defAcl type="group" id="service" permissions="axdwv" />
   <defAcl type="group" id="teller" permissions="dwv" />
   <defAcl type="group" id="customer" permissions="v" />
   <defAcl type="unauthenticated" />
   <defAcl type="any_other" />

</DEFAULT>

</ACLModel>

In the <PERMS> block:

• The <PERM> tag begins the permission definition section.

• The syb attribute associates a one-character symbol with a permission type.

• The name attribute gives a meaningful description to the permission type.

For example, the following line associates the one-character abbreviation "a" with the permission for adding an account.

<perm syb='a' name="Add Account" />

The name attribute is the string that appears in the NetCrusader Management tool, and can be empty, but this is not recommended.

The valid permissions are a-z and A-Z. However, four permissions are reserved by the underlying authorization library (see Table 4-1 on page 48). These permissions are automatically created in every model. Do not use the symbols (one-character abbreviations) of these permissions for your custom permissions.

4.5.3.2 The <default> Block

NOTE: The groups and users you specify the <DEFAULT> block of the ACL Definition File must already exist prior to initializing the model for the first time.

In the <DEFAULT> block:

• The <defAcl> tag defines the default ACL.

• The type attribute, which is mandatory, indicates the type of role for which permissions are being defined. Valid types are group, user, foreign_user, foreign_group, foreign, unauthenticated, and any_other. (The type any_other means "none of the above" or "all else.")

• The id attribute indicates which entity's permissions are being defined. For example, if the ACL type is user, this field would specify the user name. With entries where this field is unnecessary (for example, unauthenticated) you may specify the attribute as an empty string ("") or omit the id attribute

• The permissions attribute sets the permissions. It is a concatenation of the single character symbols of each of the permissions being granted by default to the role whose permissions you are defining. If you specify an empty string ("") or if you omit this attribute, no permissions will be granted to this default type.

For example, the following line gives the service group a, x, d, w, and v permissions:

  <DEFACL Type="group" Id="service" Permissions="axdwv" />

When you specify the <DEFAULT> block, you must include a line that assigns the reserved permissions to the principal or group with administrative privileges. For example, the following line assigns the ACL control (c) and ACL test (t) permissions to the wccs-admin group.

 <defAcl type="group" id="wccs-admin" permissions="ct" />

NOTE: At least one user must always have control (c) and ACL test (t) permission. If the only user with these permissions is deleted, you will not be able to edit ACLs.

4.5.4 Creating the ACL Definition File

1. Use a text editor to create your ACL definition file. See Section 4.5.2 and Section 4.5.3 for general information on creating the file.

2. Save the file as:

   <install_dir>\model\<Model Name>\acl.txt
   

   The <install_dir> path is where the NetCrusader Security Adapter has been installed. By default this path is C:\Program Files\Gradient\NetCrusader

   If you are not the system administrator, you may need to ask where the Security Adapter has been installed. If you do not have permission to write to the installation directory, the system administrator can move the file for you.

   The <Model Name> is the name of your model. This is the name that you provide as the name of your web application when you call the InitModel function. See Chapter 3 for more details on initializing the Authorization Object.

Tags that are not block tags (for example, <perm> and <defAcl> in the Model Definition File) have a closing character ("/") and must be in a single line.

NOTE: The object definition file and the ACL definition file must exist as a pair; that is, there must be one of each for each model.

Sample Banking Application

In our sample banking application, we use Bank as the application name. We would save the file as:

<install_dir>\model\Bank\acl.txt

After creating the object definition file and ACL model file (if required), you are ready to develop your application. Chapter 2 describes this process.

[Previous] [Next] [Contents] [Index]

To make comments or ask for help, contact support@entegrity.com.

Copyright © 2000-2002 Entegrity Solutions Corporation & its subsidiaries