In OpenGroupware the ACLs applied to an object are stored in the "
object_acl" table. If, for example, I want to add the list, view, read, write, and administer privileges for the team 11,530 for object 1,6829,810 the correct SQL to execute is:
INSERT INTO object_acl
(object_acl_id, sort_key, action, object_id, auth_id, permissions)
VALUES (nextval('key_generator'), 0, 'allowed', 16829810, 11530, 'lvrwa')
The important points are:
- Use the "key_generator" sequence to assign the "object_acl_id" value. This is the object id of the ACL itself; all object ids are assigned from the key_generator sequence.
- The value of "sort_key" is always 0. This value isn't actually used for anything.
- The value of "action" must be either "allowed" or "denied". In most cases "allowed" is what you want in order to grant access.
- "object_id" is the object id of the object to which the ACL is applied in contrast to "auth_id" is the context to which the privileges, specified in "permissions", are either granted [if "action" is "allowed"] or revoked [if "action" is "denied"]. The value of "auth_id" should be the object id of an account or a team.
- The permissions string is always lower case. Permission flags are documented in WMOGAG.
The ACLs in "
object_acl" are the primary access control mechanism for all entities excepting Projects and Appointments.
