...

The API layer will call the APICheckers to see if the user is allowed to invoke this API. The PolicyBasedAccessChecker::checkAccess(user, apiName) will check the following:
- Find all groups the user belongs to: groupIDs = 1
- Find all 'Effective' policies the groups are associated with: policies = 1, 6
- If any policy 'Allows' the startVirtualMachine API, grant permission to make this call: Policy Id 6 and Permission Id 3 allow the API to be invoked for this user.

Entity Access Check

...


The @ACL annotation invokes the SecurityChecker implementation

...

The PolicyBasedAccessChecker::checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) is invoked for the given user account and VM Id for action 'startVirtualMachine'.
- The PolicyBasedAccessChecker allows 'startVirtualMachine' access to this VM Id if any of the account's policies allows it for this VM.
In this case, since this is a regular user, if the user is the owner of the VM, then he is granted access.
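
The API access check and the entity access check described above, as an added example that is not CloudStack's own code: a minimal in-memory model in Java with default deny. The user names, VM ids, ownership map, class and record names, and the simplification that a regular user needs both an allowing policy and ownership of the VM are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: an in-memory model of the two checks, not the project's implementation.
public class PolicyCheckDemo {
    // Hypothetical shapes: a permission names one API and whether it is allowed.
    record Permission(long id, String action, boolean allow) {}
    record Policy(long id, List<Permission> permissions) {}

    // Constructed sample data following the page: the user is in group 1, group 1 maps to
    // policies 1 and 6, and policy 6 holds permission 3 allowing startVirtualMachine.
    static final Map<String, Set<Long>> USER_GROUPS = Map.of("alice", Set.of(1L), "bob", Set.of());
    static final Map<Long, Set<Long>> GROUP_POLICIES = Map.of(1L, Set.of(1L, 6L));
    static final Map<Long, Policy> POLICIES = Map.of(
        1L, new Policy(1, List.of(new Permission(1, "listVirtualMachines", true))),
        6L, new Policy(6, List.of(new Permission(3, "startVirtualMachine", true))));
    static final Map<Long, String> VM_OWNER = Map.of(100L, "alice", 200L, "bob");

    // Steps 1 and 2: groups of the user, then the policies attached to those groups.
    static List<Policy> effectivePolicies(String user) {
        List<Policy> out = new ArrayList<>();
        for (Long g : USER_GROUPS.getOrDefault(user, Set.of()))
            for (Long p : GROUP_POLICIES.getOrDefault(g, Set.of())) {
                Policy policy = POLICIES.get(p);
                if (policy != null) out.add(policy);   // ignore dangling policy ids
            }
        return out;
    }

    // API access check: denied unless some effective policy allows the API.
    static boolean checkAccess(String user, String apiName) {
        return effectivePolicies(user).stream()
            .flatMap(p -> p.permissions().stream())
            .anyMatch(perm -> perm.allow() && perm.action().equals(apiName));
    }

    // Entity access check (assumed rule for a regular user): API allowed and caller owns the VM.
    static boolean checkAccess(String user, long vmId, String action) {
        return checkAccess(user, action) && user.equals(VM_OWNER.get(vmId));
    }

    public static void main(String[] args) {
        System.out.println("alice may call API:   " + checkAccess("alice", "startVirtualMachine"));
        System.out.println("alice on her own VM:  " + checkAccess("alice", 100L, "startVirtualMachine"));
        System.out.println("alice on bob's VM:    " + checkAccess("alice", 200L, "startVirtualMachine"));
        System.out.println("bob (no policies):    " + checkAccess("bob", 200L, "startVirtualMachine"));
    }
}
```

The last two calls show why both layers matter: passing the API check does not grant access to another account's VM, and owning a VM does not help a caller whose groups carry no allowing policy.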