...

The API layer will call the APICheckers to see if the user is allowed to invoke this API. PolicyBasedAccessChecker::checkAccess(user, apiName) will check the following:

  • Find all groups the user belongs to: groupIDs = 1

...

  • Find all 'Effective' policies the groups are associated with: policies = 1, 6

...

  • If any policy 'Allows' the startVirtualMachine API, grant permission to make this call: Policy Id 6 and Permission Id 3 allow the API to be invoked for this user.

Entity Access Check

The @ACL annotation invokes the SecurityChecker implementation. PolicyBasedAccessChecker::checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) is invoked for the given user account and VM Id for action 'startVirtualMachine':

  • The PolicyBasedAccessChecker allows 'startVirtualMachine' access to this VM Id if any of the account's policies allows it for this VM.

...

  • In this case, since this is a regular user, access is granted if the user is the owner of the VM.
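
The two checks above, sketched as an added example (not CloudStack's own code): the API check resolves user → groups → effective policies → permissions, and the entity check then requires that a matching permission also covers the specific VM. The class, the `Scope` enum, user id 100, the VM ids and the content of policy 1 are assumptions made for illustration; user and account are treated as one id.

```java
import java.util.*;

// Simplified model of the two checks; not CloudStack's own classes or schema.
public class IamCheckExample {
    enum Scope { OWNED, RESOURCE }   // hypothetical: entities the caller owns / one entity id
    record Permission(long id, String action, Scope scope, Long resourceId) {}
    record Vm(long id, long ownerId) {}

    // Constructed data using the ids from the text: user 100 (hypothetical id) is in
    // group 1, group 1 is attached to policies 1 and 6, permission 3 lives in policy 6.
    static final Map<Long, Set<Long>> USER_GROUPS = Map.of(100L, Set.of(1L));
    static final Map<Long, Set<Long>> GROUP_POLICIES = Map.of(1L, Set.of(1L, 6L));
    static final Map<Long, List<Permission>> POLICY_PERMISSIONS = Map.of(
        1L, List.of(new Permission(1L, "listVirtualMachines", Scope.OWNED, null)), // assumed
        6L, List.of(new Permission(3L, "startVirtualMachine", Scope.OWNED, null)));

    // user -> groups -> effective policies -> permissions; unknown ids resolve to nothing.
    static List<Permission> effectivePermissions(long userId) {
        List<Permission> out = new ArrayList<>();
        for (long g : USER_GROUPS.getOrDefault(userId, Set.of()))
            for (long p : GROUP_POLICIES.getOrDefault(g, Set.of()))
                out.addAll(POLICY_PERMISSIONS.getOrDefault(p, List.of()));
        return out;
    }

    // API access check: granted if any effective policy allows the API, denied otherwise.
    static boolean checkApiAccess(long userId, String apiName) {
        return effectivePermissions(userId).stream().anyMatch(p -> p.action().equals(apiName));
    }

    // Entity access check: the action must also be allowed for this particular VM.
    static boolean checkEntityAccess(long userId, Vm vm, String action) {
        for (Permission p : effectivePermissions(userId)) {
            if (!p.action().equals(action)) continue;
            if (p.scope() == Scope.OWNED && vm.ownerId() == userId) return true;
            if (p.scope() == Scope.RESOURCE && Long.valueOf(vm.id()).equals(p.resourceId())) return true;
        }
        return false; // no matching permission: deny
    }

    public static void main(String[] args) {
        Vm own = new Vm(10L, 100L), other = new Vm(11L, 200L);
        System.out.println(checkApiAccess(100L, "startVirtualMachine"));          // API check
        System.out.println(checkApiAccess(100L, "destroyVirtualMachine"));
        System.out.println(checkEntityAccess(100L, own, "startVirtualMachine"));  // owner
        System.out.println(checkEntityAccess(100L, other, "startVirtualMachine"));
        System.out.println(checkApiAccess(999L, "startVirtualMachine"));          // no groups
    }
}
```

Passing the API check alone does not authorize the call: the same user is refused on a VM owned by another account, and a user with no group membership resolves to no permissions and is denied.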