Page History

...

• create APIs : one needs @ACL(accessType = AccessType.UseEntry) on all the entities required to be used for creating the desired new entity
• update/delete APIs: These modify or operate on an entity and change its state. @ACL(accessType = AccessType.OperateEntry) should be used in these APIs on the parameter that identifies the main entity being modified.

Example:

DeployVMCmd 

...

This is a create API

...

:  Add @ACL(accessType = AccessType.UseEntry access for all entities like template, network

Start/Stop/Reboot/Destroy/AttachXXXTOVM :

...

  These are the update/delete APIs

...

.  Add @ACL(accessType = AccessType.OperateEntry) access for VM ID parameter that identifies the VM entity being operated on

IAM At Service Layer:

CS Service layer logic uses  "accountManager.checkAccess" to invoke the SecurityCheckers to do access control. Instead, one should try to use @ACL annotation on the API parameters that have to be checked for access.

This will help to funnel the calls to the IAM Service at API layer itself without invoking any service layer logic. 

But in some cases, you may need to still add such checks at Service layer. (example, when the entity you want to check access for is not exposed in the API cmd as a parameter)

...