...
Example:
DeployVMCmd
...
This is a create API
...
: Add @ACL(accessType = AccessType.UseEntry access for all entities like template, network
Start/Stop/Reboot/Destroy/AttachXXXTOVM :
...
These are the update/delete APIs
...
. Add @ACL(accessType = AccessType.OperateEntry) access for VM ID parameter that identifies the VM entity being operated on
CS Service layer logic uses "accountManager.checkAccess" to invoke the SecurityCheckers to do access control. Instead, one should try to use @ACL annotation on the API parameters that have to be checked for access.
This will help to funnel the calls to the IAM Service at API layer itself without invoking any service layer logic.
But in some cases, you may need to still add such checks at Service layer. (example, when the entity you want to check access for is not exposed in the API cmd as a parameter)
...