ACL Entries
An ACL consists of ACL entries. An ACL entry consists of a subject and an action.
This topic explains how to update an ACL by configuring ACL entries.
Class structure of an ACL entry
The following diagram illustrates the structure of the classes used for processing an ACL entry with the Kii Cloud SDK.
Subject and action
An ACL entry consists of a subject and an action.
Subject
A subject defines "to whom" the permission is to be granted.
The subject can be one of the following:
Any existing user.
Any existing group.
Any existing thing.
Any authenticated user (any user who is logged in and any thing that presents its access token).
Anonymous users (any user or thing, with or without an access token).
The "any authenticated user" and "anonymous users" entities can be used only as the subject of an ACL entry; you cannot specify them in other contexts (e.g. login). The KiiAnyAuthenticatedUser and KiiAnonymousUser classes in the client SDKs are related only to KiiSubject (they have no relationship with KiiUser).
Action
An action defines "which action" the permission allows to the subject.
The table below lists the actions for ACL entries. The action names vary depending on the SDK, but their meaning is the same. The names listed in this table are the ones used with the REST APIs.

| Target | Action | Description |
|---|---|---|
| Scope | CREATE_NEW_BUCKET | Create buckets in the scope. |
| Scope | CREATE_NEW_TOPIC | Create topics in the scope. |
| Bucket | CREATE_OBJECTS_IN_BUCKET | Create KiiObjects in the bucket. |
| Bucket | QUERY_OBJECTS_IN_BUCKET | Query KiiObjects in the bucket. |
| Bucket | READ_OBJECTS_IN_BUCKET | Read KiiObjects in the bucket. |
| Bucket | DROP_BUCKET_WITH_ALL_CONTENT | Drop the bucket together with the KiiObjects in it. |
| KiiObject | READ_EXISTING_OBJECT | Read the KiiObject. |
| KiiObject | WRITE_EXISTING_OBJECT | Update and delete the KiiObject. |
| Topic | SUBSCRIBE_TO_TOPIC | Subscribe to the topic. |
| Topic | SEND_MESSAGE_TO_TOPIC | Send push messages to the topic. |

The class diagram above does not include a class for the scope actions because only the REST APIs can modify the scope ACL.
A bucket, a KiiObject, and a topic each have a different set of actions. BucketAction, ObjectAction, and TopicAction represent the actions available on a bucket, a KiiObject, and a topic, respectively.
Change request for an ACL
In order to update an ACL, you create new and/or changed ACL entries on the client and send a change request to Kii Cloud.
For example, suppose that a KiiObject on the server has four ACL entries and you need to delete Bob's write permission and add Charlie's read permission.
The `KiiACLEntry` class of the Kii Cloud SDK has a boolean value `grant` as a parameter in addition to a subject and an action. `grant` specifies whether the permission should be granted or revoked.
On the client, create an ACL entry with `grant=true` for the permission to be granted and another ACL entry with `grant=false` for the permission to be revoked. Send the created ACL entries to the server to update the KiiObject's ACL.
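The model below is an added example, not Kii Cloud SDK code: it reproduces in plain Python the semantics this topic describes, both the subject resolution from the "Subject" section (a requester matches its own user or thing entry, its group entries, the any-authenticated pseudo-subject when it has an access token, and the anonymous pseudo-subject always) and the change-request flow from this section (a list of entries with `grant=true`/`grant=false` applied against the four entries the server already holds). The `Subject`, `ACLEntry`, `ObjectACL`, `Requester` and `is_permitted` names, and the user ids alice, bob and charlie, are assumptions made for the example; only the action names come from the table above.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, Optional, Set, Tuple


class ObjectAction(Enum):
    """KiiObject actions, using the REST API names from the table above."""
    READ_EXISTING_OBJECT = "READ_EXISTING_OBJECT"
    WRITE_EXISTING_OBJECT = "WRITE_EXISTING_OBJECT"


@dataclass(frozen=True)
class Subject:
    """'To whom' a permission applies. kind is one of user, group, thing,
    any_authenticated, anonymous; id is empty for the two pseudo-subjects."""
    kind: str
    id: str = ""


ANY_AUTHENTICATED = Subject("any_authenticated")   # usable only as an ACL subject
ANONYMOUS = Subject("anonymous")                   # usable only as an ACL subject


@dataclass(frozen=True)
class ACLEntry:
    """One client-side change: grant=True adds the permission, grant=False revokes it."""
    subject: Subject
    action: ObjectAction
    grant: bool = True


@dataclass
class ObjectACL:
    """Server-side ACL state: the set of (subject, action) pairs currently granted."""
    granted: Set[Tuple[Subject, ObjectAction]] = field(default_factory=set)

    def apply_change_request(self, changes: Iterable[ACLEntry]) -> "ObjectACL":
        for entry in changes:
            key = (entry.subject, entry.action)
            if entry.grant:
                self.granted.add(key)
            else:
                self.granted.discard(key)   # revoking an absent permission is a no-op
        return self


@dataclass(frozen=True)
class Requester:
    """Who is asking: a user or thing Subject with a valid token, or None when anonymous."""
    principal: Optional[Subject] = None
    groups: frozenset = frozenset()


def is_permitted(acl: ObjectACL, requester: Requester, action: ObjectAction) -> bool:
    """Expand the requester into every subject it matches, then look each one up.
    Anonymous matches everybody; any_authenticated matches only a requester that
    presented an access token; user/thing/group entries match by id."""
    candidates = [ANONYMOUS]
    if requester.principal is not None:
        candidates.append(ANY_AUTHENTICATED)
        candidates.append(requester.principal)
        candidates.extend(Subject("group", g) for g in requester.groups)
    return any((s, action) in acl.granted for s in candidates)


def worked_example() -> ObjectACL:
    """The scenario from the text: four existing entries (constructed sample data),
    then one change request revoking Bob's write and granting Charlie's read."""
    alice, bob, charlie = Subject("user", "alice"), Subject("user", "bob"), Subject("user", "charlie")
    acl = ObjectACL({
        (alice, ObjectAction.READ_EXISTING_OBJECT),
        (alice, ObjectAction.WRITE_EXISTING_OBJECT),
        (bob, ObjectAction.READ_EXISTING_OBJECT),
        (bob, ObjectAction.WRITE_EXISTING_OBJECT),
    })
    change_request = [
        ACLEntry(bob, ObjectAction.WRITE_EXISTING_OBJECT, grant=False),
        ACLEntry(charlie, ObjectAction.READ_EXISTING_OBJECT, grant=True),
    ]
    return acl.apply_change_request(change_request)


if __name__ == "__main__":
    acl = worked_example()
    for name in ("alice", "bob", "charlie"):
        r = Requester(Subject("user", name))
        print(name, "read:", is_permitted(acl, r, ObjectAction.READ_EXISTING_OBJECT),
              "write:", is_permitted(acl, r, ObjectAction.WRITE_EXISTING_OBJECT))
    print("anonymous read:", is_permitted(acl, Requester(), ObjectAction.READ_EXISTING_OBJECT))
```

Two points the model makes visible: a change request is a delta, so unrelated entries (Alice's, Bob's read) survive untouched and revoking something that was never granted changes nothing; and because the anonymous pseudo-subject is always in the candidate list, a single `grant=true` entry for it opens the object to requests without any token, which is the entry to look for first when auditing an ACL.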
Updating an ACL in the developer portal
You can customize only a bucket's ACL in the developer portal.
For more information, see Changing an existing bucket's ACL.