# security_system

### Detailed Description

As of version 4.50, a security system at object level (SSOL) is available in addition to the existing rights system. It allows a Security Descriptor (SD) to be created for each object; the SD refers to an Access Control List (ACL), which is a list of Access Control Entries (ACEs). Each access control entry defines, for a user or user group, the permissions for changing index data and for changing, deleting and exporting objects.

The DMS executor implements the jobs that process the access structures of this security system. In addition, the job [dms.CheckPermission](../dms.md#dms.CheckPermission) checks the access rights for a specific object independently of the rights system in use.

#### XML Format of Access Control Entries

The list of access control entries is described in XML. The jobs [dms.CreateSD](../dms.md#dms.CreateSD), [dms.ReadSD](../dms.md#dms.ReadSD) and [dms.SetSD](../dms.md#dms.SetSD) use the same XML schema, which can be retrieved via [dms.GetXMLSchema](../dms.md#dms.GetXMLSchema).

**Example — List of Access Control Entries (DMSAccess)**

```xml
<DMSAccess timestamp="" version="4.50">
  <ACL ossd="" object_type="" object_id="">
    <UserACE modify_index="0" modify_object="0" delete_object="0"
             export_object="0" osuid=""/>
    <GroupACE modify_index="0" modify_object="0" delete_object="0"
              export_object="0" osgid=""/>
  </ACL>
</DMSAccess>
```

`<DMSAccess>` attributes:

`timestamp`::
Creation time of the Access Control List (Format: `YYYY-MM-DDTHH:MM:SS`).

`version`::
Product version number.

`<ACL>` attributes:

`ossd` (STRING)::
GUID of the Security Descriptor.

`object_type` (INT)::
Object type.

`object_id` (INT)::
ID of the object instance.

`<UserACE>` or `<GroupACE>` attributes:

`osuid` (STRING)::
GUID of the user (`<UserACE>`).

`osgid` (STRING)::
GUID of the user group (`<GroupACE>`).

`modify_index` (INT)::
Access type "write index data": `0` = not set, `1` = allowed, `2` = forbidden.

`modify_object` (INT)::
Access type "edit object": `0` = not set, `1` = allowed, `2` = forbidden.

`delete_object` (INT)::
Access type "delete object": `0` = not set, `1` = allowed, `2` = forbidden.

`export_object` (INT)::
Access type "export object": `0` = not set, `1` = allowed, `2` = forbidden.
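
The following sketch is an added example, not part of the product or its documentation: it audits a DMSAccess document before it is handed to a job such as dms.SetSD, rejecting ACEs with a missing principal GUID or an access value outside `0`/`1`/`2`, and listing which principals are explicitly allowed a given access type. The function names `audit_dms_access` and `granted` are hypothetical, and the sample document is constructed with placeholder GUIDs and IDs.

```python
import xml.etree.ElementTree as ET

ACCESS_TYPES = ("modify_index", "modify_object", "delete_object", "export_object")
STATE = {"0": "not set", "1": "allowed", "2": "forbidden"}
PRINCIPAL_ATTR = {"UserACE": "osuid", "GroupACE": "osgid"}
# Constructed sample: GUIDs and IDs are placeholders, not real values.
SAMPLE = """<DMSAccess timestamp="2024-01-15T10:30:00" version="4.50">
  <ACL ossd="SD-GUID-PLACEHOLDER" object_type="7" object_id="1234">
    <UserACE modify_index="1" modify_object="1" delete_object="2" export_object="0"
             osuid="USER-GUID-PLACEHOLDER"/>
    <GroupACE modify_index="1" modify_object="0" delete_object="1" export_object="3" osgid=""/>
    <GroupACE modify_index="0" modify_object="0" delete_object="1" export_object="1"
              osgid="GROUP-GUID-PLACEHOLDER"/>
  </ACL>
</DMSAccess>"""

def audit_dms_access(xml_text):
    """Return (entries, problems): decoded valid ACEs and findings for bad ones."""
    root = ET.fromstring(xml_text)
    if root.tag != "DMSAccess":
        raise ValueError("root element is not <DMSAccess>")
    entries, problems = [], []
    for acl in root.iter("ACL"):
        sd = acl.get("ossd", "")
        for ace in acl:
            where = f"SD {sd or '?'} <{ace.tag}>"
            id_attr = PRINCIPAL_ATTR.get(ace.tag)
            if id_attr is None:
                problems.append(f"{where}: unexpected element")
                continue
            principal = ace.get(id_attr, "")
            ok = bool(principal)
            if not ok:
                problems.append(f"{where}: empty or missing {id_attr}")
            rights = {}
            for name in ACCESS_TYPES:
                raw = ace.get(name)
                if raw in STATE:
                    rights[name] = STATE[raw]
                else:  # anything other than 0/1/2 is outside the documented range
                    problems.append(f"{where}: {name}={raw!r} is not 0, 1 or 2")
                    ok = False
            if ok:
                entries.append({"sd": sd, "kind": ace.tag,
                                "principal": principal, "rights": rights})
    return entries, problems

def granted(entries, access_type):
    """Principals whose ACE explicitly sets access_type to 1 (allowed)."""
    return [(e["kind"], e["principal"]) for e in entries
            if e["rights"][access_type] == "allowed"]
```

The result describes individual ACEs only; this page does not define how user and group entries combine, so the effective permission for an object is still the answer returned by dms.CheckPermission.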

#### Glossary

SSOL::
Security System at Object Level.

ACE::
Access Control Entry — contains the allowed or forbidden access types for a user or user group.

ACL::
Access Control List — list of all ACEs associated with an object.

SD::
Security Descriptor — for each object a Security Descriptor can be created, which identifies an ACL. For objects with SD the SSOL applies; for objects without SD the previous rights system at object type level applies.
