Define an ACL Rule for a Resource Class Action

Permission to execute an extension service operation is controlled by an AclRule contained in the ResourceClassAction.

An ACL rule specifies the access controls that apply to a ResourceClassAction. Access controls can be defined for any of the following principals:

■	an individual user
■	a member of a specified organization
■	any user whose role includes a specific right
■	any resource defined by the service that created the ACL rule

Rights for specific entity types are specified in the following container elements:

ServiceResourceAccess	This specification is optional.
OrganizationAccess	Access for the organizations. This specification is required.
PrincipalAccess	Access control for users, or for any role that includes a specified right. This specification is required.

If the Access element in any of these containers has the value Entity, the container must also include an Entity element that provides a reference to a resource entity, organization, user, or right.

ACL Rules
Container Element	Access	Comments
ServiceResourceAccess	Shared	The action is authorized for all resources in this resource class
ServiceResourceAccess	Entity	The action is authorized for the service resource referenced in the Entity element in this container.
OrganizationAccess	Shared	The action is authorized for all members of the organization that owns the resource.
	Published	The action is authorized for all members of any organization in the cloud.
	Entity	The action is authorized for members of the organization referenced in the Entity element in this container.
PrincipalAccess	Shared	The action is authorized for all users
PrincipalAccess	Entity	The action is authorized for the User referenced in the Entity element in this container, or for any role that includes the Right referenced in the Entity element in this container.

A ResourceClassAction can include an arbitrary number of AclRule elements. The action is permitted if the user or resource attempting the action matches any rule.

Prerequisites

This operation is restricted to system administrators.

Procedure

1	Retrieve the XML representation of the resource class action. This request retrieves the XML representation of the resource class action created in Example: Define an Action for a Resource Class: GET https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268
2	Examine the response to find the Link for specifying ACL rules for the resource class action. This Link has the following form: <vcloud:Link rel="add" type="application/vnd.vmware.vcloud.query.aclRule+xml" href="https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268/aclrules" />
3	Construct an AclRule element. See the request portion of Example: Define an ACL Rule for a Resource Class Action for information about the contents of this element.
4	POST the AclRule element to the URL described in Step 2.

Example: Define an ACL Rule for a Resource Class Action

This example adds an ACL rule to the resource class action created in Example: Define an Action for a Resource Class. The rule specifies that all members of a specific organization who have a role that includes a specific right can execute the action.

Request:

POST https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268/aclrules
Content-type: application/vnd.vmware.admin.aclRule+xml
<?xml version="1.0" encoding="UTF-8"?>
<vmext:AclRule
   xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5"
   xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   name="ACL rule for read backups">
   <Description>Only users in org/26 who have right/2 can read backups</Description>
   <vmext:ServiceResourceAccess>
      <vmext:Access>Shared</vmext:Access>
   </vmext:ServiceResourceAccess>
   <vmext:OrganizationAccess>
      <vmext:Access>Entity</vmext:Access>
      <vmext:Entity
         xsi:type="vcloud:ResourceReferenceType"
         type="application/vnd.vmware.admin.organization+xml"
         href="https://vcloud.example.com/api/admin/org/26" />
   </vmext:OrganizationAccess>
   <vmext:PrincipalAccess>
      <vmext:Access>Entity</vmext:Access>
      <vmext:Entity
         xsi:type="vcloud:ResourceReferenceType"
         type="application/vnd.vmware.admin.right+xml"
         href="https://vcloud.example.com/api/admin/right/2" />
   </vmext:PrincipalAccess>
</vmext:AclRule>

The response contains information supplied in the request, along with several Link elements created by the server.

Response:

201 Created
Content-Type: application/vnd.vmware.admin.aclrule+xml
...
<vmext:AclRule
   xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5"
   xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
   name="ACL rule for read backups"
   id="urn:vcloud:aclRule:5"
   type="application/vnd.vmware.admin.aclRule+xml"
   href="https://vcloud.example.com/api/admin/extension/service/aclrule/5">
   <Description>Only users in org/26 who have right/2 can read backups</Description><vcloud:Link
    <vcloud:Link
      rel="remove"
      href="https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268" />
   ...
</vmext:AclRule>