13.3. ACL Roles

⁠13.3. ACL Roles

An ACL role is a collection of permissions allowing or denying access to particular portions of the CIB.

Table 13.1. Properties of an ACL Role

Attribute	Description
`id`	A unique name for the role (required)
`description`	Arbitrary text (not used by Pacemaker)

An acl_role element may contain any number of acl_permission elements.

Table 13.2. Properties of an ACL Permission

Attribute	Description
`id`	A unique name for the permission (required)
`description`	Arbitrary text (not used by Pacemaker)
`kind`	The access being granted. Allowed values are `read`, `write`, and `deny`. A value of `write` grants both read and write access.
`object-type`	The name of an XML element in the CIB to which the permission applies. (Exactly one of `object-type`, `xpath`, and `reference` must be specified for a permission.)
`attribute`	If specified, the permission applies only to `object-type` elements that have this attribute set (to any value). If not specified, the permission applies to all `object-type` elements. May only be used with `object-type`.
`reference`	The ID of an XML element in the CIB to which the permission applies. (Exactly one of `object-type`, `xpath`, and `reference` must be specified for a permission.)
`xpath`	An XPath specification selecting an XML element in the CIB to which the permission applies. Attributes may be specified in the XPath to select particular elements, but the permissions apply to the entire element. (Exactly one of `object-type`, `xpath`, and `reference` must be specified for a permission.)

Important

Permissions are applied to the selected XML element’s entire XML subtree (all elements enclosed within it).
Write permission grants the ability to create, modify, or remove the element and its subtree, and also the ability to create any "scaffolding" elements (enclosing elements that do not have attributes other than an ID).
Permissions for more specific matches (more deeply nested elements) take precedence over more general ones.
If multiple permissions are configured for the same match (for example, in different roles applied to the same user), any deny permission takes precedence, then write, then lastly read.