Authorization
The access control of LumisXP is based on ACLs (Access Control Lists). An ACL is the set of permissions for an object that is associated with a principal (user or group). A principal can be assigned one or more permissions of an object.
Even in scenarios of authentication integrated with other repositories (such as LDAP), Lumis needs to maintain a representation of users and groups, so that it can control user access to the different elements of the portal, such as channels, pages, and services.
The objects that can have an ACL are: Portal, Channel, Group, Page, Service, and Service Instance. Each of these has its own ACL.
Example:
In the ACL of the Service object, the following permissions exist:
- Manage service security,
- Manage service and
- Create Service Instance.
The user “Administrator” can be assigned the permission Manage service security, which consequently implies the other two permissions.
The group “Developers” can be assigned the permission Create Service Instance.
Allow or Deny
It is possible to allow or deny a permission to a principal. Denying a permission takes precedence over allowing it.
For example:
The user “Pedro” belongs to the group “Authors”. In the ACL of “Channel A”, the principal “Pedro” is allowed Manage Page, while the same permission is denied to the group “Authors”. Since “Pedro” is in the group “Authors”, this permission is denied to him as well.
The option to deny a permission is typically used when inheritance between objects is enabled and some of the inherited permissions should be denied locally.
Inheritance
An object can inherit the access configuration from another object, according to the hierarchy between them. The ACL inherited from the parent object can be modified in the local ACL. The hierarchy between the objects of the LumisXP Server is shown below.
A channel can contain one or more channels. In this case, the child channel may inherit the access control from the parent channel.
Permissions
Each portal object has its own set of permissions, viewed in its access control. Some permissions, when granted, imply other permissions. Refer to the access control documentation of each object to view its permissions.
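The three rules described on this page (deny takes precedence over allow for any principal the user belongs to, a child object inherits its parent's ACL unless inheritance is disabled, and a granted permission implies others) can be modelled in a few lines. The following is an added example and not LumisXP code: the users, groups, channel names and the implication table are constructed from the examples above, and two details the page does not spell out are marked as assumptions in the comments (a local entry is simply appended after the inherited ones, and denying a permission also denies what it implies).

```python
"""Added example, not LumisXP code: a minimal model of the ACL rules on this
page. Users, groups, channels and permission labels are constructed for
illustration; the implication table follows the Service example."""

from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "allow", "deny"

# Which permissions a granted permission implies (constructed from the page's
# Service example: Manage service security implies the other two).
IMPLIES = {
    "Manage service security": {"Manage service", "Create Service Instance"},
}


def expand(permission: str) -> set:
    """The permission itself plus everything it transitively implies."""
    result = {permission}
    pending = [permission]
    while pending:
        current = pending.pop()
        for implied in IMPLIES.get(current, ()):
            if implied not in result:
                result.add(implied)
                pending.append(implied)
    return result


@dataclass
class Acl:
    """ACL of one portal object: a list of (principal, permission, effect)."""
    name: str
    entries: list = field(default_factory=list)
    parent: Optional["Acl"] = None   # object above it in the hierarchy
    inherit: bool = True             # whether the parent's ACL is inherited

    def allow(self, principal: str, permission: str) -> None:
        self.entries.append((principal, permission, ALLOW))

    def deny(self, principal: str, permission: str) -> None:
        self.entries.append((principal, permission, DENY))

    def effective_entries(self) -> list:
        """Inherited entries (when enabled) followed by the local ones.
        Assumption: local entries add to the inherited configuration, and a
        local deny is how an inherited permission is taken away."""
        inherited = self.parent.effective_entries() if (self.inherit and self.parent) else []
        return inherited + self.entries


def is_permitted(acl: Acl, user: str, groups: list, permission: str) -> bool:
    """A deny for the user or any of its groups wins over every allow.
    Assumption: denying a permission also denies what it implies."""
    principals = {user, *groups}
    allowed = False
    for principal, granted, effect in acl.effective_entries():
        if principal not in principals or permission not in expand(granted):
            continue
        if effect == DENY:
            return False
        allowed = True
    return allowed


def demo() -> dict:
    """Replays the page's Service and Channel A examples plus two child channels."""
    service = Acl("Service")
    service.allow("Administrator", "Manage service security")
    service.allow("Developers", "Create Service Instance")

    channel_a = Acl("Channel A")
    channel_a.allow("Pedro", "Manage Page")
    channel_a.deny("Authors", "Manage Page")
    channel_a.allow("Editors", "Manage Page")
    channel_b = Acl("Channel B", parent=channel_a)                 # inherits A
    channel_b.deny("Maria", "Manage Page")                          # local override
    channel_c = Acl("Channel C", parent=channel_a, inherit=False)  # nothing inherited

    return {
        "admin manage service": is_permitted(service, "Administrator", [], "Manage service"),
        "dev create instance": is_permitted(service, "dev1", ["Developers"], "Create Service Instance"),
        "dev manage service": is_permitted(service, "dev1", ["Developers"], "Manage service"),
        "pedro channel a": is_permitted(channel_a, "Pedro", ["Authors"], "Manage Page"),
        "maria channel a": is_permitted(channel_a, "Maria", ["Editors"], "Manage Page"),
        "maria channel b": is_permitted(channel_b, "Maria", ["Editors"], "Manage Page"),
        "maria channel c": is_permitted(channel_c, "Maria", ["Editors"], "Manage Page"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

Running the script prints one line per case; "pedro channel a" comes out denied because the group-level deny beats his personal allow, "maria channel b" is denied by the local entry layered on top of the inherited allow, and "maria channel c" is denied simply because Channel C inherits nothing and grants nothing itself.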