7.3. System policies¶
Using policies in the scope “system”, it is possible to define, which administrator is allowed to set system configurations. As the system configuration also contains credentials of the UserIdResolvers, restricting the read access to the system configuration can make sense. The following policy grants read access to the system configuration:
- scope = system
- action = read
- user = <comma separated list of administrator names>
The following policy grants write access to the system configuration:
- scope = system
- action = write
- user = <comma separated list of administrator names>
System policies do not refer to any realm.
Note
If no policy with scope “system” is defined, all administrators get full access to the system configuration according to the Apache2 configuration file.
If a realm admin has no read access to the scope system, he can only retrieve the system configurations that are vital for his administrative tasks. E.g. when he tries to retrieve the list of the Realms, he will only see the realms he as certain rights in. This way you can avoid that a realm admin can see what other realms exist.