Previous topic  Top  Next topic  Print this Topic

Access Restrictions for Commands


It is also possible to restrict the OntoBroker server commands. For example, the command "shutdown" should only be executed by an administrator.

OntoBroker Commands Via Property File Realm

In this case you can put into your "" file something like

user.Joe = pwd_joe, manager

user.Jane = pwd_jane, powerUser


role.manager = ob:command:*,ob:collabserver:*

role.powerUser = ob:command:reload,ob:command:add,ob:command:del,ob:command:query

This configuration basically says that Jane is allowed to execute the OntoBroker commands


and nothing else. Joe is allowed to execute any OntoBroker commands (including "shutdown"). The permission "ob:command:*" is a so-called wildcard permission.

NOTE: If you are working with security access and you are using the wildcard permission, users who have only reading permission can also read the security ontology and therefore know which user has which permission. If you do not want this behaviour, you must not use the wildcard permission. Instead you have to manually set permission for each module.

OntoBroker Commands Via Security Module Realm

The access rights configuration of commands can also be configured with the security module realm. In this case the security ontology for the scenario above is

:- module = $security.

:- importmodule $'security-core'.


... // similar as above


// if current user U has the role "role1" (role name of any configured realm)

// then the user should be assigned to the internal roles m1all and m3read

?U:User[hasRole->{m1all,m3read}] :- _currentUser(?U) and _hasForeignRole(role1).