Permission to execute an extension service operation is controlled by an AclRule contained in the ResourceClassAction.

An ACL rule specifies the access controls that apply to a ResourceClassAction. Access controls can be defined for any of the following principals:

an individual user

a member of a specified organization

any user whose role includes a specific right

any resource defined by the service that created the ACL rule

Rights for specific entity types are specified in the following container elements:

ServiceResourceAccess

This specification is optional.

OrganizationAccess

Access for the organizations. This specification is required.

PrincipalAccess

Access control for users, or for any role that includes a specified right. This specification is required.

If the Access element in any of these containers has the value Entity, the container must also include an Entity element that provides a reference to a resource entity, organization, user, or right.

ACL Rules

Container Element

Access

Comments

ServiceResourceAccess

Shared

The action is authorized for all resources in this resource class

Entity

The action is authorized for the service resource referenced in the Entity element in this container.

OrganizationAccess

Shared

The action is authorized for all members of the organization that owns the resource.

Published

The action is authorized for all members of any organization in the cloud.

Entity

The action is authorized for members of the organization referenced in the Entity element in this container.

PrincipalAccess

Shared

The action is authorized for all users

Entity

The action is authorized for the User referenced in the Entity element in this container, or for any role that includes the Right referenced in the Entity element in this container.

A ResourceClassAction can include an arbitrary number of AclRule elements. The action is permitted if the user or resource attempting the action matches any rule.

Verify that you are logged in to the vCloud API as a system administrator.

1

Retrieve the XML representation of the resource class action.

This request retrieves the XML representation of the resource class action created in Example: Define an Action for a Resource Class:

GET https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268
2

Examine the response to find the Link for specifying ACL rules for the resource class action.

This Link has the following form:

<vcloud:Link
      rel="add"
      type="application/vnd.vmware.vcloud.query.aclRule+xml"
      href="https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268/aclrules" />
3

Construct an AclRule element.

See the request portion of Example: Define an ACL Rule for a Resource Class Action for information about the contents of this element.

4

POST the ResourceClassAction element to the URL described in Step 2.

This example adds an ACL rule to the resource class action created in Example: Define an Action for a Resource Class. The rule specifies that all members of a specific organization who have a role that includes a specific right can execute the action.

Request:

POST https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268/aclrules
Content-type: application/vnd.vmware.admin.aclRule+xml
<?xml version="1.0" encoding="UTF-8"?>
<vmext:AclRule
   xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5"
   xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   name="ACL rule for read backups">
   <Description>Only users in org/26 who have right/2 can read backups</Description>
   <vmext:ServiceResourceAccess>
      <vmext:Access>Shared</vmext:Access>
   </vmext:ServiceResourceAccess>
   <vmext:OrganizationAccess>
      <vmext:Access>Entity</vmext:Access>
      <vmext:Entity
         xsi:type="vcloud:ResourceReferenceType"
         type="application/vnd.vmware.admin.org+xml"
         href="https://vcloud.example.com/api/admin/org/26" />
   </vmext:OrganizationAccess>
   <vmext:PrincipalAccess>
      <vmext:Access>Entity</vmext:Access>
      <vmext:Entity
         xsi:type="vcloud:ResourceReferenceType"
         type="application/vnd.vmware.admin.right+xml"
         href="https://vcloud.example.com/api/admin/right/2" />
   </vmext:PrincipalAccess>
</vmext:AclRule>

The response contains information supplied in the request, along with several Link elements created by the server.

Response:

201 Created
Content-Type: application/vnd.vmware.admin.aclrule+xml
...
<vmext:AclRule
   xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5"
   xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
   name="ACL rule for read backups"
   id="urn:vcloud:aclRule:5"
   type="application/vnd.vmware.admin.aclRule+xml"
   href="https://vcloud.example.com/api/admin/extension/service/aclrule/5">
   <Description>Only users in org/26 who have right/2 can read backups</Description><vcloud:Link
    <vcloud:Link
      rel="remove"
      href="https://vcloud.example.com/api/admin/extension/service/resourceclassaction/268" />
   ...
</vmext:AclRule>