ACL Parameters

This topic describes the parameters for ACLs.


The parameters required to configure an access control list are as follows:

  • service: This is an optional property that denotes the distinguished name (DN) of the Service Group for which the access control object is set. When the ACL is configured for Web service interfaces and Web service operations, the top-level object in the ACL object tree must be the DN of the Service Group through which the object is referenced. When the service attribute is omitted, the ACL set on Web service interfaces and Web service operations applies to all Service Groups.
  • acl: This property denotes the distinguished name (DN) of the user or role for which the access control is set.
  • acobjecttree: This property holds the access control list that is set for the user or role. A generic ACL Object Tree has the following form:
    <object acl="open/blocked/condition" id="aclObject"/>
    

    Here,

  • The id attribute (aclObject in the template above) identifies the object for which the permissions are set. It can be the DN of a Service Group, the labeled URI of a Web service interface, the CN of a Web service operation, the name of a table, the name of a field, the key of an XML Store object or the DN of an LDAP object.
  • The acl attribute can be open, blocked or condition. open indicates that the object can be accessed and blocked indicates that it cannot. condition indicates that the object is opened only if the condition defined on it is satisfied; the condition can be defined on the object itself or on its parent. If the acl attribute is not specified on an object, the setting is taken from the object hierarchy. A lower-level acl object must always be specified within the scope of its higher-level object. For example, consider setting an ACL on a Web service operation inside a Web service interface:
    <object>
        <object acl="blocked" id="Method Set NameSpace">
            <object id="Method CN"/>
        </object>
    </object>
    


    In this case, the operation object carries no acl attribute of its own, so the permission set on the higher-level object (blocked on the interface) also applies to the lower-level object (the operation).

    Note: ACLs can also be set on Web service interfaces and Web service operations inside Applications. In such cases, the service attribute is not set and the top-level object tag has no id attribute.
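The inheritance rule above (an object without an acl attribute takes the setting of its nearest ancestor, and a condition may sit on the object or on its parent) is the part of an ACL Object Tree that is easiest to get wrong when reviewing a configuration. The following is an added example, not code from the product or this page: a small Python resolver that parses an ACL Object Tree, rejects unknown acl values at load time, and reports the effective decision for an object addressed by its path of ids. The sample tree, the Service Group DN, the interface URIs and the operation CNs are constructed for illustration. Two behaviours are assumptions rather than statements from the page: a path that matches no object, or whose whole chain carries no acl, is treated as blocked (deny by default), and a condition is evaluated through a caller-supplied predicate because the condition syntax itself is documented on the Conditional ACL page, not here.

```python
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

VALID_ACL = {"open", "blocked", "condition"}

# Constructed sample ACL Object Tree (illustrative names, not from the
# product): the top-level object is a Service Group DN; below it sit two Web
# service interfaces (labeled URIs) and their operations (CNs).
SAMPLE_ACL_TREE = """
<object id="cn=OrdersGroup,ou=ServiceGroups,o=example">
  <object acl="blocked" id="http://example.com/ws/AdminInterface">
    <object id="resetPassword"/>
  </object>
  <object acl="open" id="http://example.com/ws/OrderInterface">
    <object id="placeOrder"/>
    <object acl="condition" id="cancelOrder"/>
  </object>
</object>
"""


def load_acl_tree(xml_text: str) -> ET.Element:
    """Parse an ACL Object Tree and reject unknown acl values up front.

    Failing at load time is safer than letting a typo such as acl="opne"
    fall through to whatever the resolver does with an unknown value.
    """
    root = ET.fromstring(xml_text)
    for node in root.iter("object"):
        acl = node.get("acl")
        if acl is not None and acl not in VALID_ACL:
            raise ValueError(f"invalid acl value {acl!r} on object {node.get('id')!r}")
    return root


def _chain(root: ET.Element, path: List[str]) -> Optional[List[ET.Element]]:
    """Return the elements from the root down to the object named by path.

    The top-level <object> may have no id (ACLs inside Applications); it is
    then transparent and the path starts at its children. Returns None when
    some id on the path does not exist in the tree.
    """
    chain = [root]
    remaining = list(path)
    if root.get("id") is not None:
        if not remaining or remaining[0] != root.get("id"):
            return None
        remaining = remaining[1:]
    node = root
    for ident in remaining:
        nxt = next((c for c in node.findall("object") if c.get("id") == ident), None)
        if nxt is None:
            return None
        chain.append(nxt)
        node = nxt
    return chain


def effective_access(root: ET.Element, path: List[str],
                     condition_ok: Callable[[Optional[str]], bool]) -> str:
    """Resolve the effective decision ("open" or "blocked") for an object.

    Assumed semantics (not stated on the page): an object without an acl
    attribute inherits the nearest ancestor's acl; a "condition" carried by
    the object or an ancestor is checked via condition_ok, which receives the
    id of the object carrying it; an object that is absent from the tree, or
    whose whole chain carries no acl, is blocked (deny by default).
    """
    chain = _chain(root, path)
    if chain is None:
        return "blocked"
    decision: Optional[str] = None
    carrier: Optional[str] = None
    for node in chain:
        acl = node.get("acl")
        if acl is not None:  # nearest (deepest) acl attribute wins
            decision, carrier = acl, node.get("id")
    if decision == "open":
        return "open"
    if decision == "condition":
        return "open" if condition_ok(carrier) else "blocked"
    return "blocked"  # explicit "blocked", or no acl anywhere on the chain


if __name__ == "__main__":
    tree = load_acl_tree(SAMPLE_ACL_TREE)
    group = "cn=OrdersGroup,ou=ServiceGroups,o=example"
    for iface, op in [("http://example.com/ws/AdminInterface", "resetPassword"),
                      ("http://example.com/ws/OrderInterface", "placeOrder"),
                      ("http://example.com/ws/OrderInterface", "cancelOrder")]:
        print(op, "->", effective_access(tree, [group, iface, op], lambda _cid: True))
```

Running the script shows resetPassword blocked (inherited from its interface), placeOrder open (inherited), and cancelOrder open only while the predicate accepts the condition on it. Changing the predicate to return False flips cancelOrder to blocked without touching the tree, which is the review you want to run on every condition entry before deploying an ACL.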

Related concepts

Conditional ACL

Related tasks

Configuring ACL for Web Service Interfaces and Operations
Configuring ACL for Service Groups
Configuring ACL for LDAP Objects
Configuring ACL for Database Metadata
Configuring ACL for XMLStore Objects
Configuring ACL for Roles
Configuring ACL for Users