@@ -172,7 +172,7 @@ defradb client ... --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b
172172
173173### Adding a Policy:
174174
175- We have in ` examples/dpi_policy/user_dpi_policy .yml ` :
175+ We have in ` examples/policy/dac_policy .yml ` :
176176``` yaml
177177name : An Example Policy
178178
@@ -208,7 +208,7 @@ resources:
208208
209209CLI Command:
210210` ` ` sh
211- defradb client acp policy add -f examples/dpi_policy/user_dpi_policy .yml --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
211+ defradb client acp dac policy add -f examples/policy/dac_policy .yml --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
212212```
213213
214214Result:
@@ -440,7 +440,7 @@ Error:
440440### Sharing Private Documents With Others
441441
442442To share a document (or grant a more restricted access) with another actor, we must add a relationship between the
443- actor and the document. Inorder to make the relationship we require all of the following:
443+ actor and the document. In order to make the relationship we require all of the following:
444444
4454451 ) ** Target DocID** : The ` docID ` of the document we want to make a relationship for.
4464462 ) ** Collection Name** : The name of the collection that has the ` Target DocID ` .
@@ -457,7 +457,7 @@ Note:
457457 and a relationship is formed, the subject/actor will still not be able to access (read or update or delete) the resource.
458458 - If the relationship already exists, then it will just be a no-op.
459459
460- Consider the following policy that we have under ` examples/dpi_policy/user_dpi_policy_with_manages .yml ` :
460+ Consider the following policy that we have under ` examples/policy/dac_policy_with_manages .yml ` :
461461
462462``` yaml
463463name : An Example Policy
@@ -516,7 +516,7 @@ resources:
516516
517517Add the policy:
518518` ` ` sh
519- defradb client acp policy add -f examples/dpi_policy/user_dpi_policy_with_manages .yml \
519+ defradb client acp dac policy add -f examples/policy/dac_policy_with_manages .yml \
520520--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
521521```
522522
@@ -611,7 +611,7 @@ defradb client collection docIDs --identity 4d092126012ebaf56161716018a71630d994
611611
612612Now let's make the other actor a reader of the document by adding a relationship:
613613``` sh
614- defradb client acp relationship add \
614+ defradb client acp dac relationship add \
615615--collection Users \
616616--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
617617--relation reader \
@@ -656,7 +656,7 @@ Sometimes we might want to give a specific access (i.e. form a relationship) not
656656any identity (includes even requests with no-identity).
657657In that case we can specify "* " instead of specifying an explicit ` actor ` :
658658``` sh
659- defradb client acp relationship add \
659+ defradb client acp dac relationship add \
660660--collection Users \
661661--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
662662--relation reader \
@@ -676,7 +676,7 @@ Result:
676676### Revoking Access To Private Documents
677677
678678To revoke access to a document for an actor, we must delete the relationship between the
679- actor and the document. Inorder to delete the relationship we require all of the following:
679+ actor and the document. In order to delete the relationship we require all of the following:
680680
6816811 ) Target DocID: The docID of the document we want to delete a relationship for.
6826822 ) Collection Name: The name of the collection that has the Target DocID.
@@ -695,7 +695,7 @@ how to share the document with other actors.
695695
696696We made the document accessible to an actor by adding a relationship:
697697``` sh
698- defradb client acp relationship add \
698+ defradb client acp dac relationship add \
699699--collection Users \
700700--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
701701--relation reader \
@@ -710,9 +710,9 @@ Result:
710710}
711711```
712712
713- Similarly, inorder to revoke access to a document we have the following command to delete the relationship:
713+ Similarly, in order to revoke access to a document we have the following command to delete the relationship:
714714``` sh
715- defradb client acp relationship delete \
715+ defradb client acp dac relationship delete \
716716--collection Users \
717717--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
718718--relation reader \
@@ -740,7 +740,7 @@ defradb client collection docIDs --identity 4d092126012ebaf56161716018a71630d994
740740We can also revoke the previously granted implicit relationship which gave all actors access using the "* " actor.
741741Similarly we can just specify "* " to revoke all access given to actors implicitly through this relationship:
742742``` sh
743- defradb client acp relationship delete \
743+ defradb client acp dac relationship delete \
744744--collection Users \
745745--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
746746--relation reader \
@@ -780,8 +780,55 @@ The signed token must be set on the `Authorization` header of the HTTP request w
780780
781781If authentication fails for any reason a ` 403 ` forbidden response will be returned.
782782
783- ## _ AAC DPI Rules (coming soon)_
784- ## _ AAC Usage: (coming soon)_
783+ ## Admin ACP (AAC)
784+ In addition to document access control (DAC) we have another type of access control to gate a node's operations.
785+
786+ ## AAC Usage:
787+
788+ ### Starting AAC:
789+ In order, to start admin acp the user needs to specify an "owner" identity at node startup and indicate they
790+ want to enable admin acp for the node.
791+
792+ This can be done like this:
793+ ``` sh
794+ defradb start --no-keyring --aac-enable true \
795+ --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
796+ ```
797+
798+ Note: The owner will by default have access to all the permissions.
799+
800+ ### Temporarily Disable AAC:
801+ While we do have an option to purge the entire admin acp state to delete all relationships and reset the owner,
802+ sometimes you want to preserve the entire state of the admin acp while temporarily disabling it. This can be
803+ done using the ` disable ` command like so:
804+
805+ This can be done like this:
806+ ``` sh
807+ defradb client acp aac disable \
808+ --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
809+ ```
810+
811+ Note: The identity * MUST* have the permission to be able to disable admin acp.
812+
813+ ### Re-enable AAC:
814+ To re-enable admin acp when it is temporarily disabled, use the ` re-enable ` command like so:
815+ ``` sh
816+ defradb client acp aac re-enable \
817+ --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
818+ ```
819+
820+ Note: The identity * MUST* have the permission to be able to re-enable admin acp.
821+
822+ ### Check AAC Status
823+ Admin ACP could be in various states, for example it could be ` enabled ` , ` temporarily disabled ` ,
824+ or never configured (` clean ` state).
825+ To check the status of admin acp, we have a utility ` status ` command:
826+
827+ This can be done like this:
828+ ``` sh
829+ defradb client acp aac status
830+ ```
831+
785832
786833## _ FAC DPI Rules (coming soon)_
787834## _ FAC Usage: (coming soon)_
0 commit comments