To ensure that any authenticated server always can extend the Management Tree, the root ACL value for the Add command SHOULD NOT be changed. The ACL value for the Add command in the root ACL SHOULD be “*”. Any attempt by a server to modify this ACL value MAY fail with the status code (405) Command not allowed.
7.7.1.3 Changing the ACL
The rules for changing the ACL of a Node are different for Interior Nodes and Leaf Nodes.
Interior Nodes
The ACL is valid for the Node and all properties that the Node may have, i.e. the right to access the ACL is controlled by the ACL itself. If a Server Identifier has Replace access rights according to the Node ACL then this Server Identifier can change the ACL value.
Leaf Nodes
The ACL is valid for the Node value and all properties that the Node may have, except the ACL property itself. If a Server Identifier has Replace access rights according to the Node ACL then this Server Identifier can change the Node value and all property values, but not the ACL value.
However, for both types of Nodes the right to change the ACL of the Node is also controlled by the ACL of the parent Node. Note that any parent Node is by definition an Interior Node. This makes it possible for a Server Identifier with sufficient access to a parent Node to take control of a child Node. This is a two-step process where the server first changes the ACL of the child Node and then can access the Node value, list of children or other Node properties. Note that even if a server has total access to the parent Node according to the parent’s ACL, this does not imply direct access to the child Node value. To change a child Node value the child ACL value MUST be changed first.
The ability for a Server Identifier with access to a parent Node to take control of a child Node implies that any Server Identifier with control of the root Node can take control of the complete Management Tree. Doing so is a laborious process that involves many separate management commands being issued by the server. It also implies that, unless two Server Identifiers agree about passing authority between them, transition of authority cannot take place. This also makes ‘hostile takeovers’ of devices impossible. To provide the end user with the ability to change which Server Identifier controls the root Node, some devices MAY implement a UI for this purpose.
Servers can explicitly set ACL values by performing a Replace operation on the ACL property of any given Node. A successful completion of such an operation is signaled by a (200) OK status code. If the operation fails due to lack of device memory, status code (420) Device full is returned. In addition, if the reason for failure is an access violation, the status code (425) Permission denied is returned.
If a server successfully creates a new Node with the Add command, the value of the Node’s ACL property is initially set to no value, e.g. <Data/>. This means that the value is inherited from the parent Node. However, there is one exception to this rule. If a server is adding an Interior Node and does not have Replace access rights on the parent of the new Node, then the device MUST automatically set the ACL of the new Node so that the creating server has Add, Delete and Replace rights on the new Node.
In cases where the above rule does not apply it is RECOMMENDED that the current Server Identifier explicitly set the new Node ACL. This is achieved by using a Replace command on the ACL URI of the new Node. The current server SHOULD set the ACL value so that it has Delete, Get and Replace access.
Note that since the only command available to change an ACL is Replace, all existing Server Identifiers and access rights are overwritten. If a server wishes to keep the existing entries in an ACL it MUST read the ACL, perform the needed changes and then Replace the existing ACL with the new one.
7.7.1.4 Deletion of DM Server Identifier
When a DM Server Identifier is to be deleted from the device, the Management Tree MUST be scanned for Nodes with ACLs held by the soon-to-be-deleted Server Identifier. The reference to this Server Identifier MUST be deleted. In the event that this process removes the only Server Identifier for a particular command on a particular Node, then this command is removed from the ACL for this Node. Note that if all commands are removed from an ACL in this process, resulting in an ACL with no value, the ACL becomes inherited (see Section 7.7.1.1).
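The following is an added, constructed model of the rules in 7.7.1.3 and 7.7.1.4; it is not part of the specification text and not a reference implementation. It assumes the OMA DM ACL string format `Command=ServerID+ServerID&Command=...` with `*` as the wildcard, and the server names (SrvA, SrvB, SrvC) and node names (Cfg, Key) are invented. It shows the Interior/Leaf difference for changing an ACL, the parent-ACL rule and the resulting two-step takeover, the auto-set ACL on Add, the protected root Add ACL, and the clean-up when a Server Identifier is deleted.

```python
"""Toy model of OMA DM ACL handling (7.7.1.3 / 7.7.1.4). Constructed example:
the ACL format 'Cmd=SrvA+SrvB&Cmd=...' is assumed from OMA DM; names are made up."""
from dataclasses import dataclass, field
from typing import Dict, Optional

OK, NOT_ALLOWED, PERMISSION_DENIED = 200, 405, 425   # status codes named in the text


def parse_acl(acl: str) -> Dict[str, set]:
    """'Add=*&Replace=SrvA+SrvB' -> {'Add': {'*'}, 'Replace': {'SrvA', 'SrvB'}}."""
    rights: Dict[str, set] = {}
    for part in filter(None, acl.split("&")):
        cmd, _, servers = part.partition("=")
        rights[cmd] = set(servers.split("+")) if servers else set()
    return rights


def format_acl(rights: Dict[str, set]) -> str:
    return "&".join(f"{cmd}={'+'.join(sorted(rights[cmd]))}" for cmd in sorted(rights) if rights[cmd])


@dataclass
class Node:
    name: str
    interior: bool
    acl: str = ""                    # "" = no value, i.e. inherited from the parent
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)

    def effective_acl(self) -> Dict[str, set]:
        node = self                  # walk up until a Node with an ACL value (7.7.1.1)
        while node.acl == "" and node.parent is not None:
            node = node.parent
        return parse_acl(node.acl)

    def grants(self, server: str, cmd: str) -> bool:
        allowed = self.effective_acl().get(cmd, set())
        return "*" in allowed or server in allowed


def replace_acl(node: Node, server: str, new_acl: str) -> int:
    """Replace on the ACL property. The parent's ACL always controls this; an
    Interior Node's own ACL controls it too, a Leaf Node's own ACL does not."""
    permitted = node.parent is not None and node.parent.grants(server, "Replace")
    if node.interior and node.grants(server, "Replace"):
        permitted = True
    if not permitted:
        return PERMISSION_DENIED
    if node.parent is None and parse_acl(new_acl).get("Add") != {"*"}:
        return NOT_ALLOWED           # root Add ACL stays "*" so any server can extend the tree
    node.acl = new_acl
    return OK


def add_node(parent: Node, server: str, name: str, interior: bool) -> Optional[Node]:
    """Add: new ACL has no value (inherited), except when an Interior Node is created by a
    server lacking Replace on the parent; then the creator gets Add, Delete and Replace."""
    if not parent.grants(server, "Add"):
        return None
    child = Node(name, interior, parent=parent)
    if interior and not parent.grants(server, "Replace"):
        child.acl = f"Add={server}&Delete={server}&Replace={server}"
    parent.children[name] = child
    return child


def delete_server(root: Node, server: str) -> None:
    """7.7.1.4: remove every reference to the server; a command left with no
    server is dropped, and an ACL left with no value becomes inherited."""
    stack = [root]
    while stack:
        node = stack.pop()
        if node.acl:
            rights = parse_acl(node.acl)
            for cmd in list(rights):
                rights[cmd].discard(server)
                if not rights[cmd]:
                    del rights[cmd]
            node.acl = format_acl(rights)
        stack.extend(node.children.values())


def demo() -> dict:
    root = Node(".", interior=True, acl="Add=*&Get=SrvA&Replace=SrvA")
    cfg = add_node(root, "SrvB", "Cfg", interior=True)      # SrvB lacks Replace on root
    key = add_node(cfg, "SrvB", "Key", interior=False)      # Leaf, ACL inherited from Cfg
    out = {"cfg_auto_acl": cfg.acl, "key_inherits": key.acl == "" and key.grants("SrvB", "Replace")}
    out["leaf_acl_by_parent_right"] = replace_acl(key, "SrvB", "Replace=SrvC")             # 200
    out["leaf_own_right_insufficient"] = replace_acl(key, "SrvC", "Get=SrvC&Replace=SrvC")  # 425
    out["interior_own_right_ok"] = replace_acl(cfg, "SrvB", "Add=SrvB&Replace=SrvC")       # 200
    out["step1_parent_acl"] = replace_acl(cfg, "SrvC", "Add=SrvB&Get=SrvC&Replace=SrvC")    # 200
    out["no_direct_child_access"] = key.grants("SrvC", "Get")                              # False
    out["step2_child_acl"] = replace_acl(key, "SrvC", "Get=SrvC&Replace=SrvC")             # 200
    out["root_add_protected"] = replace_acl(root, "SrvA", "Get=SrvA&Replace=SrvA")         # 405
    delete_server(root, "SrvC")
    out["after_delete"] = (cfg.acl, key.acl, key.grants("SrvB", "Add"))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `leaf_own_right_insufficient` step is the one that trips implementers: SrvC holds Replace in the Leaf's own ACL yet still gets (425), because only the parent's ACL governs a Leaf's ACL property. The two `step` results show the takeover sequence the text describes, with `no_direct_child_access` confirming that Replace on the parent does not by itself grant access to the child's value.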