OSF DCE Administration Guide--Core Components

Controlling Access to CDS Names
________________________________________________________________________
Entry Type           Purpose
________________________________________________________________________
                     individual users named by an ACL entry of the type
                     foreign_user_delegate or members of a group named by
                     an ACL entry of the type foreign_group_delegate.
________________________________________________________________________
any_other_delegate   Specifies an ACL entry for an intermediary that acts for
                     authenticated principals in the local cell or in a foreign
                     cell who are not named by an ACL entry of any other
                     type for intermediaries of authenticated principals or
                     groups.
________________________________________________________________________
16.5 DCE Permissions Supported by CDS
CDS supports the following DCE permissions: read (r), write (w), insert (i), delete (d),
test (t), control (c), and administer (a). Each permission has a slightly different meaning,
depending on the kind of CDS name with which it is associated. In general, the
permissions are defined as follows:
Read Permission—Allows a principal to look up a name and view the attribute
values that are associated with it.
Write Permission—Allows a principal to change the modifiable attributes that are
associated with a name, except its ACLs.
Insert Permission—Allows a principal to create new names in a directory (for use
with directory entries only).
Delete Permission—Allows a principal to delete a name from the namespace.
Test Permission—Allows a principal to test whether an attribute of a name has a
particular value without being able to actually see any of the values; that is, without
having read permission to the name.
Test permission provides application programs with a more efficient way to verify a
CDS attribute value. Rather than reading an entire set of values, an application can
test for the presence of a particular value.
Control Permission—Allows a principal to modify the ACL entries that are
associated with a name. (Note that read permission is also necessary for modifying a
CDS entry’s ACLs; otherwise, dcecp and acl_edit will not be able to bind to the
entry.) Control permission is automatically granted to the creator of a CDS entry.
Administer Permission—Allows a principal to issue CDS commands that control the
replication of directories. Administer permission is for use with directory entries
only.
A principal needs some permission to a name before it can try to perform management
operations on the name. Otherwise, CDS does not recognize the name when the
principal tries the management operation and returns an error stating that the name does
not exist. If the principal has some permissions, but not those required to perform the
operation, CDS returns an error explaining that the principal had insufficient rights to
124243 Tandem Computers Incorporated 165
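
The permission rules and the two error cases described in section 16.5, modelled as an added Python example (not code from this guide or from DCE). The operation names, the REQUIRED mapping, the rejection of i and a on non-directory entries, and the sample principals and names are assumptions made for illustration.

```python
from enum import Enum

ALL_PERMS = set("rwidtca")    # permissions listed in section 16.5
DIRECTORY_ONLY = set("ia")    # insert and administer: directory entries only
# Hypothetical operation names (assumption), mapped to the permissions that
# the section's general definitions imply.
REQUIRED = {
    "show_attributes": {"r"},
    "modify_attribute": {"w"},
    "create_child": {"i"},
    "delete_name": {"d"},
    "test_attribute": {"t"},
    "modify_acl": {"c", "r"},  # read is also needed so the ACL editor can bind
    "replication": {"a"},
}

class Result(Enum):
    OK = "ok"
    NO_SUCH_NAME = "name does not exist"
    INSUFFICIENT_RIGHTS = "insufficient rights"

def parse_perms(text, is_directory):
    """Validate a permission string such as 'rwt' for the given entry kind."""
    perms = set(text)
    unknown = perms - ALL_PERMS
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    if not is_directory and perms & DIRECTORY_ONLY:
        raise ValueError("i and a are for use with directory entries only")
    return perms

def check(namespace, acls, principal, name, operation):
    """Return the outcome CDS would report for one management operation."""
    granted = acls.get(name, {}).get(principal, set())
    # A principal with no permission at all gets the same answer as for a
    # name that is absent, so existence is not disclosed.
    if name not in namespace or not granted:
        return Result.NO_SUCH_NAME
    if REQUIRED[operation] <= granted:
        return Result.OK
    return Result.INSUFFICIENT_RIGHTS

# Constructed sample data (not from the guide): name -> is_directory, and ACLs.
NAMESPACE = {"/.:/sales": True, "/.:/sales/printer1": False}
ACLS = {
    "/.:/sales": {"admin": parse_perms("rwidtca", True),
                  "alice": parse_perms("rt", True)},
    "/.:/sales/printer1": {"alice": parse_perms("c", False)},
}
```

In this model, alice holds control on printer1 but cannot change its ACL until she is also granted read, and bob, who has no permissions, cannot tell /.:/sales apart from a name that was never created.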