OSF DCE Administration Guide--Core Components
Chapter 28. Using Access Control Lists
You can control access to DCE objects by using the ACL authorization mechanism.
ACLs are associated with files, directories, CDS entries, and registry objects. They can
be implemented also by arbitrary applications to control access to their internal data
objects. Each ACL consists of multiple ACL entries that define who is authorized to do
what to the object; specifically, the entries determine
• Who can access the object
• What kinds of access those principals or groups have to the object
• What kind of access is allowed to unauthenticated users
This chapter
• Provides an overview of ACLs.
• Describes the form and purpose of ACL entries and masks, including the sequence in
which entries are checked to derive permissions.
• Describes how to use the DCE control program (dcecp) to display, create, modify,
and delete ACL entries; to use masks; to copy ACLs; and to edit different types of
ACLs.
For detailed information on how a specific DCE component implements the ACL
authorization mechanism, see the appropriate part of this guide.
Note: In the discussions of DCE authorization in this chapter and the chapters
that follow, the term user is analogous to principal. A principal can be a
human user, a server, or a machine.
28.1 Authorization Overview
An ACL contains a list of entries that specify the principals who can access an object
and the operations that those principals can perform. The principals can be named
explicitly or be members of a group that is identified in the ACL entry. The ACL is
associated with the object it protects. The operations a principal can perform are
specified by permissions.
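The following is an added illustration, not part of the guide and not DCE's own implementation: a minimal model of an ACL as a list of entries naming principals, groups, and unauthenticated callers, with a routine that derives a caller's permissions from it. The entry kinds, permission letters, and the precedence rule (an explicit user entry wins; otherwise matching group entries are combined; unauthenticated callers see only the unauthenticated entry) are assumptions chosen for this example; the actual order in which DCE checks entries is described later in the chapter.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Permission letters used by this example (constructed, not DCE's full set):
# r = read, w = write, x = execute.


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: what kind of principal it names and what it permits."""
    kind: str                 # "user", "group" or "unauthenticated" (example's own names)
    name: Optional[str]       # principal or group name; None for the unauthenticated entry
    perms: FrozenSet[str]


@dataclass(frozen=True)
class Caller:
    """The identity presenting itself to the object; principal None = unauthenticated."""
    principal: Optional[str]
    groups: FrozenSet[str] = frozenset()


def effective_perms(entries: List[AclEntry], caller: Caller) -> FrozenSet[str]:
    """Derive the caller's permissions from the ACL entries.

    Precedence used here is an assumption of this example, not DCE's rule:
    an explicit user entry wins outright; otherwise the caller receives the
    union of all group entries it belongs to; an unauthenticated caller only
    ever receives what the unauthenticated entry grants.
    """
    if caller.principal is None:
        unauth = [e.perms for e in entries if e.kind == "unauthenticated"]
        return frozenset().union(*unauth)

    # Explicit entry for this principal takes precedence over group membership.
    for e in entries:
        if e.kind == "user" and e.name == caller.principal:
            return e.perms

    # Otherwise accumulate permissions from every group the caller is in.
    granted: FrozenSet[str] = frozenset()
    for e in entries:
        if e.kind == "group" and e.name in caller.groups:
            granted |= e.perms
    return granted


def is_authorized(entries: List[AclEntry], caller: Caller, perm: str) -> bool:
    """True if the ACL grants the single permission `perm` to the caller."""
    return perm in effective_perms(entries, caller)


# Constructed sample ACL protecting one object (e.g. a file).
SAMPLE_ACL = [
    AclEntry("user", "alice", frozenset("rwx")),
    AclEntry("group", "developers", frozenset("rx")),
    AclEntry("group", "auditors", frozenset("r")),
    AclEntry("unauthenticated", None, frozenset()),  # nothing for anonymous callers
]


if __name__ == "__main__":
    callers = [
        Caller("alice", frozenset({"developers"})),
        Caller("bob", frozenset({"developers", "auditors"})),
        Caller("carol"),
        Caller(None),
    ]
    for who in callers:
        label = who.principal or "<unauthenticated>"
        print(f"{label:18} {''.join(sorted(effective_perms(SAMPLE_ACL, who))) or '-'}")
```

Running the block prints one line per sample caller: alice gets rwx from her own entry, bob gets rx as the union of his two groups, carol (no matching entry) and the unauthenticated caller get nothing.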
124243 Tandem Computers Incorporated 28−1