OSF DCE Administration Guide--Core Components
DCE permissions can be set for the following:
• Owner, group, and other
• Specific individual principals in the local cell and in foreign cells
• Specific individual groups in the local cell and in foreign cells
• Any other principals in a specific foreign cell for whom individual permissions have not been set
• Any principals in any cell who have been authenticated by the DCE Authentication Service
• Delegate users, servers, or groups, in local or foreign cells
• Unauthorized users
ACLs also provide a masking capability and a method for integrating protections from
DCE versions that are different from the current version.
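As an added illustration, not text or code from the guide, the following Python models how the entry categories just listed and the mask combine in a DCE-style access check. The entry type names (user_obj, group_obj, other_obj, user, group, foreign_user, foreign_group, foreign_other, any_other, unauthenticated, mask_obj), the precedence order, and which entry types mask_obj applies to follow the DCE ACL model as assumed here and are not stated on this page; delegate and extended entries are omitted, and all cell and principal names are constructed placeholders.

```python
# Simplified DCE-style ACL evaluation (added example; assumptions are in the lead-in).
# Entries are (type, key, perms): key is "" for *_obj/any_other/mask_obj/unauthenticated,
# a name for user/group, "cell/name" for foreign_user/foreign_group, a cell for foreign_other.

MASKED = {"user", "group", "group_obj", "foreign_user", "foreign_group", "foreign_other"}

def _grant(acl, etype, key=""):
    """Union of perms over matching entries, or None if no such entry exists."""
    hits = [set(p) for t, k, p in acl["entries"] if t == etype and k == key]
    return set().union(*hits) if hits else None

def effective_perms(acl, principal, cell, groups=(), authenticated=True):
    """Most specific matching entry class wins; mask_obj restricts MASKED types;
    the 'unauthenticated' entry further restricts callers without credentials."""
    local = cell == acl["cell"]
    etype, granted = "user_obj", None
    if local and principal == acl["owner"]:
        granted = _grant(acl, "user_obj")
    if granted is None:
        etype = "user" if local else "foreign_user"
        granted = _grant(acl, etype, principal if local else f"{cell}/{principal}")
    if granted is None:  # all matching group entries are unioned
        etype = "group" if local else "foreign_group"
        hits = [_grant(acl, etype, g if local else f"{cell}/{g}") for g in groups]
        if local and acl["group"] in groups:
            hits.append(_grant(acl, "group_obj"))
        hits = [h for h in hits if h is not None]
        granted = set().union(*hits) if hits else None
    if granted is None:
        etype = "other_obj" if local else "foreign_other"
        granted = _grant(acl, etype, "" if local else cell)
    if granted is None:
        etype, granted = "any_other", _grant(acl, "any_other")
    if granted is None:
        return set()
    mask = _grant(acl, "mask_obj")
    if etype in MASKED and mask is not None:
        granted &= mask
    if not authenticated:
        granted &= _grant(acl, "unauthenticated") or set()
    return granted

# Constructed sample ACL on an object in cell "/.../hq"; all names are placeholders.
SAMPLE = {"owner": "alice", "group": "ops", "cell": "/.../hq", "entries": [
    ("user_obj", "", "rwc"), ("group_obj", "", "rw"), ("other_obj", "", "r"),
    ("user", "bob", "rw"),                      # masked down to "r" below
    ("foreign_user", "/.../branch/carol", "r"),
    ("foreign_other", "/.../branch", "rw"),     # masked down to "r"
    ("any_other", "", ""), ("mask_obj", "", "r"), ("unauthenticated", "", "r"),
]}
```

Note that the owner (user_obj) and other_obj grants bypass the mask, while the named user and group grants do not, which is why the mask alone cannot be relied on to restrict the owner.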
File systems are frequently designed to provide access permissions for file system
objects, such as files and directories. ACLs in DCE are more extensive. In DCE, many
objects can have ACLs and be assigned permissions. DCE ACLs control access to
objects managed by DCE components, like the Distributed File Service, the DCE
Security Service, and the DCE Directory Service.
ACLs for the security service (the component that controls accounts) can, for example,
authorize certain principals to change all of the information associated with an account,
authorize other principals to change only a subset of the information associated with
accounts, and restrict other principals from changing any of the information associated
with accounts.
DCE can support particular sets of permissions that correspond to particular types of
objects. For example, for containers there can be an "insert" permission that other
objects, such as principals, do not need. This extensive usage of ACLs is in contrast to
that of POSIX systems, for example, where only file system objects are protected by
permission bits, with a standard set of permissions (read, write, and execute) being used.
The DCE control program has a command, acl permissions, that shows the permissions
specific to the ACL associated with the named object.
28.1.1 ACL Managers
An ACL manager is that portion of a server that handles ACLs. One ACL manager can
support several different types of ACLs. From a more abstract point of view, each ACL
type is supported by a corresponding ACL manager type. Informally, ACL manager
types are sometimes called ACL managers. Figure 28-1 shows ACL managers in
servers.
The client side allows you to connect to any server exporting the ACL interface so that
one program can manipulate all ACLs. The DCE control program and the acl_edit
command use this feature.
28 − 2 Tandem Computers Incorporated 124243