OSF DCE Administration Guide--Core Components
28.2.4 Using Principal and Group ACL Entries
When a security mechanism applies ACLs, the ACL entries are checked in a particular order: the most specific entries are checked before the less specific ones.

When using the ACL entry types for principals and groups, think of the user_obj, group_obj, and other_obj types as analogous to the POSIX file permissions for user, group, and other. Use the user and group types to specify permissions for a specific named principal or group.

The user_obj, group_obj, other_obj, user, and group entry types apply to principals and groups in the default cell of the ACL. To set permissions for specific principals and groups in a foreign cell, use the foreign_user and foreign_group entries. These entries set permissions for a foreign cell in the same way that user and group entries do for the default cell. Use foreign_other to set permissions for all other principals in a foreign cell, in the same way that other_obj does for all other principals in the default cell.

The any_other entry type sets permissions for all local and foreign principals to which none of the other entry types apply. If any of the other entry types matches a local or foreign principal, either explicitly or implicitly, the any_other entry is not applied. This is because once the ACL manager finds a match between a principal and an entry, it stops examining the ACL and applies the matching entry (or, in the case of groups, entries). The ACL manager examines all other ACL entry types, except for the mask types (described below), for a match before it examines the any_other entry type. See Section 28.2.7 for details of the order of ACL checking.
28.2.5 ACL Entry Types for Masks

Masks in ACL entries establish the maximum permissions that can be granted to a principal. There are two masks: the mask_obj mask and the unauthenticated mask. Only permissions that appear in both the ACL entry and the mask are granted. For example, if the ACL entry specifies rwx permissions and the mask specifies only the x permission, the entry permissions are ANDed with the mask, and only the x permission is granted.

The mask_obj mask, if it exists, applies to all entry types except user_obj and other_obj. The unauthenticated mask is applied to all unauthenticated principals. As the ACL manager derives the permissions from the ACL entries, it filters each one through the mask_obj mask (if one exists), and finally through the unauthenticated mask. The manager grants only those permissions that are present in the first matching entry, in the mask_obj mask, and in the unauthenticated mask.
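The entry precedence of Section 28.2.4 and the mask ANDing of Section 28.2.5 can be seen together in the following toy evaluator, an added example that is not code from the DCE guide. The checking order it uses (owner, named user, unioned group entries, other, then any_other, with the same shape for foreign cells), the dict layout, the permission letters, and the names alice, bob, cella and so on are all assumptions; the authoritative order is the one in Section 28.2.7.

```python
# Toy evaluator for DCE-style ACL entries (added example, not the guide's code).
# Assumed precedence: owner, named user, unioned groups, other, then any_other,
# and the same shape for foreign cells; the real order is in Section 28.2.7.

def _and(perms, mask):  # grant only what the entry and the mask both contain
    return "".join(p for p in perms if p in mask)

def resolve(acl, obj, principal):
    """Return (matching entry type, granted permissions) for principal on obj."""
    name, cell, groups = principal["name"], principal["cell"], principal["groups"]
    etype, perms = None, ""
    if cell == obj["cell"]:                      # principal is in the ACL's default cell
        if name == obj["owner"] and "user_obj" in acl:
            etype, perms = "user_obj", acl["user_obj"]
        elif name in acl.get("user", {}):
            etype, perms = "user", acl["user"][name]
        else:                                    # group entries accumulate, not first-match
            hits = [acl["group_obj"]] if obj["group"] in groups and "group_obj" in acl else []
            hits += [acl["group"][g] for g in groups if g in acl.get("group", {})]
            if hits:
                etype, perms = "group", "".join(set("".join(hits)))
            elif "other_obj" in acl:
                etype, perms = "other_obj", acl["other_obj"]
    else:                                        # principal from a foreign cell
        if (cell, name) in acl.get("foreign_user", {}):
            etype, perms = "foreign_user", acl["foreign_user"][(cell, name)]
        else:
            hits = [acl["foreign_group"][(cell, g)] for g in groups
                    if (cell, g) in acl.get("foreign_group", {})]
            if hits:
                etype, perms = "foreign_group", "".join(set("".join(hits)))
            elif cell in acl.get("foreign_other", {}):
                etype, perms = "foreign_other", acl["foreign_other"][cell]
    if etype is None and "any_other" in acl:     # reached only when nothing else matched
        etype, perms = "any_other", acl["any_other"]
    if etype is None:
        return None, ""
    if etype not in ("user_obj", "other_obj") and "mask_obj" in acl:
        perms = _and(perms, acl["mask_obj"])     # mask_obj caps every other entry type
    if not principal["authenticated"]:           # assumed: a missing mask grants nothing
        perms = _and(perms, acl.get("unauthenticated", ""))
    return etype, "".join(sorted(perms))

# Constructed sample ACL, object and principal builder for the demonstration.
SAMPLE_ACL = {"user_obj": "rwx", "group_obj": "rx", "other_obj": "", "any_other": "r",
              "user": {"alice": "rwx"}, "group": {"dev": "w"}, "mask_obj": "rx",
              "foreign_user": {("cellb", "bob"): "rwx"}, "foreign_other": {"cellb": "r"},
              "unauthenticated": "r"}
SAMPLE_OBJ = {"owner": "root", "group": "staff", "cell": "cella"}
def principal(name, cell, groups=(), authenticated=True):
    return {"name": name, "cell": cell, "groups": set(groups), "authenticated": authenticated}
```

Note that the empty other_obj entry still counts as a match for a local principal such as dave, so any_other is never consulted for him; remove other_obj from the ACL and he falls through to any_other instead.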
28-10 Tandem Computers Incorporated 124243