OSF DCE Administration Guide--Core Components
Using Access Control Lists
Note: If you do not create an unauthenticated mask, unauthenticated principals are denied all access to objects. If a user is unauthenticated because that user has no DCE credentials, then the only entry that the user matches is the any_other entry type, which is then masked by the unauthenticated mask. This means that, for such unauthenticated users to have any access to an object, the object's ACL must contain an any_other type entry and an unauthenticated mask entry.
An example of mask usage follows. For a particular object, there are a great number of ACL entries specifying rw access to that object. You need to restrict the access to read-only, temporarily, but do not want to change all the ACL entries. Simply creating a mask_obj mask of r, and then removing it when you are done, provides the temporary restriction.
28.2.6 ACL Entry Types for Dissimilar DCE Releases
The extended entry type provides a generic format for ACL entries that allows future DCE releases to implement new ACL entry types. Because the new types are "packaged" in the generic format of the extended entry, earlier DCE releases can copy, display, and print the new entry types even if they cannot interpret their meaning. Section 28.4 tells how to copy extended entries. Note that extended entries cannot be modified; however, they can be deleted.
An extended ACL entry has the following form:
{extended uuid.ndr.ndr.ndr.ndr.number_of_bytes.data permissions}
where:
uuid
    A UUID that identifies the entry type of the extended ACL entry. (This UUID can identify one of the ACL entry types described in this document or an as-yet-undefined ACL entry type.)
ndr.ndr.ndr.ndr
    A Network Data Representation (NDR) format label (in hexadecimal format and separated by dots) that identifies the encoding of data.
number_of_bytes
    A decimal number that specifies the total number of bytes in data. It is followed by a dot.
data
    The ACL data in hexadecimal format. (Each byte of ACL data is two hexadecimal digits.) The ACL data includes all of the ACL entry specification except the permissions. The ACL data is not interpreted; it is assumed that the ACL manager to which the data is being passed can understand that data.
permissions
    The permissions to be granted by the entry.
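The following parser, added here as an illustration and not part of the OSF DCE guide or its tools, checks an extended ACL entry against the form described above before it is copied between releases. The sample entry, its UUID and its data bytes are constructed for the example; the check that number_of_bytes matches the length of data is the one a practitioner wants, because the data is opaque and nothing else on the source release can validate it.

```python
import re
from dataclasses import dataclass

# Constructed sample in the documented form (not taken from the original guide):
# {extended uuid.ndr.ndr.ndr.ndr.number_of_bytes.data permissions}
SAMPLE_ENTRY = "{extended 01234567-89ab-cdef-0123-456789abcdef.00.00.00.00.4.deadbeef rw}"

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)


@dataclass
class ExtendedEntry:
    uuid: str
    ndr_label: tuple   # four dotted hex fields naming the NDR encoding of data
    data: bytes        # opaque ACL data; only the target ACL manager interprets it
    permissions: str


def parse_extended_entry(text: str) -> ExtendedEntry:
    """Parse one extended ACL entry; raise ValueError on anything malformed."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("entry must be enclosed in braces")
    fields = text[1:-1].split()
    if len(fields) != 3 or fields[0] != "extended":
        raise ValueError("expected: {extended <key> <permissions>}")
    key, permissions = fields[1], fields[2]
    # The key is uuid.ndr.ndr.ndr.ndr.number_of_bytes.data: seven dotted fields.
    parts = key.split(".")
    if len(parts) != 7:
        raise ValueError("key must have 7 dot-separated fields, got %d" % len(parts))
    uuid, ndr, nbytes, data = parts[0], parts[1:5], parts[5], parts[6]
    if not UUID_RE.match(uuid):
        raise ValueError("bad UUID: %s" % uuid)
    if not all(HEX_RE.match(x) for x in ndr):
        raise ValueError("NDR format label fields must be hexadecimal")
    if not nbytes.isdigit():
        raise ValueError("number_of_bytes must be decimal")
    if len(data) % 2 or not HEX_RE.match(data):
        raise ValueError("data must be an even run of hex digits (two per byte)")
    raw = bytes.fromhex(data)
    # The byte count is the only integrity check available for opaque data.
    if len(raw) != int(nbytes):
        raise ValueError("number_of_bytes=%s but data holds %d bytes" % (nbytes, len(raw)))
    if not re.match(r"^[A-Za-z-]+$", permissions):
        raise ValueError("permissions must be a run of permission letters")
    return ExtendedEntry(uuid, tuple(ndr), raw, permissions)


def is_well_formed(text: str) -> bool:
    """True when the entry parses cleanly; used to filter entries before copying."""
    try:
        parse_extended_entry(text)
        return True
    except ValueError:
        return False
```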
124243 Tandem Computers Incorporated 28-11