OSF DCE Administration Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series

351

352

353

354

355

356

357

358

359

360

OSF DCE Administration Guide—Core Components

28.2.7 The Checking Sequence for ACL Entries

An ACL manager reads through a list of ACL entries to ﬁnd the particular entry that

applies to an individual who is trying to perform a particular operation. The ACL

manager ﬁrst looks for a match between the privilege attributes of the principal or

process desiring access and the privilege attributes listed in the ACL. When the ACL

manager ﬁnds a match, it examines the permissions in the matching ACL entry and

applies the mask_obj mask to it (unless it is an entry of type user_obj or other_obj)ifa

mask_obj mask exists. Finally, the ACL manager applies the unauthenticated mask (if

it exists) if the principal is not authenticated. If the permissions that result grant the

requested access, the manager grants it to the principal. If not, access is denied.

Because an ACL manager stops checking the ACL entries when it ﬁnds a match, it is

important to understand the order in which the ACLs are checked. Figure 28-3 shows

the order of checking and the masks applied. ACL managers check entries in the

following order, with the exception that the initiator principal is not checked against

..._delegate entries. Delegate principals are checked against all entries.

1. First, the ACL manager checks the user ACL entries, in the following order:

• user_obj

• user_obj_delegate

• user

• user_delegate

• foreign_user

• foreign_user_delegate

The ACL manager stops all entry checking at the ﬁrst matching user entry it ﬁnds

and applies the permissions in the entry. The user entries are checked in order as

shown in the previous list from most speciﬁc to least speciﬁc.

2. If the ACL manager does not ﬁnd a match in the user entries, it checks all of the

following group entries:

• group_obj

• group_obj_delegate

• group

• group_delegate

• foreign_group

• foreign_group_delegate

If any group ACL entries match the principal’s project list, and the logical OR of

permissions from these entries grants access, then access is granted and no further

checking is performed.

Because principals accrue permissions from all groups listed in the ACL of which

they are a member (and for which they are in the project list), all the groups are

checked and all the principal’s group permissions are logically ORed. The order

28 − 12 Tandem Computers Incorporated 124243