OSF DCE Administration Guide--Core Components

Using Access Control Lists
ACL entry grants rwx permissions and the mask_obj entry specifies only r and w
permission, only r and w are granted. The x permission named in the ACL entry is
ignored.
28.2.7.2 The Unauthenticated Mask and ACL Checking
If an ACL manager receives an access request from an unauthenticated principal, it
checks the ACL entries and applies the mask_obj mask, if available, as described
previously. It then filters the resulting permissions through the mask for unauthenticated
principals (entry type of unauthenticated). Only those permissions specified in the
unauthenticated mask, in the ACL entry, and in the mask_obj mask (if it exists) are
granted.
28.2.7.3 The Effect of the Checking Order on Granting Permissions
You can think of the order in which the ACL entries are checked as going from most
specific to least specific. For example, assume an ACL contains the following entries:
{user mahler r}
{group composers rwx}
If the principal named mahler, who is a member of the group composers, requests
execute (x) access, it is denied. This happens because the order of checking specifies
that all user entries (user_obj, user, and foreign_user) are checked before all group
(group_obj, group, and foreign_group) entries. Therefore, the first match found by the
ACL manager is the match between user mahler and the ACL entry for user mahler.
Once a matching user entry is found, checking stops and the found permissions are
applied. In this case, checking stops before the group entry, the entry with the more
liberal permissions.
28.2.8 Denying Access
When you create an ACL entry for a principal or group, you grant only the permissions
you specify in the ACL entry. To deny a principal all access to an object, create an ACL
entry that contains a dash in place of the permissions. For example, to deny all access to
user mozart, the entry would be
{user mozart -}
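The following Python model is an added example and is not code from the OSF DCE guide or the DCE ACL manager. It reproduces the checking order described in 28.2.7.2, 28.2.7.3 and 28.2.8: user entries (user_obj, user, foreign_user) are checked before group entries, the first matching user entry stops the search, mask_obj filters the matched entry, unauthenticated requests are then filtered through the unauthenticated mask, and a dash entry such as {user mozart -} grants nothing. Two points are assumptions not stated on this page and are marked as such in the code: which entry types mask_obj filters (user_obj and other_obj are left unmasked here), and how several matching group entries are combined (their permissions are unioned here). The entry syntax, principal names and group names are the guide's own examples; the owner and owning_group fields used to match user_obj and group_obj are constructed for the model.

```python
# Added example, not from the OSF DCE guide: a small model of the ACL checking
# order described in 28.2.7.2, 28.2.7.3 and 28.2.8. Lines marked ASSUMPTION
# model behaviour the page does not spell out.
from dataclasses import dataclass

USER_TYPES = ("user_obj", "user", "foreign_user")      # checked first, most specific first
GROUP_TYPES = ("group_obj", "group", "foreign_group")  # checked only if no user entry matched
# ASSUMPTION: mask_obj filters every entry type except user_obj and other_obj;
# the page only shows it applied to user and group entries.
MASKED_TYPES = {"user", "foreign_user", "group_obj", "group", "foreign_group"}


@dataclass(frozen=True)
class Entry:
    etype: str        # "user", "group", "mask_obj", "unauthenticated", ...
    key: str          # principal or group name; "" for entry types that carry no name
    perms: frozenset  # an empty set models the "-" deny entry


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    authenticated: bool = True


@dataclass
class Acl:
    entries: list
    owner: str = ""         # constructed: the principal matched by user_obj
    owning_group: str = ""  # constructed: the group matched by group_obj


def parse_entry(text):
    """Parse the guide's brace syntax: '{user mahler r}', '{user mozart -}', '{mask_obj rw}'."""
    parts = text.strip().strip("{}").split()
    etype = parts[0]
    if etype in ("user", "foreign_user", "group", "foreign_group"):
        key, perms = parts[1], parts[2]
    else:
        key, perms = "", parts[1]
    return Entry(etype, key, frozenset() if perms == "-" else frozenset(perms))


def parse_acl(lines, owner="", owning_group=""):
    return Acl([parse_entry(line) for line in lines], owner, owning_group)


def _matches(entry, acl, p):
    if entry.etype == "user_obj":
        return p.name == acl.owner
    if entry.etype in ("user", "foreign_user"):
        return entry.key == p.name
    if entry.etype == "group_obj":
        return acl.owning_group in p.groups
    if entry.etype in ("group", "foreign_group"):
        return entry.key in p.groups
    return False


def effective_perms(acl, p):
    """Permissions the ACL manager would grant p, following the checking order."""
    mask = next((e.perms for e in acl.entries if e.etype == "mask_obj"), None)
    unauth = next((e.perms for e in acl.entries if e.etype == "unauthenticated"), frozenset())

    def masked(e):
        # mask_obj removes permissions the entry names but the mask does not (x in the page's example)
        return e.perms & mask if (mask is not None and e.etype in MASKED_TYPES) else e.perms

    granted = None
    # 1. All user entries are checked before any group entry; the first match ends
    #    the search, which is why {user mahler r} beats {group composers rwx}.
    for etype in USER_TYPES:
        hits = [e for e in acl.entries if e.etype == etype and _matches(e, acl, p)]
        if hits:
            granted = masked(hits[0])
            break
    # 2. Group entries. ASSUMPTION: several matching group entries are unioned;
    #    the page describes only the single-match case.
    if granted is None:
        hits = [e for e in acl.entries if e.etype in GROUP_TYPES and _matches(e, acl, p)]
        if hits:
            granted = frozenset().union(*(masked(e) for e in hits))
    # 3. other_obj catches principals matched by nothing more specific; no entry at all denies.
    if granted is None:
        other = [e for e in acl.entries if e.etype == "other_obj"]
        granted = other[0].perms if other else frozenset()
    # 4. An unauthenticated principal is additionally filtered through the unauthenticated mask.
    if not p.authenticated:
        granted &= unauth
    return granted


def check_access(acl, p, requested):
    """True only if every requested permission survives entry matching and both masks."""
    return set(requested) <= effective_perms(acl, p)


if __name__ == "__main__":
    acl = parse_acl(["{user mahler r}", "{group composers rwx}"])
    mahler = Principal("mahler", frozenset({"composers"}))
    print("mahler x:", check_access(acl, mahler, "x"))   # denied: the user entry is found first
    deny = parse_acl(["{user mozart -}", "{group composers rwx}"])
    print("mozart r:", check_access(deny, Principal("mozart", frozenset({"composers"})), "r"))
```

Running the model on the guide's own entries shows the two points the text makes: mahler's request for x is denied because the user entry {user mahler r} is matched before the more liberal group entry, and a dash entry {user mozart -} denies mozart everything even when a group he belongs to grants rwx, because the user entry stops the search before the group entry is reached. Replacing the user entry with {mask_obj rw} instead reproduces the masking case above, and marking the principal unauthenticated shows the further intersection with the unauthenticated entry.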
If you choose to deny access to a specific principal or group, select the most specific
entry type available. Generally for principals this is an entry type of user or
foreign_user; for groups, it is an entry type of group or foreign_group. Note that, if
124243 Tandem Computers Incorporated 28 15