OSF DCE Administration Guide--Core Components
41.3 Registry ACL Manager
The registry ACL manager consists of five manager types, which are used to handle
different ACL semantics that are required by the five types of objects in the registry. For
example, the principal ACL manager type controls the ACLs on all principal objects in
the registry. Because group objects require a set of permissions that is different from
that of a principal object, there is a separate group ACL manager type that controls the
ACLs on group objects.
Not every permission or ACL entry type is valid for each ACL manager. Table 41-2
summarizes the valid and invalid permissions and the invalid ACL entry types for each
ACL manager.
TABLE 41-2. ACL managers and Valid Permissions and ACL Entry Types
_____________________________________________________________________
Manager                            Valid          Invalid ACL
Type          Controls             Permissions    Entry Types
_____________________________________________________________________
dir           directory objects    rcidDn         user_obj, group_obj
policy        the policy object    rcma           user_obj, group_obj
principal     principal objects    rcDnfmaug      group_obj
group         group objects        rctDnfmM       user_obj
org           org objects          rctDnfmM       user_obj, group_obj
replist       replica lists        cidmIA         user_obj, group_obj
xattrschema   ERA types            rcidm          user_obj, group_obj
_____________________________________________________________________
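The following Python check is an added example, not part of the original guide or of DCE itself: it transcribes Table 41-2 and reports which proposed registry ACL entries a given manager type would not accept. The entry syntax type[:key]:permissions, the treatment of "-" as an empty placeholder, the function names, and the sample principal name are assumptions.

```python
# Added example: rules transcribed from Table 41-2.
# manager type -> (valid permission letters, invalid ACL entry types)
REGISTRY_ACL_RULES = {
    "dir":         ("rcidDn",    {"user_obj", "group_obj"}),
    "policy":      ("rcma",      {"user_obj", "group_obj"}),
    "principal":   ("rcDnfmaug", {"group_obj"}),
    "group":       ("rctDnfmM",  {"user_obj"}),
    "org":         ("rctDnfmM",  {"user_obj", "group_obj"}),
    "replist":     ("cidmIA",    {"user_obj", "group_obj"}),
    "xattrschema": ("rcidm",     {"user_obj", "group_obj"}),
}


def check_entry(manager, entry):
    """Return the list of Table 41-2 violations for one ACL entry."""
    if manager not in REGISTRY_ACL_RULES:
        return [f"unknown manager type {manager!r}"]
    valid_perms, invalid_types = REGISTRY_ACL_RULES[manager]
    # Assumed entry syntax: type:permissions or type:key:permissions.
    parts = entry.strip().split(":")
    if len(parts) not in (2, 3) or not all(parts):
        return [f"malformed entry {entry!r}"]
    entry_type, perms = parts[0], parts[-1]
    problems = []
    if entry_type in invalid_types:
        problems.append(f"entry type {entry_type} is invalid for {manager}")
    # Permission letters are case-sensitive (d and D differ); '-' is
    # treated as an empty placeholder (assumption).
    bad = sorted({p for p in perms if p != "-" and p not in valid_perms})
    if bad:
        problems.append(f"permissions {''.join(bad)} are invalid for {manager}")
    return problems


def audit(manager, entries):
    """Map each non-conforming entry to its violations."""
    report = {}
    for entry in entries:
        problems = check_entry(manager, entry)
        if problems:
            report[entry] = problems
    return report


if __name__ == "__main__":
    # Constructed sample entries; the principal name is made up.
    sample = ["user_obj:rcDnfmaug", "group_obj:r-----", "user:alice:rcdt"]
    for entry, problems in audit("principal", sample).items():
        print(entry, "->", "; ".join(problems))
```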
41.4 Initial Registry ACLs
When the registry database is created, the principal, group, and org directories and the
policy, replist, and xattrschema objects are given initial ACLs. As new objects are
created in the registry, they inherit their ACLs from the principal, group, and org
directory ACLs. The ACL entry key for those initial ACL entries that require a key is
the name of the principal that creates the registry database (supplied to the
sec_create_db command as the registry creator), or root if no name is supplied. (See
Chapter 38 for more information on sec_create_db and the registry creator.)
The initial ACLs that are created when the registry database is created are described in
the following list. In the list, rgy_creator signifies the principal that is named as the
41 − 18 Tandem Computers Incorporated 124243