OSF DCE Application Development Guide--Core Components

24.1.4 ACL Entries
DCE authorization defines two basic kinds of ACL entries:
Those that associate a specified privilege attribute with a permission set; these are privilege attribute entries.
Those that specify a permission set that masks a permission set specified in a privilege attribute entry; these are mask entries.
The following subsections describe the two kinds of ACL entries in detail.
24.1.4.1 Privilege Attribute Entry Types
The privilege attributes of a principal are based on identity and include the principal's name, its group membership(s), and native cell. Note that not all ACL manager types implement all privilege attribute entry types. For example, the ACL manager type of a database object probably would not support the user_obj and group_obj entry types.
Note: The term local cell means the cell specified in the ACL header; this is not necessarily the cell in which the protected object resides.
The descriptions of the ACL entry types that specify privilege attributes are as follows:
user_obj
The user_obj entry establishes the permissions for the object's "user" (in the established UNIX sense). An ACL may contain only one entry of this type. The identity of the principal to which this ACL entry refers is assumed to be local and is specified somewhere other than in this entry. In the case of a file, for example, the identity is attached to the file's inode.
user
The user entry establishes the permissions for the local principal named in this entry. An ACL may contain a number of entries of this type, but each entry must be unique with respect to the principal it specifies.
foreign_user
The foreign_user entry establishes the permissions for the foreign principal named in this entry. An ACL may contain a number of entries of this type, but each entry must be unique with respect to the foreign principal it specifies. This entry type is exactly like the user entry type, except that this entry explicitly names a cell. (For the entry type user, the principal inherits the cell specified by the default cell identifier in the ACL header.)
group_obj
The group_obj entry establishes the permissions for the object's "group" (in the established UNIX sense). An ACL may contain only one entry of this type. As is the case with the user_obj entry, the identity of the group is assumed to be local and is specified elsewhere than in the group_obj entry itself.
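A small Python model of the four privilege attribute entry types described above, added here as an illustration; it is not DCE's own sec_acl API. The Principal, Entry and Acl classes, the permission letters and the cell names are constructed, and the model encodes only what this subsection states: the uniqueness rules, that a user entry inherits the header's default cell while a foreign_user entry names its cell explicitly, and that the user_obj and group_obj identities are kept outside the ACL.

```python
from dataclasses import dataclass, field
# Hypothetical model of the privilege-attribute entry types described above (not DCE's
# sec_acl API); mask entries belong to the next subsection and are not modelled.
@dataclass(frozen=True)
class Principal:
    name: str
    cell: str                       # the principal's native cell
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Entry:
    kind: str                       # user_obj | user | foreign_user | group_obj
    perms: str                      # permission letters, e.g. "rw" (constructed)
    name: str = ""                  # principal name, for user / foreign_user only
    cell: str = ""                  # only foreign_user names its cell explicitly

@dataclass
class Acl:
    default_cell: str               # cell identifier in the ACL header (the "local cell")
    owner: Principal                # user_obj identity, stored outside the ACL (e.g. the inode)
    owner_group: str                # group_obj identity, also stored outside the ACL
    entries: list = field(default_factory=list)

    def _key(self, e: Entry) -> tuple:
        """Identity an entry is unique on; a user entry inherits the header cell."""
        if e.kind in ("user_obj", "group_obj"):
            return (e.kind,)
        if e.kind in ("user", "foreign_user"):
            return ("user", e.name, e.cell if e.kind == "foreign_user" else self.default_cell)
        raise ValueError(f"unknown entry type {e.kind!r}")
    def validate(self) -> None:
        """One user_obj, one group_obj, and no two user entries naming the same principal."""
        seen = set()
        for e in self.entries:
            k = self._key(e)
            if k in seen:
                raise ValueError(f"duplicate ACL entry {k}")
            seen.add(k)
    def _matches(self, e: Entry, p: Principal) -> bool:
        k = self._key(e)
        if k == ("user_obj",):
            return (p.name, p.cell) == (self.owner.name, self.owner.cell)
        if k == ("group_obj",):     # the group is local, so only a local principal can match
            return p.cell == self.default_cell and self.owner_group in p.groups
        return (p.name, p.cell) == k[1:]
    def entries_for(self, p: Principal) -> list:
        """Entries whose privilege attribute names p; how DCE combines them is not modelled."""
        self.validate()
        return [e for e in self.entries if self._matches(e, p)]
```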
244 Tandem Computers Incorporated 124245