OSF DCE Application Development Guide--Core Components
Authorization
from having no mask_obj entry in the ACL. In the first case, the effective permission
set is empty; in the second case, the effective permission set is identical to the
permission set in the privilege attribute entry.
ACL entries for masks consist of two fields in the following form:
entry_type:permissions
Following are descriptions of the fields:
• The entry_type field specifies one of the two masks entry types: mask_obj or
unauthenticated.
• The permissions field specifies the permission set that masks the permission set in
any privilege attribute entry masked by the mask entry.
24.1.4.3 The Extended ACL Entry Type
The ACL entry type extended is a special entry type for ensuring the compatibility of
ACL data created by different software revisions. It enables old application clients to
copy ACLs from one newer revision object store to another without losing data. It also
enables obsolete clients to manipulate ACL data that they understand without corrupting
the extended entries that they do not understand.
24.1.5 Access Checking
Standard DCE ACL manager types use a common access-check algorithm to determine
the permissions they grant to a principal. Access checking is executed in up to six
stages, in the following order:
1. The user_obj entry check
2. The check for a matching user or foreign_user entry
3. The group_obj entry check and the check for matching group or foreign_group
entries
4. The other_obj entry check
5. The check for a matching foreign_other entry
6. The any_other check
If during any stage of access checking an ACL manager type finds a privilege attribute
entry that matches a privilege attribute possessed by a principal, then the manager type
does not execute any subsequent stages, even though the principal may possess other
privilege attributes for which there are other matching entries. See the Security Volume
of the Application Environment Specification/Distributed Computing for descriptions of
the algorithms used at each stage of access checking.
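The following Python model, added here as an illustration and not taken from OSF DCE or from the AES Security Volume, ties together the two points above: the mask entries (a present mask_obj with an empty permission set yields an empty effective set, while an absent mask_obj leaves the entry's permissions intact) and the six-stage access check in which the first stage that finds a matching entry decides the outcome. Everything beyond what the page states is an assumption of the model: the `type:key:permissions` syntax for named entries, which entry types mask_obj applies to (all except user_obj and other_obj, following POSIX-style ACLs), the per-type matching rules in `matches`, the combining of several matching group-type entries in stage 3, and the sample ACL, principal, cell and object names.

```python
"""Model of the six-stage DCE ACL access check and of mask_obj handling.
Added example: not OSF DCE code, not the AES per-stage algorithms."""
from dataclasses import dataclass

# Stage order as listed on the page; stage 3 covers group_obj together
# with group and foreign_group entries.
STAGES = (
    ("user_obj",),
    ("user", "foreign_user"),
    ("group_obj", "group", "foreign_group"),
    ("other_obj",),
    ("foreign_other",),
    ("any_other",),
)
# Assumption: mask_obj applies to every principal entry type except user_obj
# and other_obj (POSIX-style convention; the page does not list the types).
MASKED_TYPES = frozenset({"user", "foreign_user", "group_obj", "group",
                          "foreign_group", "foreign_other", "any_other"})

@dataclass(frozen=True)
class Entry:
    entry_type: str
    key: str            # principal, group or cell name; "" for keyless types
    perms: frozenset    # permission letters, e.g. frozenset("rw")

@dataclass(frozen=True)
class Principal:
    name: str
    cell: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Obj:
    owner: str          # principal denoted by user_obj
    group: str          # group denoted by group_obj
    cell: str           # cell in which the object and its ACL live

def parse_entry(text):
    """Parse 'type:perms' or 'type:key:perms'; '-' denotes no permissions."""
    parts = text.strip().split(":")
    if len(parts) == 2:
        parts.insert(1, "")             # keyless entry type: empty key
    if len(parts) != 3:
        raise ValueError("malformed ACL entry: %r" % text)
    entry_type, key, perms = parts
    return Entry(entry_type, key, frozenset(perms.replace("-", "")))

def parse_acl(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]

def matches(e, p, obj):
    """Model matching rules for each privilege attribute entry type."""
    local = p.cell == obj.cell
    prefix = p.cell + "/"               # foreign_* keys are written cell/name
    rules = {
        "user_obj": local and p.name == obj.owner,
        "user": local and e.key == p.name,
        "foreign_user": not local and e.key == prefix + p.name,
        "group_obj": local and obj.group in p.groups,
        "group": local and e.key in p.groups,
        "foreign_group": not local and any(e.key == prefix + g for g in p.groups),
        "other_obj": local,
        "foreign_other": not local and e.key == p.cell,
        "any_other": True,
    }
    return rules.get(e.entry_type, False)   # mask/extended entries never match

def effective_perms(acl, p, obj):
    """Walk the six stages; the first stage with a match decides the result,
    even when that result is empty."""
    mask = next((e.perms for e in acl if e.entry_type == "mask_obj"), None)

    def masked(e):
        # A present mask_obj entry is ANDed in, even if its set is empty;
        # an absent mask_obj leaves the entry's permissions unchanged.
        if mask is not None and e.entry_type in MASKED_TYPES:
            return e.perms & mask
        return e.perms

    for stage in STAGES:
        hits = [e for e in acl if e.entry_type in stage and matches(e, p, obj)]
        if hits:
            # Stage 3 may match several group-type entries; their masked
            # permissions are combined.  All later stages are skipped.
            return frozenset().union(*(masked(e) for e in hits))
    return frozenset()

# Constructed sample ACL and object; names and cells are placeholders.
SAMPLE_ACL = parse_acl("""
user_obj:rwxc
user:alice:-
group_obj:rw
group:auditors:r
foreign_user:other.example.com/bob:rx
mask_obj:rw
other_obj:r
foreign_other:other.example.com:r
any_other:-
""")
SAMPLE_OBJ = Obj(owner="root", group="staff", cell="cell.example.com")
```

With this ACL, `alice` receives no permissions even though she belongs to the owning group `staff`: her `user:alice:-` entry matches in stage 2, so the group_obj entry in stage 3 is never examined. The foreign principal `bob` is granted only `r`, because his `rx` entry is masked by `mask_obj:rw`; the owner `root` keeps `rwxc` because user_obj is not masked.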
124245 Tandem Computers Incorporated 24−7