OSF DCE Application Development Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series

561

562

563

564

565

566

567

568

569

570

OSF DCE Application Development Guide—Core Components

2. The matching entry among the user entries speciﬁes the permissions abcdefg.

Applying mask_obj (bcde) yields the permission set bcde. Applying the

unauthenticated mask (ab) to the permission set bcde yields the effective

permission set b.

Since the principal ugob requests a permission (b) that is a member of the effective

permissions set, this principal’s request is granted.

A case that illustrates how access is determined for otherwise undifferentiated members

of a speciﬁed foreign cell is that of the principal /.../cellb/lolad, who requests permission

e. Assume that the privilege attributes of this principal are certiﬁed:

1. The principal is foreign, so the user_obj check cannot be a match.

2. There are no foreign_user entries.

3. There are no foreign_group entries.

4. The principal lolad is a member of cellb, meaning that the privilege attributes

match those in the foreign_other entry for cellb. The permissions speciﬁed by the

foreign_other entry for cellb (abc) as masked by mask_obj (bcde) yields the

effective permission set bc.

The permission requested (e) is not a member of the effective permission set (bc), so the

request is denied.

24.1.6.3 Example 3

Following is the ACL for an object to which one principal, silviob seeks access.

unauthenticated:a

user:jeand:abcde

user:denisf:-

group:projectx:abcd

foreign_other:/.../cella:-

foreign_other:/.../cellc:abc

any_other:ab

Note: The user entry for denisf and the foreign_other entry for cella both

specify an empty permission set with the notation - (dash), meaning that

identities corresponding to these entries are explicitly denied all

permissions. Also, the numbered lists in the discussions that follow

correspond to stages 1, 2, 3, 4, 5 and 6 of the access-check algorithm

referred to in Section 24.1.5.

The principal silviob requests permission a. Assume that this principal’s privileges

include membership in the group projecty and that they are not certiﬁed:

1. There is no user_obj entry, so this check can yield no permissions.

2. There is no user entry for this principal, so this check yields no permissions.

24−10 Tandem Computers Incorporated 124245