Manualshelf

OSF DCE Application Development Guide--Introduction and Style Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series
919293949596979899100
OSF DCE Application Development Guide—Introduction and Style Guide
Finally, principals that do not meet any of the above criteria can be authorized as
any_other. The other_obj, any_other, and foreign_other types are distinguished by
cells: other_obj applies to the local cell, foreign_obj applies to specified foreign cells,
any_other applies to any cell.
The user_obj and group_obj types have less straightforward semantics. They refer to a
special principal and group that must be known to the ACL manager ‘‘out of band’’: that
is, they cannot be determined from the ACL entry itself. The semantics of the mask_obj,
which is applied to everything except the user_obj and other_obj entries, are also
complicated. The mask_obj is implemented to permit POSIX ACLs to more or less
maintain UNIX semantics for 000 permissions.
In general, the use of user_obj and group_obj is deprecated: they unnecessarily create a
special user, thus complicating the otherwise straightforward semantics of ACLs.
Unless you are implementing a file system, you probably do not need these types. (The
other_obj type is unobjectionable since it has well defined semantics.) Similarly, the use
of mask_obj is deprecated because of its awkward semantics.
Thus it is recommended that you use only types from the following subset of entry types:
user
group
other_object
foreign_user
foreign_group
foreign_other
any_other
These types allow for the most specific to the most general principals, both for local,
specific foreign cells, and for unspecified foreign cells.
The DCE ACL library ignores user_obj and group_obj, because there is no generic way
to determine the user and group owners of an arbitrary ACL protected object: the
semantics of ownership are application-specific. However, since these types are not
recommended for general use anyway, their absence should not be a serious limitation
for most applications that use the DCE ACL library.
3.4.3 ACL Managers
DCE entities expect to be able to access other DCE entities’ objects’ ACLs through a
standard set of DCE routines, knowing nothing more than the names of the objects. The
names of the objects are in the form of CDS pathnames.
The DCE ACL library is an implementation of the remote ACL (rdacl) interface,
designed in such a way as to allow any DCE application to use it instead of having to
implement the interface itself. In DCE 1.0, applications that wished to use the DCE
ACL functionality had to implement the full remote interface themselves; in DCE 1.1
this is no longer true. Once an application has registered certain information with the
3 22 Tandem Computers Incorporated 124246