PROTECTION/ACLS -- Details about Access Control Lists (ACLs) 83/08/03
ACCESS CONTROL LIST
Every object in the system (whether directory or file) has an access control
list (ACL) that defines WHO may access that object, and in WHAT ways. The
ACL is made up of a series of entries that consist of two elements: a subject
identifier and a set of rights. Each entry gives one subject the right to
perform some operations (read, write, delete, etc.) on the object that the ACL
protects. The entries are automatically arranged in order of specificity, most
specific first. That is, entries for individual users appear before entries
that apply to all users.
SUBJECT IDENTIFIERS
The subject identifier (SID) identifies those users to whom the specified set
of rights apply. The SID is in the ppon format:
Person.Project.Organization.Node
for example:
Barb.none.r_d.
PERSON, PROJECT, and ORGANIZATION specify names that are in the associated
network registry files. The NODE identifier is a hexadecimal node id number.
You may use the wildcard character % in any of the "ppon" fields.
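The matching rules above, worked through in code. This is an added example,
not part of this help file or of the DOMAIN system's own code; the entry text
syntax "person.project.org.node:rights", the treatment of % and the
first-match rule used to resolve a subject's rights are assumptions made for
the example.

```python
# Added example (not from this help file): a small model of how ACL entries are
# matched against a subject.  The text syntax "person.project.org.node:rights"
# and the first-match rule below are assumptions made for the example.
from dataclasses import dataclass

WILDCARD = "%"


@dataclass(frozen=True)
class Entry:
    sid: tuple          # (person, project, organization, node); "%" matches anything
    rights: frozenset   # lowercase right letters, e.g. frozenset("pgndwrx")


def parse_entry(text):
    """Parse 'barb.none.r_d.%:pgndwrx' into an Entry (constructed syntax)."""
    sid_part, _, rights_part = text.partition(":")
    fields = tuple(sid_part.lower().split("."))
    if len(fields) != 4:
        raise ValueError(f"SID needs four ppon fields: {sid_part!r}")
    return Entry(fields, frozenset(rights_part.lower()))


def specificity(entry):
    """Non-wildcard field count: 4 for one user on one node, 0 for %.%.%.%."""
    return sum(1 for f in entry.sid if f != WILDCARD)


def matches(entry, subject):
    """Each field matches if it is the wildcard or equals the subject's field."""
    return all(p == WILDCARD or p == s for p, s in zip(entry.sid, subject))


def order_entries(entries):
    """Most specific first: an entry for one person precedes one for all users."""
    return sorted(entries, key=lambda e: (-specificity(e), e.sid))


def effective_rights(entries, subject):
    """Assumed first-match rule: the first matching entry, in specificity order,
    decides; a subject that no entry matches gets no rights at all."""
    subject = tuple(f.lower() for f in subject)
    for entry in order_entries(entries):
        if matches(entry, subject):
            return entry.rights
    return frozenset()


def allowed(entries, subject, right):
    return right.lower() in effective_rights(entries, subject)


# Constructed sample ACL for a file; node ids are hexadecimal as in the help text.
SAMPLE_ACL = [parse_entry(t) for t in (
    "barb.none.r_d.%:pgndwrx",   # the owner, from any node
    "joe.none.r_d.%:",           # joe is explicitly denied (no rights at all)
    "%.backup.%.%:r",            # project BACKUP may read
    "%.%.r_d.1a2f:rx",           # anyone in org r_d, but only from node 1a2f
    "%.%.%.%:",                  # everybody else: nothing
)]

if __name__ == "__main__":
    for subj in (("barb", "none", "r_d", "0042"), ("joe", "none", "r_d", "1a2f"),
                 ("ann", "none", "r_d", "1a2f"), ("ann", "none", "r_d", "0042"),
                 ("ops", "backup", "mfg", "00ff")):
        got = "".join(sorted(effective_rights(SAMPLE_ACL, subj))) or "(none)"
        print(".".join(subj), "->", got)
```

The point to notice is the joe entry: because an entry with three named
fields sorts ahead of the %.%.r_d.1a2f entry, joe gets nothing even from node
1a2f, whereas ann, whom no individual entry names, gets RX from that node and
nothing from any other.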
ACCESS RIGHTS
You may assign the following access rights to the types of objects indicated:
Any objects:
p protect rights; allow rights to be changed
g grant rights; allow creation of new entries with a subset of
creator's rights
n change node list rights; allows CD, CN commands
Files:
d delete rights; allows file to be deleted
w write rights; allows file to be written
r read rights; allows file to be read
x execute rights
Directories:
d delete rights; allows directory to be deleted
c change rights; allows names to be changed, and links
to be deleted
a append rights; allows files and subdirectories to be
added to directory
l link rights; allows links to be added to directory
r read rights; allows directory to be listed
SPECIFYING ACCESS RIGHTS
You may specify access rights individually or in groups. Table 1, below,
defines individual access rights. Table 2 defines the abbreviations you may
use to specify commonly assigned rights in groups.
Table 1.
Access Rights for Files and Directories
 ______________________________________________________________________________
|              |              |                   |                            |
| Access Right | Abbreviation | Meaning for       | Meaning for                |
|              |              | Directories       | Files                      |
|==============|==============|===================|============================|
|              |              |                                                |
| Protect      | P            | Change the object's ACL.                       |
|______________|______________|________________________________________________|
|              |              |                                                |
| Grant        | G            | Grant any subset of your rights                |
|              |              | to other users                                 |
|______________|______________|________________________________________________|
|              |              |                                                |
| Node         | N            | Change the nodes from which                    |
|              |              | users may access the object                    |
|______________|______________|________________________________________________|
|              |              |                   |                            |
| Delete       | D            | Delete            | Delete the file            |
|              |              | the directory     |                            |
|______________|______________|___________________|____________________________|
|              |              |                   |                            |
| Read         | R            | List entries      | Read file contents         |
|______________|______________|___________________|____________________________|
|              |              |                   |                            |
| Write        | W            |                   | Write to the file          |
|______________|______________|___________________|____________________________|
|              |              |                   |                            |
| Execute      | X            |                   | Execute object file        |
|______________|______________|___________________|____________________________|
|              |              |                   |                            |
| Change       | C            | Change names and  |                            |
|              |              | delete links      |                            |
|______________|______________|___________________|____________________________|
|              |              |                   |                            |
| Links        | L            | Add links         |                            |
|______________|______________|___________________|____________________________|
|              |              |                   |                            |
| Add          | A            | Add files and     |                            |
|              |              | subdirectories    |                            |
|______________|______________|___________________|____________________________|
NOTE: To delete a tree you need directory delete rights, directory change
rights (if the directory contains links) and file delete rights
(if the directory contains files).
Table 2.
Abbreviations for Commonly Assigned Rights
 ____________________________________________________________________
|              |                       |               |             |
| Term         | Meaning               | Directories   | Files       |
|==============|=======================|===============|=============|
|              |                       |               |             |
| -OWNER       | All rights            | PGNDCALR      | PGNDWRX     |
|______________|_______________________|_______________|_____________|
|              |                       |               |             |
| -USER        | All rights except     | DCALR         | DWRX        |
|              | ability to change ACL |               |             |
|______________|_______________________|_______________|_____________|
|              |                       |               |             |
| -READ        | File read access      | not allowed   | R           |
|______________|_______________________|_______________|_____________|
|              |                       |               |             |
| -EXEC        | File read access      | not allowed   | RX          |
|              | Execute access to     |               |             |
|              | object files          |               |             |
|______________|_______________________|_______________|_____________|
|              |                       |               |             |
| -LDIR        | List directories      | R             | not allowed |
|______________|_______________________|_______________|_____________|
|              |                       |               |             |
| -ADIR        | List directories and  | ALR           | not allowed |
|              | add entries           |               |             |
|______________|_______________________|_______________|_____________|
|              |                       |               |             |
| -NONE        | Grants no rights.     | none          | none        |
|              | (Use to deny access.) |               |             |
|______________|_______________________|_______________|_____________|
Note:
EDACL will not allow an operation that would restrict everyone from changing
an ACL. At least one user must have the right to change the ACL (P).
You need N (change node) rights to change an object's node list, or to grant
other users N rights.
The -CDN and -CN commands require N (change node) rights. When a user
without N rights adds an entry to an ACL, that entry will always receive
the default node ID (%), even if the user specifies a different node ID.
By convention, users with the project name BACKUP may create backup copies of
files and directories on magnetic tape. Users with the project name BACKUP
need read (R) access to files and directories. EDACL issues a warning
when you change an ACL in a way that denies BACKUP access. However, EDACL
does execute the command. Ignore the warning only if the object(s) do not
require backup copies. If the object(s) do require backup copies, edit the
ACL again and grant project BACKUP read access.
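The rules in this note, modelled in code. This is an added example, not EDACL
itself and not code from the DOMAIN system; entries are (SID, rights) tuples,
the Table 2 abbreviations are used to expand rights, and the function names and
the editor_rights argument (the rights the person editing the ACL holds on the
object) are assumptions made for the example.

```python
# Added example (not EDACL itself): a model of three rules the help text states
# for editing an ACL.  Entries are (sid, rights) tuples; the function names and
# the editor_rights argument are mine.
WILDCARD = "%"
BACKUP_PROJECT = "backup"

# Table 2 abbreviations; combinations the table marks "not allowed" are absent.
FILE_TERMS = {"-OWNER": "pgndwrx", "-USER": "dwrx", "-READ": "r",
              "-EXEC": "rx", "-NONE": ""}
DIR_TERMS = {"-OWNER": "pgndcalr", "-USER": "dcalr", "-LDIR": "r",
             "-ADIR": "alr", "-NONE": ""}


class AclEditError(Exception):
    """An edit that the rules refuse."""


def expand_rights(spec, kind):
    """Turn '-USER' or 'rx' into a set of right letters for a 'file' or 'directory'."""
    terms = FILE_TERMS if kind == "file" else DIR_TERMS
    if spec.startswith("-"):
        if spec.upper() not in terms:
            raise AclEditError(f"{spec} is not allowed for a {kind}")
        return set(terms[spec.upper()])
    return set(spec.lower())


def add_entry(acl, editor_rights, sid, spec, kind="file"):
    """Return a new ACL with one entry added.  P lets the editor grant anything;
    G only a subset of the editor's own rights; without N the node id is forced
    to the default % whatever the editor typed."""
    editor = set(editor_rights.lower())
    rights = expand_rights(spec, kind)
    if "p" not in editor and not ("g" in editor and rights <= editor):
        raise AclEditError("need P, or G plus a subset of your own rights")
    person, project, org, node = sid.lower().split(".")
    if "n" not in editor:
        node = WILDCARD
    return acl + [(".".join((person, project, org, node)), "".join(sorted(rights)))]


def remove_entry(acl, editor_rights, sid):
    """Return a new ACL without `sid`; refused if no entry would keep P afterwards."""
    if "p" not in editor_rights.lower():
        raise AclEditError("need P rights to remove an entry")
    new = [(s, r) for s, r in acl if s != sid.lower()]
    if not any("p" in r for _, r in new):
        raise AclEditError("at least one entry must keep P (protect) rights")
    return new


def backup_warning(acl):
    """Text of the warning if no entry can give project BACKUP read access, else
    None.  Like EDACL, a caller should show it but still apply the edit."""
    for sid, rights in acl:
        if sid.split(".")[1] in (BACKUP_PROJECT, WILDCARD) and "r" in rights:
            return None
    return "warning: no entry grants project BACKUP read (R) access"


def refused(fn, *args, **kwargs):
    """True if the edit raises AclEditError (used below and in tests)."""
    try:
        fn(*args, **kwargs)
    except AclEditError:
        return True
    return False


# Constructed sample: one owner entry and the conventional BACKUP read entry.
SAMPLE_ACL = [("barb.none.r_d.%", "pgndwrx"), ("%.backup.%.%", "r")]

if __name__ == "__main__":
    print(add_entry(SAMPLE_ACL, "gdwrx", "joe.none.r_d.1a2f", "r"))           # node -> %
    print(refused(add_entry, SAMPLE_ACL, "gdwrx", "joe.none.r_d.%", "-OWNER"))  # True
    print(refused(remove_entry, SAMPLE_ACL, "pgndwrx", "barb.none.r_d.%"))     # True
    print(backup_warning(remove_entry(SAMPLE_ACL, "pgndwrx", "%.backup.%.%")))
```

Note that backup_warning only checks whether some entry could give project
BACKUP read access; with the ACL's own matching rules a more specific entry
could still deny it, so it is a conservative warning, as in the help text,
rather than a proof of access.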
Objects that are part of protected subsystems indicate this when their ACLs
are displayed.
ACLS AND DIRECTORIES
In addition to its own ACL, each directory contains two additional ACLs
(called "initial ACLs"): one for new files and another for new subdirectories
created within that directory. When you create a new file or directory, or
copy one to a new location in the file hierarchy, the system assigns an ACL
to it by copying the appropriate initial ACL stored in the parent directory.
When the newly created object is a directory, the two initial ACLs from the
parent are replicated in the new subdirectory, unless you specifically
indicate otherwise (see the CPT (COPY_TREE) command). The various options
on the EDACL and ACL commands determine which of these several access control
lists you are editing, copying or displaying.
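The initial-ACL mechanism described above, as an added example. This is not
the DOMAIN file system's own code: the Directory and File classes, the
create_file and create_directory functions and the sample entries are all
constructed for the example, and the keyword arguments of create_directory
stand in for the "unless you specifically indicate otherwise" option.

```python
# Added example (not the DOMAIN file system's own code): a toy directory tree
# showing how a directory's own ACL and its two initial ACLs are used when
# files and subdirectories are created under it.  Names and structure are mine.
import copy
from dataclasses import dataclass, field


@dataclass
class File:
    acl: list


@dataclass
class Directory:
    acl: list                   # the directory's own ACL
    initial_file_acl: list      # copied onto every new file created here
    initial_dir_acl: list       # copied onto every new subdirectory created here
    children: dict = field(default_factory=dict)


def create_file(parent, name):
    """A new file's ACL is a copy of the parent's initial file ACL."""
    f = File(acl=copy.deepcopy(parent.initial_file_acl))
    parent.children[name] = f
    return f


def create_directory(parent, name, initial_file_acl=None, initial_dir_acl=None):
    """A new subdirectory's own ACL is a copy of the parent's initial directory
    ACL, and it receives copies of both of the parent's initial ACLs unless the
    caller supplies its own (the help text's "unless you specifically indicate
    otherwise")."""
    d = Directory(
        acl=copy.deepcopy(parent.initial_dir_acl),
        initial_file_acl=copy.deepcopy(
            parent.initial_file_acl if initial_file_acl is None else initial_file_acl),
        initial_dir_acl=copy.deepcopy(
            parent.initial_dir_acl if initial_dir_acl is None else initial_dir_acl),
    )
    parent.children[name] = d
    return d


def build_sample_tree():
    """Constructed sample: an owner plus the conventional BACKUP read entry."""
    owner_dir = ("barb.none.r_d.%", "pgndcalr")
    owner_file = ("barb.none.r_d.%", "pgndwrx")
    backup = ("%.backup.%.%", "r")
    root = Directory(acl=[owner_dir], initial_file_acl=[owner_file, backup],
                     initial_dir_acl=[owner_dir, backup])
    notes = create_file(root, "notes")          # gets [owner_file, backup]
    src = create_directory(root, "src")         # gets root's initial ACLs
    # Changing root's initial file ACL afterwards does not reach existing objects,
    # because each assignment copied the list rather than sharing it.
    root.initial_file_acl.append(("%.%.r_d.%", "r"))
    later = create_file(root, "later")          # three entries
    in_src = create_file(src, "main")           # still two: src kept its copy
    private = create_directory(root, "private", initial_file_acl=[owner_file])
    secret = create_file(private, "secret")     # owner only, no BACKUP entry
    return {"root": root, "notes": notes, "src": src, "later": later,
            "in_src": in_src, "private": private, "secret": secret}


if __name__ == "__main__":
    for name, obj in build_sample_tree().items():
        print(name, obj.acl)
```

The practical consequence the tree shows is that an initial ACL is a template
applied at creation time only: tightening a directory's initial ACL later
protects new objects but leaves everything already created, including the
initial ACLs already copied into existing subdirectories, exactly as it was.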
RELATED TOPICS
More information is available. Type:
- HELP PROTECTION SIDS
for more information on SIDs.
- HELP PROTECTION RIGHTS
for more information on access rights.
- HELP ACLS
for more information on the commands that manipulate ACLs.
- HELP PROTECTED_SUBSYSTEMS
for more information on the commands that maintain protected subsystems.
- HELP PROTECTION PROTECTED_SUBSYSTEMS
for a detailed description of protected subsystems.