6.0;edacl (edit_access_control_list), revision 6.0, 86/08/12
EDACL (EDIT_ACCESS_CONTROL_LIST) -- Edit or list an ACL.
usage:
EDACL [ [-C ppon rts] [-CF ppon rts]
[-A ppon rts] [-AF ppon rts] [-AR ppon rts]
[-D ppon] [-DF ppon rts] [-DR ppon rts]
[-CDN node] [-CN ppon node]
[-SETPERS {ppon|0}] [-SETPROG {ppon|0}] [-SETORG {ppon|0}]
[-L] [-Q]
]
[-I|-P]
[-DIR|-FILE|-IF|-ID]
[-UNIX]
[-DYN[AMIC]]
pathname...
FORMAT
EDACL [commands] [options] pathname...
Every directory and file has an associated access control list (ACL) that
lists users and their rights to the object. EDACL edits or displays the ACL
of the object(s) specified. The structure and usage of an ACL are described
in detail in HELP PROTECTION ACLS.
ARGUMENTS
pathname
(required) Specify the object whose ACL you wish to edit or display.
Multiple pathnames and wildcarding are permitted.
commands
(optional) Specify the action(s) described below. If you do not
specify a command, EDACL enters an interactive editing
mode.
Default if omitted: read commands from standard input; do
not precede commands with a hyphen (-)
in this mode.
COMMANDS
Many of the commands described below take arguments called 'sid' and 'rights'.
These are summarized in the sections preceding the EXAMPLES.
-L List ACL entries.
-A sid rights
Add the specified entry to an ACL. You will receive an
error message if the ACL entry exists.
-AF sid rights
Add force. Add the specified entry to an ACL. You will not
receive an error message if the ACL entry exists.
-AR sid rights
Add the specified rights to an ACL. You will receive an
error message if the entry does not exist.
-C sid rights
Change the access rights in the entry for 'sid' (replaces
current rights). You will receive an error message if the
entry does not exist.
-CF sid rights
Change force. Change the access rights in the entry for
'sid' (replaces current rights). You will not receive an
error message if the entry does not exist.
-D sid Delete the ACL entry for 'sid'. You will receive an error
message if the entry does not exist. If 'sid' is
'%.%.%.%', then EDACL will leave the entry with 'S' and 'E'
rights to maintain DOMAIN/IX compatibility.
-DF sid rights
Delete force. Delete the specified rights from the entry
for 'sid'. You will not receive an error message if the
ACL entry does not exist.
-DR sid rights
Delete the specified rights from the entry for 'sid'. You
will receive an error message if the entry does not exist.
-CDN node Change the default node ID.
-CN sid node Change the node ID entry in 'sid'.
-Q Quit without changing the object's ACL. This command is
useful only when you supply EDACL commands interactively
(see -I). To signal successful completion and update the
ACL, use EOF in standard input (usually <CTRL/Z>).
The following three commands are meaningful primarily for DOMAIN/IX
applications. If the pertinent index is enabled, the process executing the
file assumes the PERSON, PROJECT, and/or ORGANIZATION identity of the file.
(This is the DOMAIN/IX equivalent of AEGIS protected subsystems.) The indexes
may be set for both files and directories, but are meaningful only for files.
-SETPERS {sid|0}
Assign the SET PERSON index to 'sid'.
If you specify '0' (zero) instead of a sid, the SET PERSON
index is deleted.
-SETPROJ {sid|0}
Assign the SET PROJECT index to 'sid'.
If you specify '0' (zero) instead of a sid, the SET PROJECT
index is deleted.
-SETORG {sid|0}
Assign the SET ORGANIZATION index to 'sid'.
If you specify '0' (zero) instead of a sid, the SET
ORGANIZATION index is deleted.
OPTIONS
-DIR Only operate on directories.
-FILE Only operate on files.
-ID Edit the default initial ACL for directories (-DIR
implied).
-IF Edit the default initial ACL for files (-DIR implied).
-UNIX Enable editing of 'S' and 'E' rights for directories. This
is meaningful primarily for DOMAIN/IX applications.
Modification of these rights is disabled by default, unless
this option is specified.
-DYN[AMIC] Create a dynamic ACL for use with DOMAIN/IX applications.
Dynamic ACLs are computed and assigned "on the fly" by
DOMAIN/IX programs; thus, they change from user to user
rather than remaining static, like AEGIS ACLs. Use of this
option precludes the use of any of the editing functions
listed above in the "COMMANDS" section.
The following two options apply only when EDACL reads commands from standard
input:
-P EDACL interprets commands when it receives an EOF (usually
<CTRL/Z>). This is the default when you have redirected
standard input (i.e., instructed the program to read
commands from a Shell program, here document, file, or
pipe).
-I EDACL interprets commands as you enter them. This is the
default when you have not redirected standard input. You
may only specify one pathname (with no wildcards) in this
mode. EDACL changes a copy of the ACL; the command does
not assign a new ACL to an object until it reads an EOF.
Thus, EDACL -I does not change an ACL if you terminate the
session with the "Q" command.
This command uses the command line parser, and so also accepts the standard
command options listed in HELP CL.
SIDS
A complete description of SID syntax and usage is available in
$ HELP PROTECTION SIDS
RIGHTS
A complete description of the various protection rights is available in
$ HELP PROTECTION RIGHTS
EXAMPLES
1. The order of the commands in the following sequence is significant.

$ edacl -L sales                  List ACL for the file 'sales'. The
%.%.%.%      pgndwrx              ppon is all wildcards (%.%.%.%), so
                                  all users have complete rights
$                                 (pgndwrx) to 'sales'.
$ edacl sales -cf dan.% -none     Deny user DAN access to 'sales'.
$ edacl -L sales                  Other users still have all rights.
DAN.%.%.%    -------              Note that the system automatically
%.%.%.%      pgndwrx              places specific entries before
$                                 general ones.
$ edacl sales -a joe -owner       Add user JOE to the ACL for 'sales'
$ edacl -L sales                  with all rights.
joe.%.%.%    pgndwrx
dan.%.%.%    -------
%.%.%.%      pgndwrx
$
$ edacl sales -a %.%.mktg wrx     Allow users in the MKTG organization
$ edacl -L sales                  to change file contents, but do not
joe.%.%.%    pgndwrx              let them assign rights to others (p
dan.%.%.%    -------              and g), change the node ID entry (n),
%.%.mktg.%   ----wrx              or delete the file (d).
%.%.%.%      pgndwrx
$
$ edacl sales -c % r              Change everyone else's access to read
$ edacl -L sales                  only. Note that the more liberal
joe.%.%.%    pgndwrx              rights (wrx) assigned to the MKTG
dan.%.%.%    -------              organization in the previous line
%.%.mktg.%   ----wrx              still apply, since specific entries
%.%.%.%      ----r--              override general ones.
$
2. The following examples illustrate the effect of the -UNIX option.
$ edacl dir
dir
* l
%.%.%.% pgndcalrse
* a jim -none
jim.%.%.% --------se
* a ers -r
ers.%.%.% -------rse
* l
jim.%.%.% --------se
ers.%.%.% -------rse
%.%.%.% pgndcalrse
Now specify -UNIX ...
$ edacl dir -unix
dir
* l
%.%.%.% pgndcalrse
* a jim -none
jim.%.%.% ----------
* a ers -r
ers.%.%.% -------r--
* l
jim.%.%.% ----------
ers.%.%.% -------r--
%.%.%.% pgndcalrse
3. Set the initial file ACL for the directory //test/tmp/dir to be dynamic.
$ edacl //test/tmpdir -if -dyn
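The access decisions that result from example 1, as an added example (a Python model written for this page, not Apollo code): it replays the four edits and resolves the rights a given subject ends up with. It assumes that the most specific matching entry wins, with a named person ranked above project, organization and node; the function names and the subject names used with it are constructed.

```python
# Added model of the ACL behaviour in example 1; not Apollo's implementation.
FILE_RIGHTS = "pgndwrx"  # file rights letters, in the order 'edacl -L' prints

def expand_sid(sid):
    """Pad a short SID with '%' to four fields: 'joe' -> 'joe.%.%.%'."""
    fields = sid.lower().split(".")
    if not 1 <= len(fields) <= 4 or "" in fields:
        raise ValueError("bad sid: " + sid)
    return ".".join(fields + ["%"] * (4 - len(fields)))

def parse_rights(rights):
    """Return the granted letters in order; '-none' -> '', '-owner' -> all."""
    word = rights.lower()
    if word == "-owner":
        return FILE_RIGHTS
    wanted = set() if word == "-none" else set(word.lstrip("-"))
    if not wanted <= set(FILE_RIGHTS):
        raise ValueError("bad rights: " + rights)
    return "".join(c for c in FILE_RIGHTS if c in wanted)

def edit(acl, command, sid, rights):
    """Apply -a, -c or -cf to acl, a dict of expanded sid -> granted letters."""
    if command not in ("-a", "-c", "-cf"):
        raise ValueError("unsupported command: " + command)
    key = expand_sid(sid)
    if command == "-a" and key in acl:
        raise KeyError("entry exists: " + key)
    if command == "-c" and key not in acl:
        raise KeyError("entry does not exist: " + key)
    acl[key] = parse_rights(rights)

def specificity(entry):
    # ASSUMPTION: a named person outranks project, then organization, then node.
    return tuple(field != "%" for field in entry.split("."))

def effective(acl, subject):
    """Granted letters from the most specific entry matching the subject."""
    who = expand_sid(subject).split(".")
    hits = [e for e in acl
            if all(f in ("%", w) for f, w in zip(e.split("."), who))]
    return acl[max(hits, key=specificity)] if hits else ""

def replay_example_1():
    acl = {"%.%.%.%": FILE_RIGHTS}       # starting ACL from the first listing
    edit(acl, "-cf", "dan.%", "-none")   # the four edits, in page order
    edit(acl, "-a", "joe", "-owner")
    edit(acl, "-a", "%.%.mktg", "wrx")
    edit(acl, "-c", "%", "r")
    return acl
```

With the constructed subject dan.proj.mktg.n1, effective(replay_example_1(), ...) returns no rights under the stated assumption: the entry for DAN decides, not the MKTG grant.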
RELATED TOPICS
More information is available. Type:
- HELP PROTECTION ACLS
for a detailed description of ACLS.
- HELP ACLS
for a list of commands used to manipulate ACLS.
- HELP PROTECTION
for a general discussion of DOMAIN protection mechanisms.
- HELP PROTECTION SIDS
for details about subject identifiers (PPON's).
- HELP PROTECTION RIGHTS
for details about the various access rights and what they mean.