PROTECTION/ACLS -- Details about Access Control Lists (ACLs) 85/03/19
ACCESS CONTROL LIST
Every object in the system (whether directory or file) has an access control
list (ACL) that defines WHO may access that object, and in WHAT ways. The ACL
is made up of a series of entries, each consisting of two elements: a subject
identifier and a set of rights. Each entry gives one subject the right to
perform some operations (read, write, delete, etc.) on the object that the ACL
protects. The entries are automatically arranged in order of specificity, most
specific first. That is, the entries for individuals appear before the entries
for all users.
SUBJECT IDENTIFIERS
The subject identifier (SID) identifies those users to whom the specified set
of rights apply. The SID is in the ppon format, i.e.:
Person.Project.Organization.Node
for example:
Barb.none.r_d.
PERSON, PROJECT, and ORGANIZATION specify names that are in the associated
network registry files. The NODE identifier is a hexadecimal node id number.
You may use the wildcard % in any one of the "ppon" fields.
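The following is an added example, not part of this help text: a small Python model of ppon SIDs, the % wildcard, and the ordering of ACL entries by specificity. It assumes (the text does not say so outright) that the first matching entry in that order is the one that applies, and the sample ACL is constructed.

```python
# Added example, not part of the DOMAIN help text: a small model of ppon SIDs,
# % wildcards, and the ordering of ACL entries by specificity. Assumes, as the
# ordering implies, that the first (most specific) matching entry decides.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    sid: str     # ppon form, e.g. "barb.none.r_d.%"; % is the wildcard
    rights: str  # rights letters, e.g. "pgndwrx"

def parse_sid(text):
    """Split Person.Project.Organization.Node into a 4-tuple (case-insensitive)."""
    parts = text.lower().split(".")
    if len(parts) != 4:
        raise ValueError(f"SID needs four ppon fields: {text!r}")
    return tuple(parts)

def sid_matches(pattern, user):
    """True if every field of pattern equals the user's field or is %."""
    return all(p == "%" or p == u
               for p, u in zip(parse_sid(pattern), parse_sid(user)))

def specificity(sid):
    """Count of non-wildcard fields: 4 = one person on one node, 0 = everyone."""
    return sum(f != "%" for f in parse_sid(sid))

def order_entries(entries):
    """Most specific first, as the text describes (individuals before %.%.%.%).
    sorted() is stable, so equally specific entries keep their given order."""
    return sorted(entries, key=lambda e: -specificity(e.sid))

def effective_rights(entries, user):
    """Rights of the first entry covering user in specificity order; '' if none."""
    for e in order_entries(entries):
        if sid_matches(e.sid, user):
            return e.rights
    return ""

# Constructed sample ACL: one individual, project BACKUP everywhere, then everyone.
SAMPLE_ACL = [
    Entry("%.%.%.%", "r"),
    Entry("barb.none.r_d.%", "pgndwrx"),
    Entry("%.backup.%.%", "r"),
]
```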
By convention, users with the project name BACKUP may create backup copies of
files and directories on magnetic tape, and therefore need read (R) access to
those files and directories. EDACL issues a warning when you change an ACL in
a way that denies BACKUP access; it still executes the command. Ignore the
warning only if the object(s) do not require backup copies. If they do, edit
the ACL again and grant project BACKUP read access.
ACCESS RIGHTS
You may assign the following access rights to the types of objects indicated:
Any objects:
p protect rights; allow rights to be changed
g grant rights; allow creation of new entries with a subset of
creator's rights
n change node list rights; allows CD, CN commands
Files:
d delete rights; allows file to be deleted
w write rights; allows file to be written
r read rights; allows file to be read
x execute rights
Directories:
d delete rights; allows directory to be deleted
c change rights; allows names to be changed, and links
to be deleted
a append rights; allows files and subdirectories to be
added to directory
l link rights; allows links to be added to directory
r read rights; allows directory to be listed
s search rights; allows directory to be searched for
subordinate objects (for DOMAIN/IX)
e expunge rights; allows subordinate objects to be
deleted provided delete rights are also available
for the subordinate object (for DOMAIN/IX)
SPECIFYING ACCESS RIGHTS
You may specify access rights individually or in groups. Table 1, below,
defines individual access rights. Table 2 defines the abbreviations you may
use to specify commonly assigned rights in groups.
Table 1.
Access Rights for Files and Directories
___________________________________________________________________________
| | | | |
| Access Right | Abbreviation | Meaning for | Meaning for |
| | | Directories | Files |
|==============|==============|===================|=========================|
| | | |
| Protect | P | Change the object's ACL. |
|______________|______________|_____________________________________________|
| | | |
| Grant | G | Grant any subset of your rights |
| | | to other users |
|______________|______________|_____________________________________________|
| | | |
| Node | N | Change the nodes from which |
| | | users may access the object |
|______________|______________|_____________________________________________|
| | | | |
| Delete | D | Delete | Delete the file |
| | | the directory | |
|______________|______________|___________________|_________________________|
| | | | |
| Read | R | List entries | Read file contents |
|______________|______________|___________________|_________________________|
| | | | |
| Write | W | | Write to the file |
|______________|______________|___________________|_________________________|
| | | | |
| Execute | X | | Execute object file |
|______________|______________|___________________|_________________________|
| | | | |
| Change | C | Change names and | |
| | | delete links | |
|______________|______________|___________________|_________________________|
| | | | |
| Links | L | Add links | |
|______________|______________|___________________|_________________________|
| | | | |
| Add | A | Add files and | |
| | | subdirectories | |
|______________|______________|___________________|_________________________|
| | | | |
| Search | S | Allow directory | |
| (DOMAIN/IX) | | to be searched | |
| | | for subordinate | |
| | | objects | |
|______________|______________|___________________|_________________________|
| | | | |
| Expunge | E | Allow subordinate| |
| (DOMAIN/IX) | | object(s) to be | |
| | | deleted (assumes | |
| | | 'D' rights on | |
| | | the objects) | |
|______________|______________|___________________|_________________________|
NOTE: To delete a tree you need directory delete rights, directory change
rights (if the directory contains links) and file delete rights
(if the directory contains files).
Table 2.
Abbreviations for Commonly Assigned Rights
____________________________________________________________________
| | | | |
| Term | Meaning | Directories | Files |
|==============|=======================|===============|=============|
| | | | |
| -OWNER | All rights | PGNDCALRSE | PGNDWRX |
|______________|_______________________|_______________|_____________|
| | | | |
| -USER | All rights except | DCALRSE | DWRX |
| | ability to change ACL | | |
|______________|_______________________|_______________|_____________|
| | | | |
| -READ | File read access | not allowed | R |
|______________|_______________________|_______________|_____________|
| | | | |
| -EXEC | File read access | not allowed | RX |
| | Execute access to | | |
| | object files | | |
|______________|_______________________|_______________|_____________|
| | | | |
| -LDIR | List directories | RSE | not allowed |
|______________|_______________________|_______________|_____________|
| | | | |
| -ADIR | List directories and | ALRSE | not allowed |
| | add entries | | |
|______________|_______________________|_______________|_____________|
| | | | |
| -NONE | Grant no rights for | SE or None | None |
| | DOMAIN operation. | | |
| | DOMAIN/IX access is | | |
| | still allowed unless | | |
| | -UNIX was present on | | |
| | the command line, in | | |
| | which case all | | |
| | directory rights are | | |
| | revoked. | | |
|______________|_______________________|_______________|_____________|
NOTES
EDACL will not allow an operation that would restrict everyone from changing
an ACL. At least one user must have the right to change the ACL (P).
You need N (change node) rights to change an object's node list, or to grant
other users N rights.
The -CDN and -CN commands require N (change node) rights. When a user without
N rights adds an entry to an ACL, that entry will always receive the default
node ID (%), even if the user specifies a different node ID.
Objects that are part of protected subsystems indicate this when their ACLs
are displayed.
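The following is an added example, not EDACL itself: a Python check that applies the rules stated in the BACKUP paragraph, Table 2 and the NOTES above (abbreviation expansion, rights letters valid per object type, the default node % for editors without N, the refusal to leave no P holder, and the BACKUP warning). The -UNIX behaviour of -NONE is simplified to a comment, and the sample ACL values are constructed.

```python
# Added example, not EDACL itself: expand the Table 2 abbreviations, reject
# rights letters that do not apply to the object type, force the default node %
# for editors without N, and apply the two EDACL checks from the NOTES section.
FILE_RIGHTS = set("pgndwrx")
DIR_RIGHTS = set("pgndcalrse")
ABBREV = {  # Table 2: (directory rights, file rights); None = not allowed
    "-OWNER": ("pgndcalrse", "pgndwrx"),
    "-USER": ("dcalrse", "dwrx"),
    "-READ": (None, "r"),
    "-EXEC": (None, "rx"),
    "-LDIR": ("rse", None),
    "-ADIR": ("alrse", None),
    "-NONE": ("se", ""),  # directory keeps SE (DOMAIN/IX) unless -UNIX is used
}

def expand_rights(spec, kind):
    """Rights letters for spec ('-OWNER' or letters) on kind 'file' or 'dir'."""
    assert kind in ("file", "dir")
    if spec.upper() in ABBREV:
        rights = ABBREV[spec.upper()][0 if kind == "dir" else 1]
        if rights is None:
            raise ValueError(f"{spec} is not allowed on a {kind}")
        return rights
    rights = spec.lower()
    bad = set(rights) - (DIR_RIGHTS if kind == "dir" else FILE_RIGHTS)
    if bad:
        raise ValueError(f"{''.join(sorted(bad))} not valid for a {kind}")
    return rights

def add_entry(acl, sid, spec, kind, editor_rights):
    """New ACL (list of (sid, rights)) with an entry added by an editor holding editor_rights."""
    person, project, org, node = sid.lower().split(".")
    if "n" not in editor_rights:
        node = "%"  # without N rights the entry always gets the default node ID
    return acl + [(f"{person}.{project}.{org}.{node}", expand_rights(spec, kind))]

def check_acl(acl):
    """(errors, warnings): no P holder is refused; BACKUP without R only warns."""
    errors, warnings = [], []
    if not any("p" in rights for _, rights in acl):
        errors.append("no entry keeps P; EDACL will not leave an ACL nobody can change")
    if not any(sid.split(".")[1] in ("backup", "%") and "r" in rights
               for sid, rights in acl):
        warnings.append("project BACKUP has no R access; object cannot be backed up")
    return errors, warnings
```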
ACLS AND DIRECTORIES
In addition to its own ACL, each directory contains two additional ACLs
(called "initial ACLs"): one for new files and another for new subdirectories
created within that directory. When you create a new file or directory, or
copy one to a new location in the file hierarchy, the system assigns an ACL to
it by copying the appropriate initial ACL stored in the parent directory.
When the newly created object is a directory, the two initial ACLs from the
parent are replicated in the new subdirectory, unless you specifically
indicate otherwise (see the CPT (COPY_TREE) command). The various options on
the EDACL and ACL commands determine which of these several access control
lists you are editing, copying or displaying.
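The following is an added example, not DOMAIN/OS code: a Python model of the three ACLs a directory carries and how new files and subdirectories receive theirs by copying. The CPT options that suppress replication are not modelled, and the sample rights values are constructed from Table 2.

```python
# Added example, not DOMAIN/OS code: a directory carries its own ACL plus an
# initial-file ACL and an initial-directory ACL. Creating an object copies the
# matching initial ACL; a new subdirectory also gets both initial ACLs replicated.
from dataclasses import dataclass, field

@dataclass
class File:
    acl: list

@dataclass
class Directory:
    acl: list
    initial_file_acl: list
    initial_dir_acl: list
    children: dict = field(default_factory=dict)

    def create_file(self, name):
        """New file: ACL is a copy of this directory's initial-file ACL."""
        self.children[name] = File(list(self.initial_file_acl))
        return self.children[name]

    def create_dir(self, name):
        """New subdirectory: its own ACL copies initial_dir_acl, and both initial
        ACLs are replicated so its future children inherit the same way."""
        self.children[name] = Directory(list(self.initial_dir_acl),
                                        list(self.initial_file_acl),
                                        list(self.initial_dir_acl))
        return self.children[name]

    def path_acls(self, path):
        """ACLs met along a slash-separated path such as 'src/a.c' (KeyError if absent)."""
        node, out = self, [self.acl]
        for part in path.split("/"):
            node = node.children[part]
            out.append(node.acl)
        return out

# Constructed sample: rights follow Table 2 (-OWNER on a directory = PGNDCALRSE,
# -OWNER on a file = PGNDWRX, -READ file = R, -LDIR directory = RSE).
ROOT = Directory(acl=[("barb.none.r_d.%", "pgndcalrse")],
                 initial_file_acl=[("barb.none.r_d.%", "pgndwrx"), ("%.%.%.%", "r")],
                 initial_dir_acl=[("barb.none.r_d.%", "pgndcalrse"), ("%.%.%.%", "rse")])
```

Because each ACL is copied at creation time, editing a parent's initial ACL later changes only objects created afterwards, which is why a tree must be re-edited with EDACL rather than fixed at the top.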
RELATED TOPICS
More information is available. Type:
- HELP PROTECTION SIDS
for more information on SIDs.
- HELP PROTECTION RIGHTS
for more information on access rights.
- HELP ACLS
for more information on the commands that manipulate ACLs.
- HELP PROTECTED_SUBSYSTEMS
for more information on the commands that maintain protected subsystems.
- HELP PROTECTION PROTECTED_SUBSYSTEMS
for a detailed description of protected subsystems.