 acl(1m)                  Open Software Foundation                   acl(1m)




 NAME
      acl - A dcecp object that manages DCE access control lists

 SYNOPSIS
      acl check acl_name_list [-entry] [-type manager_type_name]

      acl delete acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-local]

      acl help [operation | -verbose]

      acl modify acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-cell new_cell_name]
      {-add acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -change acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -remove acl_entry_list_without_permissions [-uuid] |
      -purge}
      [-local]

      acl operations

      acl permissions acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-local]

      acl replace acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      -acl acl_entry_list [-cell new_default_cellname]
      [-local]

      acl show acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-cell | -managers] [-local]


 ARGUMENTS
      acl_name_list
                A list of one or more objects whose ACLs are to be acted on.
                You can identify objects by using the object's fully
                qualified names, for example, /.:/hosts/gumby.

                You can also use a list of string bindings with residual
                names appended. The residual name indicates whether the
                object is a principal, group, or organization by supplying
                its principal, group, or organization name. There are four
                possible formats you can use to specify a string binding.

                In string syntax, you can use


                {uuid@prot_seq:net_addr residual_name}




 Hewlett-Packard Company            - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96

                Another allowable string syntax is

                {uuid@prot_seq:net_addr[endpoint] residual_name}

                In Tcl syntax, you can use

                {uuid prot_seq net_addr residual_name}

                Another allowable Tcl syntax is

                {uuid prot_seq net_addr endpoint residual_name}


      operation The name of the acl operation for which to display help
                information.


 DESCRIPTION
      The acl object represents an access control list (ACL), which may
      exist on any object such as a server, name service entry, container
      (directory), or file.

      ACLs consist of ACL entries.  ACL entries are visible only as members
      of ACLs.  There is no object that represents ACL entries, only the acl
      object representing an entire ACL.  Most of the acl operations deal
      directly with the ACL.  See DATA STRUCTURES for a description of the
      syntax of ACLs and ACL entries.  An ACL has one attribute, called
      cell, that represents the default cell of the ACL.

      In most cases, the name of an object also specifies the name of the
      associated ACL to manipulate.  However, some objects have more than
      one ACL, and some names can refer to more than one object.  These
      ambiguities are resolved by using various options on the command line.

      An object can have more than one ACL.  For example, container
      objects, such as Cell Directory Service (CDS) directories and
      directories in the registry, have three ACLs: one ACL controls access
      to the container object itself, a second ACL specifies the default ACL
      on new objects added to the container (the Initial Object ACL), and a
      third ACL specifies the default ACL on new containers added to the
      container (the Initial Container ACL).  By default, the acl commands
      operate on the ACL of the container object.  Use the -ic option to
      operate on the Initial Container ACL.  Use the -io option to operate
      on the Initial Object ACL. Simple objects (those that are not
      container objects) do not have Initial Container or Initial Object
      ACLs.

      Some servers that have ACLs also store their network location
      information in a server entry in CDS.  The server entry has the same
      name as the server itself and may also have an attached ACL.  Use the
      -entry option to operate on the server entry ACL in CDS rather than
      the server's ACL.

      All dced objects have ACLs.  When the dced on the local machine is in
      partial service mode, you must use the -local option to access dced
      object ACLs.  To access dced object ACLs, specify only the residual
      portion of the object name to the acl command.  For example, use
      hostdata, not /.:/hosts/gumby/config/hostdata.

      Some DCE objects have more than one purpose.  For instance, a registry
      object can represent a principal and it can also act as a directory (a
      container).  An example is a principal name that identifies another
      cell (for instance, /.../comp.com) with which you want to establish
      authenticated operation.  In this case, the cell maintains a principal
      name /.:/comp.com.  The registry object for this principal name is as
      follows:

      /.:/sec/principal/comp.com


      Assume the cell also has a hierarchical (subordinate) cell named
      /.../comp.com/test_cell.  The cell maintains another principal name
      /.:/comp.com/test_cell.  The registry object for this principal name
      is as follows:

      /.:/sec/principal/comp.com/test_cell


      Consequently, the registry object /.:/sec/principal/comp.com also acts
      as a directory because it contains the hierarchical cell name
      /.:/sec/principal/comp.com/test_cell.  The ACL Manager that operates
      on registry objects differs from the ACL Manager that operates on
      registry directories.  For instance, the latter ACL Manager has an i
      (insert) permission bit that controls who can add new objects to the
      directory.  Consequently, most acl commands provide a -type option
      that lets you specify the appropriate ACL Manager when operating on
      registry objects that are also directories.  You can list the ACL
      Managers available for registry objects by using the acl show
      -managers command.

 DATA STRUCTURES
    ACL Entry Syntax
      An ACL entry has the following syntax:

      type[:key]:permissions


      where:


      type      Identifies the role of the ACL entry.




      key       Identifies the specific principal or group to whom the entry
                applies.  For an entry type of extended, key contains the
                ACL data.

      permissions
                The ACL permissions.


      The syntax of an ACL entry is a list of two or three elements.  The
      first element is the type, the optional second element is the key, and
      the last element is the set of permission bits.  The permission bits
      are represented by a single character if the permission is granted and
      by a - (dash) if it is not.  An ACL is a list of ACL entries.  An
      example of an ACL is as follows:

      {unauthenticated -r-----}
      {user_obj crwx---}
      {user britten crwx---}
      {user mahler -rwx---}
      {foreign_user /.../C=US/O=OSF/OU=dce/pro/bach crwxidt}
      {group_obj -rwx---}
      {group dds -rwx---}
      {any_other -r-----}
      {extended c417faf8-8340-11c9-ace3-08001e5559bb.a.b.c.a1.4.0a0b0c0d -rwx---}


      On output the above syntax is used, with one addition.  If masking
      produces ineffective bits in an ACL entry, the entry has two
      additional elements.  The first is the identifier effective, and the
      second is the set of effective permissions.  These elements are added
      only for those ACL entries that have ineffective bits, as seen in the
      following example:

      {mask_obj -r-----}
      {user_obj crwx---}
      {user britten crwx--- effective -r-----}


      On input, do not include the identifier effective or the effective
      permissions.  You can enter permissions in any order, omitting the -
      (dash) for permissions not granted.  For example, the above ACL could
      be entered as:

      {mask_obj r}
      {user_obj crwx}
      {user britten wcrx}


    Defined ACL Entry Types
      user_obj  Permissions for the object's real or effective owner.




      group_obj Permissions for the object's real or effective owning group.

      other_obj Permissions for others authenticated in the local cell who
                are not otherwise named by a more specific entry type.

      user      Permissions for a specific authenticated principal user in
                the ACL's cell.  This type of ACL entry must include a key
                that identifies the specific principal.

      group     Permissions for a specific group in the ACL's cell. This
                type of ACL entry must include a key that identifies the
                specific group.

      foreign_user
                Permissions for a specific, authenticated user in a foreign
                cell.  This type of ACL entry must include a key that
                identifies the specific principal and the principal's cell.

      foreign_group
                Permissions for a specific group in a foreign cell.  This
                type of ACL entry must include a key that identifies the
                specific group and the group's cell.

      foreign_other
                Permissions for all authenticated principals in a specific
                foreign cell, unless those principals are specifically named
                in an ACL entry of type foreign_user or are members in a
                group named in an entry of type foreign_group. This type of
                ACL entry must include a key that identifies the specific
                foreign cell.

      any_other Permissions for all authenticated principals unless those
                principals match a more specific entry in the ACL.

      mask_obj  Permissions for the object mask that is applied to all entry
                types except user_obj, other_obj, and unauthenticated.

      unauthenticated
                Maximum permissions applied when the accessor does not pass
                authentication procedures.  This entry is used for
                principals that have failed authentication due to bad keys,
                principals who are entirely outside of any authentication
                cell, and principals who choose not to use authenticated
                access. Permissions granted to an unauthenticated principal
                are masked with this entry, if it exists.  If this entry
                does not exist, access to unauthenticated principals is
                always denied.

      extended  A special entry that allows client applications running at
                earlier DCE versions to copy ACLs to and from ACL Managers
                running at the current DCE version without losing any data.



                The extended entry allows the application running at the
                lower version to obtain a printable form of the ACL. The
                extended ACL entry has the following form:

                extended:uuid.ndr.ndr.ndr.ndr.number_of_bytes.data

                where:


                uuid      Identifies the type of extended ACL entry. (This UUID
                          can identify one of the ACL entry types described
                          here or an as-yet-undefined ACL entry type.)

                ndr       Up to four network data representation (NDR)
                          format labels (in hexadecimal format and separated
                          by periods) that identify the encoding of data.

                number_of_bytes
                          A decimal number that specifies the total number
                          of bytes in data.

                data      The ACL data in hexadecimal form.  (Each byte of
                          ACL data is two hexadecimal digits.) The ACL data
                          includes all of the ACL entry specifications
                          except the permissions (described later) that are
                          entered separately.  The data is not interpreted;
                          it is assumed that the ACL Manager to which the
                          data is being passed can understand that data.


      user_obj_delegate
                Delegated permissions for the object's real or effective
                owner.

      group_obj_delegate
                Delegated permissions for the object's real or effective
                group.

      other_obj_delegate
                Delegated permissions for others in the local cell who are
                not otherwise named by a more specific entry type.

      user_delegate
                Delegated permissions for a specific principal user in the
                ACL's cell.  This type of ACL entry must include a key that
                identifies the specific principal.

      group_delegate
                Delegated permissions for a specific group in the ACL's
                cell. This type of ACL entry must include a key that
                identifies the specific group.



      foreign_user_delegate
                Delegated permissions for a specific, authenticated user in
                a foreign cell.  This type of ACL entry must include a key
                that identifies the specific principal and the principal's
                cell.

      foreign_group_delegate
                Delegated permissions for a specific, authenticated group in
                a foreign cell.  This type of ACL entry must include a key
                that identifies the specific group and the group's cell.

      foreign_other_delegate
                Delegated permissions for all authenticated principals in a
                specific foreign cell, unless those principals are
                specifically named in an ACL entry of type foreign_user or
                foreign_user_delegate or are members in a group named in an
                entry of type foreign_group or foreign_group_delegate.  This
                type of ACL entry must include a key that identifies the
                specific foreign cell.

      any_other_delegate
                Delegated permissions for all authenticated principals
                unless those principals match a more specific entry in the
                ACL.


    Key
      The key identifier (principal, group name, or cell) specifies the
      principal or group to which the ACL entry applies.  For entries of
      entry type extended, key is the data passed from one ACL Manager to
      another.  In some cases, such as when a registry object no longer
      exists but an ACL entry still contains a reference to that object, key
      can be represented by a UUID.  A key is required for the following
      types of ACL entries:


      user      Requires a principal name only.

      group     Requires a group name only.

      foreign_user
                Requires a fully qualified cell name in addition to the
                principal name.

      foreign_group
                Requires a fully qualified cell name in addition to the
                group name.

      foreign_other
                Requires a fully qualified cell name.




      foreign_user_delegate
                Requires a fully qualified cell name, the principal name,
                and a key that identifies the principal and the principal's
                cell.

      foreign_group_delegate
                Requires a fully qualified cell name, the group name, and a
                key that identifies the group and the group's cell.


    Permissions
      The permissions argument specifies the set of permissions that defines
      the access rights conferred by the entry.  Since each ACL Manager
      defines the permission tokens and meanings appropriate for the objects
      it controls, the actual tokens and their meanings vary.  For example,
      the Distributed File Service (DFS), the Directory Service, and the
      Security Service each implement a separate ACL Manager, and each can
      use a different set of tokens and permissions.  Use the permissions
      operation to display the currently available tokens and their
      meanings.  See the documentation for the DCE component you are using
      to obtain a more detailed description of its specific permissions.

 ATTRIBUTES
      cell default_cellname
                Represents the default cell of the ACL.  Manipulation of
                this attribute is possible only through the modify and show
                operations.


      See the OSF DCE Administration Guide for more information about ACL
      attributes.

 OPERATIONS
    acl check
      Returns the permissions granted by the ACL to the principal entering
      the command.  The syntax is as follows:

      acl check acl_name_list [-entry] [-type manager_type_name]


      Options

      -entry    Specifies that the command is to operate on the ACL of the
                namespace entry of the named object.

      -type manager_type_name
                Specifies that the command uses a particular ACL Manager.
                This option is needed only for objects that have more than
                one purpose, such as for principal names that also act as
                directories.




      The check operation returns the permissions granted in the specified
      object's ACL to the principal that invoked the command.  The argument
      is a list of names of objects whose ACLs are to be operated on.  If
      you specify no options, the permissions from the ACL for the object
      named by the operation are returned.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl check {006f859c-ed3d-1d57-a383-0000c0239a70@ncacn_ip_tcp:130.105.5.45 \
      > principal/aaa}
      rwdtcia
      dcecp>

      dcecp> acl check /.:/hosts
      rwdtcia
      dcecp>


    acl delete
      Deletes all ACL entries from the object, except the user_obj entry, if
      it exists.  The syntax is as follows:

      acl delete acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-local]


      Options

      -ic       Specifies that the command is to operate on the Initial
                Container ACL of the named object.

      -io       Specifies that the command is to operate on the Initial
                Object ACL of the named object.

      -entry    Specifies that the command is to operate on the ACL of the
                namespace entry of the object.

      -type manager_type_name
                Specifies that the command uses a particular ACL Manager.
                This option is needed only for objects that have more than
                one purpose, such as for principal names that also act as
                directories.



      -local    Specifies that the command is to operate on the ACL of a
                dced object while the dced on the local machine is in
                partial service mode.


      The delete operation removes all ACL entries from the object, except
      the user_obj entry, if it exists.  Note that if you use delete on an
      object whose ACL does not contain a user_obj ACL entry (either because
      the object's ACL Managers do not support user_obj entries or because
      the ACL is empty), the command displays a "bad syntax" error.

      The argument is a list of names of objects whose ACLs are to be
      operated on.  This operation returns an empty string on success.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl delete {/.:/hosts/oddball/gumby /.:/pokey}
      dcecp>


    acl help
      Returns help information about the acl object and its operations.  The
      syntax is as follows:

      acl help [operation | -verbose]


      Options


      -verbose  Displays information about the acl object.


      Used without an argument or option, the acl help command returns brief
      information about each acl operation. The optional operation argument
      is the name of an operation about which you want detailed information.
      Alternatively, you can use the -verbose option for more detailed
      information about the acl object itself.

      Privileges Required

      No special privileges are needed to use the acl help command.




      Examples

      dcecp> acl help
      check               Returns ACL permissions of invoker.
      delete              Deletes all ACL entries except 'user_obj' if it exists.
      modify              Adds, removes, or changes ACL entries and attributes.
      permissions         Returns permissions associated with an object.
      replace             Replaces entire ACL with new ACL entries and attributes.
      show                Returns ACL entries or attributes on an object.
      help                Prints a summary of command-line options.
      operations          Returns a list of the valid operations for this command.
      dcecp>


    acl modify
      Changes attributes and entries of ACLs.  The syntax is as follows:

      acl modify acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-cell new_cell_name]
      {-add acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -change acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -remove acl_entry_list_without_permissions [-uuid] |
      -purge}
      [-local]


      Options


      -cell new_cell_name
                Changes the value of the cell attribute by specifying the
                new default cell.  It must be one value, not a list. The
                -cell option is always applied before the other options.
                Note that changing the default cell of an ACL that has user
                or group ACL entries, or their delegate counterparts, can be
                dangerous.  The principal and groups mentioned in these ACL
                entries must be in the default cell. If the default cell
                changes, these ACL entries must change as well.

      -add acl_entry_list_with_permissions
                Adds the ACL entries to the ACL.  The value of this option
                is a list of ACL entries with permissions filled in.  You
                can use the -mask option to force or prevent mask
                recalculation.

      -change acl_entry_list_with_permissions
                Changes existing ACL entries in the ACL.  The value of this
                option is a list of ACL entries with permissions filled in.
                The permissions are the new permissions placed on the
                specified ACL entries.  The ACL entries must exist in the
                ACL or an error occurs.  You can use the -mask option to
                force or prevent mask recalculation.

      -remove acl_entry_list_without_permissions
                Removes existing ACL entries from the ACL.  The value of
                this option is a list of ACL entries with no permissions.
                The ACL entries must exist in the ACL or an error occurs.

      -purge    Purges all masked permissions (before any other
                modifications are made), in all ACL entries except user_obj,
                other_obj, mask_obj, user_obj_delegate, other_obj_delegate,
                and unauthenticated if they exist.  This option is useful
                only for ACLs that contain an entry of type mask_obj.

      -uuid     Indicates that the entries in the
                acl_entry_list_without_permissions argument are UUIDs rather
                than names.

      -mask {calc | nocalc}
                If a modify operation causes a mask recalculation that
                unintentionally adds permissions to an existing ACL entry,
                the modify operation ceases with an error unless you specify
                the -mask option with a value of either calc or nocalc, or a
                unique abbreviation of one of these values.

                Specifying calc creates or modifies the object's mask_obj
                type entry with permissions equal to the union of all
                entries other than type user_obj, other_obj, mask_obj, and
                unauthenticated.  This creation or modification is done
                after all other modifications to the ACL are performed.  The
                new mask is set even if it grants permissions previously
                masked out.  It is recommended that you use this option only
                if not specifying it results in an error.  If you specify
                the calc option for an ACL Manager that does not support the
                mask_obj entry type, an error is returned.

                Specifying nocalc means that a new mask should not be
                calculated.

                The -mask option can be used only if the -add or -change
                option is also used and only if the object's ACL Managers
                support the mask_obj ACL type. In addition, you cannot use
                the -mask option if you specify a mask_obj ACL entry in the
                command (by using the -add or -change options).

      -ic       Specifies that the operation act on the Initial Container
                ACL of the named object.

      -io       Specifies that the operation act on the Initial Object ACL
                of the named object.




      -entry    Specifies that the operation act on the ACL of the namespace
                entry of the named object.

      -local    Specifies that the operation act on the ACL of a dced object
                while the dced on the local machine is in partial service
                mode.

      -type manager_type_name
                Specifies that the command uses a particular ACL Manager.
                This option is needed only for objects that have more than
                one purpose, such as for principal names that also act as
                directories.


      The modify operation changes one or more individual ACL entries.  The
      argument is a list of names of ACLs to be modified.  They are
      processed in the order they are entered.  The specific operation to
      perform is described by using options.

      The -uuid option can be used to remove ACL entries associated with
      orphaned UUIDs.  An orphaned UUID refers to an object such as a
      principal or group that has been deleted from the registry, but still
      has an ACL entry on an object.

      Multiple actions can be specified on the command line; they are
      processed in a fixed order to guarantee proper processing of the ACLs.
      See [POSIX.6] for a description of this processing order. Either all
      the changes specified in the operation are made or none are. This
      operation returns an empty string on success.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl modify /.:/hosts -add {user mahler rwcia}
      dcecp>

      dcecp> acl modify /.:/hosts -change {user mahler rwdtcia}
      dcecp>

      dcecp> acl modify /.:/hosts -add {group dce rwdtcia} -remove {user mahler}
      dcecp>

      dcecp> acl modify /.:/hosts -remove {user 0c8a15fc-761e-11d0-a176-08000985b5a6} -uuid
      dcecp>
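
      The masking rules from DATA STRUCTURES and the -mask option above, as
      an added Python model (not dcecp code and not part of the original
      manual): it parses ACL entries, reproduces the effective column, and
      reports which existing entries gain permissions when the mask is
      recalculated.  The token order crwxidt is assumed from the sample ACL,
      and the default-mode recalculation is modelled as the same union that
      -mask calc uses.

```python
import re

ORDER = "crwxidt"  # assumed token order, taken from the page's sample ACL
# Types the mask never limits and that -mask calc leaves out of the union
# (per the page); mask_obj is listed so it is not masked by itself.
EXEMPT = {"user_obj", "other_obj", "unauthenticated", "mask_obj"}
MASK = ("mask_obj", None)
SAMPLE = "{mask_obj r} {user_obj crwx} {user britten wcrx}"  # input form from the page


class MaskError(Exception):
    """Recalculating the mask would widen an existing entry."""


def parse_acl(text):
    """Return {(type, key): set_of_tokens}; accepts input and output forms."""
    acl = {}
    for body in re.findall(r"\{([^{}]*)\}", text):
        fields = body.split()
        if len(fields) >= 4 and fields[-2] == "effective":
            fields = fields[:-2]            # output-only suffix, not part of the entry
        if len(fields) not in (2, 3):
            raise ValueError(f"malformed ACL entry: {{{body}}}")
        granted = set(fields[-1]) - {"-"}   # any order, dashes optional
        if granted - set(ORDER):
            raise ValueError(f"unknown permission token in {{{body}}}")
        acl[(fields[0], fields[1] if len(fields) == 3 else None)] = granted
    return acl


def fmt(perms):
    """Positional form: the token if granted, '-' if not."""
    return "".join(t if t in perms else "-" for t in ORDER)


def effective(acl, etype, key):
    """Permissions left after mask_obj is applied to one entry."""
    perms = acl[(etype, key)]
    if MASK not in acl or etype in EXEMPT:
        return perms
    return perms & acl[MASK]


def show(acl):
    """Render entries, adding 'effective' only where masking removes bits."""
    lines = []
    for (etype, key), perms in acl.items():
        parts = [etype] + ([key] if key else []) + [fmt(perms)]
        eff = effective(acl, etype, key)
        if eff != perms:
            parts += ["effective", fmt(eff)]
        lines.append("{" + " ".join(parts) + "}")
    return lines


def calc_mask(acl):
    """Union of all entries except user_obj, other_obj, mask_obj, unauthenticated."""
    mask = set()
    for (etype, _), perms in acl.items():
        if etype not in EXEMPT:
            mask |= perms
    return mask


def modify_add(acl, new_entries, mask=None):
    """Model 'acl modify -add new_entries [-mask calc|nocalc]'.

    Returns (new_acl, gained); gained maps each existing entry to the
    effective permissions it picks up from the recalculated mask.
    """
    after = dict(acl)
    after.update(parse_acl(new_entries))
    if mask == "nocalc" or (mask is None and MASK not in acl):
        return after, {}                    # mask left exactly as it was
    after[MASK] = calc_mask(after)
    gained = {}
    for etype, key in acl:
        extra = effective(after, etype, key) - effective(acl, etype, key)
        if extra and etype != "mask_obj":
            gained[(etype, key)] = fmt(extra)
    if gained and mask is None:
        raise MaskError(f"mask recalculation widens existing entries: {gained}")
    return after, gained


if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("\n".join(show(acl)))
    for mode in (None, "nocalc", "calc"):
        try:
            new_acl, gained = modify_add(acl, "{user mahler rwx}", mask=mode)
            print(mode, show(new_acl), gained)
        except MaskError as err:
            print(mode, "refused:", err)
```

      Reviewing the gained map before choosing -mask calc shows exactly
      which previously masked permissions become effective.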



    acl operations
      Returns a list of the operations supported by the acl object. The
      syntax is as follows:

      acl operations


      The list of available operations is in alphabetical order except for
      help and operations, which are listed last.

      Privileges Required

      No special privileges are needed to use the acl operations command.

      Examples

      dcecp> acl operations
      check delete modify permissions replace show help operations
      dcecp>


    acl permissions
      Returns a list describing the permissions associated with an object.
      The syntax is as follows:

      acl permissions acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-local]


      Options

      -ic       Specifies that the command is to operate on the Initial
                Container ACL of the named object.

      -io       Specifies that the command is to operate on the Initial
                Object ACL of the named object.

      -entry    Specifies that the command is to operate on the ACL of the
                namespace entry of the named object.

      -type manager_type_name
                Specifies that the command uses a particular ACL Manager.
                This option is needed only for objects that have more than
                one purpose, such as for principal names that also act as
                directories.

      -local    Specifies that the command is to operate on the ACL of a
                dced object while the dced on the local machine is in
                partial service mode.




      The permissions operation returns a list of the permissions associated
      with an object. For each permission, the operation shows the
      permission token and a description of the permission. The
      manager_type_name argument is a list of names of ACL Manager types
      whose permissions are to be returned.  If more than one name is
      entered, the output is concatenated and a blank line is inserted
      between manager types.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl permissions /.:/hosts
      {r {read entry attributes}}
      {w {update entry attributes}}
      {d {delete entry}}
      {t {test attribute values}}
      {c {change ACL}}
      {i {create new directory entries}}
      {a {administer directory replication}}
      dcecp>


    acl replace
      Replaces the entire ACL on the object specified by the argument with
      the supplied value. The syntax is as follows:

      acl replace acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      -acl acl_entry_list [-cell new_default_cellname]
      [-local]


      Options

      -ic       Specifies that the operation act on the Initial Container
                ACL of the named object.

      -io       Specifies that the operation act on the Initial Object ACL
                of the named object.

      -entry    Specifies that the operation act on the ACL of the namespace
                entry of the named object.

      -type manager_type_name
                Specifies that the command use a particular ACL Manager.
                This option is needed only for objects that have more than
                one purpose, such as for principal names that also act as
                directories.

      -acl acl_entry_list
                Specifies ACL entries and their new values.

      -cell new_default_cellname
                Specifies a new default cell for all of the ACLs named in
                acl_entry_list. The -cell option is always applied before
                the other options.

      -local    Specifies that the operation act on the ACL of a dced object
                while the dced on the local machine is in partial service
                mode.


      The replace operation replaces the entire ACL on the object specified
      by the argument with the supplied value. The argument is a list of
      names of ACLs to be operated on.  The syntax of the value of the -acl
      option is a list of ACL entries.  The -cell option specifies the new
      default cell of the ACL.  Its value is the name of one cell only (it
      is not a list).  This operation returns an empty string on success.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl replace /.:/hosts -acl {group dce rwdtcia}
      dcecp>


    acl show
      Returns a list of the ACL entries for the specified object. The syntax
      is as follows:

      acl show acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-cell | -managers] [-local]

      Options

      -ic       Specifies that the command is to operate on the Initial
                Container ACL of the named object.

      -io       Specifies that the command is to operate on the Initial
                Object ACL of the named object.

      -entry    Specifies that the command is to operate on the ACL of the
                namespace entry of the named object.

      -type manager_type_name
                Specifies that the command uses a particular ACL Manager.
                This option is needed only for objects that have more than
                one purpose, such as for principal names that also act as
                directories.

      -cell     Returns the default cell name for the ACL.

      -managers Returns a list of ACL Managers available for the named ACL.

      -local    Specifies that the command is to operate on the ACL of a
                dced object while the dced on the local machine is in
                partial service mode.


      The show operation returns a list of the ACL entries for the specified
      object.  The argument is a list of names of objects whose ACLs are to
      be operated on. If more than one name is given, the output is
      concatenated and a blank line inserted between objects.  If they
      exist, the mask_obj and unauthenticated ACL entries are displayed
      first.

      Note that since UUIDs and not names are stored in ACLs, dcecp may not
      be able to determine the name associated with an ACL entry. In this
      case, the UUID is returned as the key instead of the name.  dcecp may
      be unable to determine the name associated with an ACL entry if the
      default cell stored in the ACL is incorrect, or if the users and
      groups specified in the user and group entries are not registered in
      the default cell.

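      If a UUID is shown in place of a user or group name, you can recover
      by adopting the orphaned UUID. To do this, create a new user or group
      using the UUID found in the ACL.  The name of the new user or group is
      then available.  Because the ACL stores the UUID, the new user or
      group receives the permissions already granted to that entry.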

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.



      Examples

      dcecp> acl show /.:/hosts
      {unauthenticated r--t---}
      {user cell_admin rwdtcia}
      {user hosts/absolut/cds-server rwdtcia}
      {user hosts/absolut/self rwdtcia}
      {user root rwdtcia}
      {group subsys/dce/cds-admin rwdtcia}
      {group subsys/dce/cds-server rwdtcia}
      {any_other r--t---}
      dcecp>
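
      The following Python is an added example, not part of the original
      man page or of DCE. It parses acl show output to flag entries whose
      key is still a raw UUID and broad entries (unauthenticated, any_other)
      that hold tokens which change the object, and it lists what an acl
      replace would remove, since replace overwrites the entire ACL. The
      function names, the MUTATING token set and the sample ACL are
      assumptions made for the example.

```python
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ENTRY_RE = re.compile(r"\{([^{}]+)\}")
BROAD_TYPES = {"unauthenticated", "any_other"}  # no specific identity required
# Assumption: tokens that change the object or its ACL, taken from the
# /.:/hosts permissions listing. Other ACL Managers define other tokens.
MUTATING = set("wdcia")

def parse_acl(text):
    """Turn `acl show` output into (type, key, perms); key is None if absent."""
    entries = []
    for body in ENTRY_RE.findall(text):
        fields = body.split()
        if len(fields) == 2:
            entries.append((fields[0], None, fields[1]))
        elif len(fields) == 3:
            entries.append(tuple(fields))
        else:
            raise ValueError(f"unrecognised ACL entry: {body!r}")
    return entries

def audit(entries):
    """Flag keys shown as raw UUIDs and broad entries holding mutating tokens."""
    findings = []
    for etype, key, perms in entries:
        granted = set(perms) - {"-"}
        if key and UUID_RE.match(key):
            findings.append(("unresolved-uuid", etype, key))
        if etype in BROAD_TYPES and granted & MUTATING:
            risky = "".join(sorted(granted & MUTATING))
            findings.append(("broad-write", etype, risky))
    return findings

def dropped_by_replace(current, replacement):
    """(type, key) pairs in `current` that `acl replace` would remove."""
    keep = {(t, k) for t, k, _ in replacement}
    return [(t, k) for t, k, _ in current if (t, k) not in keep]

# Constructed sample modelled on the /.:/hosts listing; the UUID-keyed entry
# and the w token on any_other are constructed for the demonstration.
SAMPLE = """\
{unauthenticated r--t---}
{user cell_admin rwdtcia}
{user 0c8a15fc-761e-11d0-a176-08000985b5a6 rwcia}
{group subsys/dce/cds-admin rwdtcia}
{any_other rw-t---}
"""

if __name__ == "__main__":
    current = parse_acl(SAMPLE)
    print(audit(current))
    print(dropped_by_replace(current, parse_acl("{group dce rwdtcia}")))
```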


 RELATED INFORMATION
      Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m),
      dcecp_organization(1m), dcecp_principal(1m), dcecp_registry(1m),
      dcecp_xattrschema(1m).

