acl(1m) acl(1m)
NAME
acl - A dcecp object that manages DCE access control lists
SYNOPSIS
acl check acl_name_list [-entry] [-type manager_type_name]
acl delete acl_name_list [-ic | -io | -entry] [-type manager_type_name] [-local]
acl help [operation | -verbose]
acl modify acl_name_list [-ic | -io | -entry] [-type manager_type_name] [-cell new_cell_name] {-add acl_entry_list_with_permissions [-mask
{calc | nocalc}] | -change acl_entry_list_with_permissions [-mask {calc | nocalc}] | -remove acl_entry_list_without_permissions [-uuid] |
-purge} [-local]
acl operations
acl permissions acl_name_list [-ic | -io | -entry] [-type manager_type_name] [-local]
acl replace acl_name_list [-ic | -io | -entry] [-type manager_type_name] -acl acl_entry_list [-cell new_default_cellname] [-local]
acl show acl_name_list [-ic | -io | -entry] [-type manager_type_name] [-cell | -managers] [-local]
ARGUMENTS
A list of one or more objects whose ACLs are to be acted on. You can identify objects by using the object's fully qualified names, for
example, /.:/hosts/gumby.
You can also use a list of string bindings with residual names appended. The residual name indicates whether the object is a principal,
group, or organization by supplying its principal, group, or organization name. There are four possible formats you can use to specify a
string binding.
In string syntax, you can use
{uuid@prot_seq:net_addr residual_name} Another allowable string syntax is {uuid@prot_seq:net_addr[endpoint] residual_name} In Tcl syntax,
you can use {uuid prot_seq net_addr residual_name} Another allowable Tcl syntax is {uuid prot_seq net_addr endpoint residual_name} The name
of the acl operation for which to display help information.
DESCRIPTION
The acl object represents an access control list (ACL), which may exist on any object such as a server, name service entry, container
(directory), or file.
ACLs consist of ACL entries. ACL entries are visible only as members of ACLs. There is no object that represents ACL entries, only the
acl object representing an entire ACL. Most of the acl operations deal directly with the ACL. See DATA STRUCTURES for a description of
the syntax of ACLs and ACL entries. An ACL has one attribute, called cell, that represents the default cell of the ACL.
In most cases, the name of an object also specifies the name of the associated ACL to manipulate. However, some objects have more than one
ACL, and some names can refer to more than one object. These ambiguities are resolved by using various options on the command line.
An object can have more than one ACL. For example, container objects--such as Cell Directory Service (CDS) directories and directories in
the registry--have three ACLs: one ACL controls access to the container object itself, a second ACL specifies the default ACL on new
objects added to the container (the Initial Object ACL), and a third ACL specifies the default ACL on new containers added to the container
(the Initial Container ACL). By default, the acl commands operate on the ACL of the container object. Use the -ic option to operate on
the Initial Container ACL. Use the -io option to operate on the Initial Object ACL. Simple objects (those that are not container objects)
do not have Initial Container or Initial Object ACLs.
Some servers that have ACLs also store their network location information in a server entry in CDS. The server entry has the same name as
the server itself and may also have an attached ACL. Use the -entry option to operate on the server entry ACL in CDS rather than the
server's ACL.
All dced objects have ACLs. When the dced on the local machine is in partial service mode, you must use the -local option to access dced
object ACLs. To access dced object ACLs, specify only the residual portion of the object name to the acl command. For example, use host-
data, not /.:/hosts/gumby/config/hostdata.
Some DCE objects have more than one purpose. For instance, a registry object can represent a principal and it can also act as a directory
(a container). An example is a principal name that identifies another cell (for instance, /.../comp.com) with which you want to establish
authenticated operation. In this case, the cell maintains a principal name /.:/comp.com. The registry object for this principal name is
as follows: /.:/sec/principal/comp.com
Assume the cell also has a hierarchical (subordinate) cell named /.../comp.com/test_cell. The cell maintains another principal name
/.:/comp.com/test_cell. The registry object for this principal name is as follows: /.:/sec/principal/comp.com/test_cell
Consequently, the registry object /.:/sec/principal/comp.com also acts as a directory because it contains the hierarchical cell name
/.:/sec/principal/comp.com/test_cell. The ACL Manager that operates on registry objects differs from the ACL Manager that operates on reg-
istry directories. For instance, the latter ACL Manager has an i (insert) permission bit that controls who can add new objects to the
directory. Consequently, most acl commands provide a -type option that lets you specify the appropriate ACL Manager when operating on reg-
istry objects that are also directories. You can list the ACL Managers available for registry objects by using the acl show -managers com-
mand.
DATA STRUCTURES
ACL Entry Syntax
An ACL entry has the following syntax: type[:key]:permissions
where: Identifies the role of the ACL entry. Identifies the specific principal or group to whom the entry applies. For an entry type of
extended, key contains the ACL data. The ACL permissions.
The syntax of an ACL entry is a list of two or three elements. The first element is the type, the optional second element is the key, and
the last element is the set of permission bits. The permission bits are represented by a single character if the permission is granted and
by a - (dash) if it is not. An ACL is a list of ACL entries. An example of an ACL is as follows: {unauthenticated -r-----} {user_obj
crwx---} {user britten crwx---} {user mahler -rwx---} {foreign_user /.../C=US/O=OSF/OU=dce/pro/bach crwxidt} {group_obj -rwx---} {group dds
-rwx---} {any_other -r-----} {extended c417faf8-8340-11c9-ace3-08001e5559bb.a.b.c.a1.4.0a0b0c0d -rwx---}
On output the above syntax is used, with one addition. If masking produces ineffective bits in an ACL entry, the entry has two additional
elements. The first is the identifier effective, and the second is the set of effective permissions. These elements are added only for
those ACL entries that have ineffective bits, as seen in the following example: {mask_obj -r-----} {user_obj crwx---} {user britten crwx---
effective -r-----}
On input, do not include the identifier effective or the effective permissions. You can enter permissions in any order, omitting the -
(dash) for permissions not granted. For example, the above ACL could be entered as: {mask_obj r} {user_obj crwx} {user britten wcrx}
Defined ACL Entry Types
Permissions for the object's real or effective owner. Permissions for the object's real or effective owning group. Permissions for others
authenticated in the local cell who are not otherwise named by a more specific entry type. Permissions for a specific authenticated prin-
cipal user in the ACL's cell. This type of ACL entry must include a key that identifies the specific principal. Permissions for a spe-
cific group in the ACL's cell. This type of ACL entry must include a key that identifies the specific group. Permissions for a specific,
authenticated user in a foreign cell. This type of ACL entry must include a key that identifies the specific principal and the principal's
cell. Permissions for a specific group in a foreign cell. This type of ACL entry must include a key that identifies the specific group
and the group's cell. Permissions for all authenticated principals in a specific foreign cell, unless those principals are specifically
named in an ACL entry of type foreign_user or are members in a group named in an entry of type foreign_group. This type of ACL entry must
include a key that identifies the specific foreign cell. Permissions for all authenticated principals unless those principals match a more
specific entry in the ACL. Permissions for the object mask that is applied to all entry types except user_obj, other_obj, and unauthenti-
cated. Maximum permissions applied when the accessor does not pass authentication procedures. This entry is used for principals that have
failed authentication due to bad keys, principals who are entirely outside of any authentication cell, and principals who choose not to use
authenticated access. Permissions granted to an unauthenticated principal are masked with this entry, if it exists. If this entry does
not exist, access to unauthenticated principals is always denied. A special entry that allows client applications running at earlier DCE
versions to copy ACLs to and from ACL Managers running at the current DCE version without losing any data. The extended entry allows the
application running at the lower version to obtain a printable form of the ACL. The extended ACL entry has the following form:
extended:uuid.ndr.ndr.ndr.ndr.number_of_byte.data where: Identifies the type extended ACL entry. (This UUID can identify one of the ACL
entry types described here or an as-yet-undefined ACL entry type.) Up to four network data representation (NDR) format labels (in hexadec-
imal format and separated by periods) that identify the encoding of data. A decimal number that specifies the total number of bytes in
data. The ACL data in hexadecimal form. (Each byte of ACL data is two hexadecimal digits.) The ACL data includes all of the ACL entry
specifications except the permissions (described later) that are entered separately. The data is not interpreted; it is assumed that the
ACL Manager to which the data is being passed can understand that data. Delegated permissions for the object's real or effective owner.
Delegated permissions for the object's real or effective group. Delegated permissions for others in the local cell who are not otherwise
named by a more specific entry type. Delegated permissions for a specific principal user in the ACL's cell. This type of ACL entry must
include a key that identifies the specific principal. Delegated permissions for a specific group in the ACL's cell. This type of ACL
entry must include a key that identifies the specific group. Delegated permissions for a specific, authenticated user in a foreign cell.
This type of ACL entry must include a key that identifies the specific principal and the principal's cell. Delegated permissions for a
specific, authenticated group in a foreign cell. This type of ACL entry must include a key that identifies the specific group and the
group's cell. Delegated permissions for all authenticated principals in a specific foreign cell, unless those principals are specifically
named in an ACL entry of type foreign_user or foreign_user_delegate or are members in a group named in an entry of type foreign_group or
foreign_group_delegate. This type of ACL entry must include a key that identifies the specific foreign cell. Delegated permissions for
all authenticated principals unless those principals match a more specific entry in the ACL.
Key
The key identifier (principal, group name, or cell) specifies the principal or group to which the ACL entry applies. For entries of entry
type extended, key is the data passed from one ACL Manager to another. In some cases, such as when a registry object no longer exists but
an ACL entry still contains a reference to that object, key can be represented by a UUID. A key is required for the following types of ACL
entries: Requires a principal name only. Requires a group name only. Requires a fully qualified cell name in addition to the principal
name. Requires a fully qualified cell name in addition to the group name. Requires a fully qualified cell name. Requires a fully quali-
fied cell name, the principal name, and a key that identifies the principal and the principal's cell. Requires a fully qualified cell
name, the group name, and a key that identifies the group and the group's cell.
Permissions
The permissions argument specifies the set of permissions that defines the access rights conferred by the entry. Since each ACL Manager
defines the permission tokens and meanings appropriate for the objects it controls, the actual tokens and their meanings vary. For example
the Distributed File Service (DFS), the Directory Service, and the Security Service each implement a separate ACL Manager, and each can use
a different set of tokens and permissions. Use the permissions operation to display the currently available tokens and their meanings.
See the documentation for the DCE component you are using to obtain a more detailed description of its specific permissions.
ATTRIBUTES
Represents the default cell of the ACL. Manipulation of this attribute is possible only through the modify and show operations.
See the OSF DCE Administration Guide for more information about ACL attributes.
OPERATIONS
acl check
Returns the permissions granted by the ACL to the principal entering the command. The syntax is as follows: acl check acl_name_list
[-entry] [-type manager_type_name]
Options
Specifies that the command is to operate on the ACL of the namespace entry of the named object. Specifies that the command uses a particu-
lar ACL Manager. This option is needed only for objects that have more than one purpose, such as for principal names that also act as
directories.
The check operation returns the permissions granted in the specified object's ACL to the principal that invoked the command. The argument
is a list of names of object's whose ACLs are to be operated on. If you specify no options, the permissions from the ACL for the object
named by the operation are returned.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use the permissions operation to display the currently available tokens
and their meanings. See the documentation for the DCE component you are using to obtain a more detailed description of its specific per-
missions.
Examples
dcecp> acl check {006f859c-ed3d-1d57-a383-0000c0239a70@ncacn_ip_tcp:130.105.5.45 > principal/aaa} rwdtcia dcecp>
dcecp> acl check /.:/hosts rwdtcia dcecp>
acl delete
Deletes all ACL entries from the object, except the user_obj entry, if it exists. The syntax is as follows: acl delete acl_name_list [-ic
| -io | -entry] [-type manager_type_name] [-local]
Options
Specifies that the command is to operate on the Initial Container ACL of the named object. Specifies that the command is to operate on the
Initial Object ACL of the named object. Specifies that the command is to operate on the ACL of the namespace entry of the object. Speci-
fies that the command uses a particular ACL Manager. This option is needed only for objects that have more than one purpose, such as for
principal names that also act as directories. Specifies that the command is to operate on the ACL of a dced object while the dced on the
local machine is in partial service mode.
The delete operation removes all ACL entries from the object, except the user_obj entry, if it exists. Note that if you use delete on an
object whose ACL does not contain a user_obj ACL entry (either because the object's ACL Managers do not support user_obj entries or because
the ACL is empty), the command displays a "bad syntax" error.
The argument is a list of names of objects whose ACLs are to be operated on. This operation returns an empty string on success.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use the permissions operation to display the currently available tokens
and their meanings. See the documentation for the DCE component you are using to obtain a more detailed description of its specific per-
missions.
Examples
dcecp> acl delete {/.:/hosts/oddball/gumby /.:/pokey} dcecp>
acl help
Returns help information about the acl object and its operations. The syntax is as follows: acl help [operation | -verbose]
Options Displays information about the acl object.
Used without an argument or option, the acl help command returns brief information about each acl operation. The optional operation argu-
ment is the name of an operation about which you want detailed information. Alternatively, you can use the -verbose option for more
detailed information about the acl object itself.
Privileges Required
No special privileges are needed to use the acl help command.
Examples
dcecp> acl help check Returns ACL permissions of invoker. delete Deletes all ACL entries except 'user_obj' if
it exists. modify Adds, removes, or changes ACL entries and attributes. permissions Returns permissions associated
with an object. replace Replaces entire ACL with new ACL entries and attributes. show Returns ACL entries or
attributes on an object. help Prints a summary of command-line options. operations Returns a list of the valid
operations for this command. dcecp>
acl modify
Changes attributes and entries of ACLs. The syntax is as follows: acl modify acl_name_list [-ic | -io | -entry] [-type manager_type_name]
[-cell new_cell_name] {-add acl_entry_list_with_permissions [-mask {calc | nocalc}] | -change acl_entry_list_with_permissions [-mask {calc
| nocalc}] | -remove acl_entry_list_without_permissions [-uuid] | -purge} [-local]
Options Changes the value of the cell attribute by specifying the new default cell. It must be one value, not a list. The -cell option is
always applied before the other options. Note that changing the default cell of an ACL that has user or group ACL entries, or their dele-
gate counterparts, can be dangerous. The principal and groups mentioned in these ACL entries must be in the default cell. If the default
cell changes, these ACL entries must change as well. Adds the ACL entries to the ACL. The value of this option is a list of ACL entries
with permissions filled in. You can use the -mask option to force or prevent mask recalculation. Changes existing ACL entries in the ACL.
The value of this option is a list of ACL entries with permissions filled in. The permissions are the new permissions placed on the speci-
fied ACL entries. The ACL entries must exist in the ACL or an error occurs. You can use the -mask option to force or prevent mask recal-
culation. Removes existing ACL entries from the ACL. The value of this option is a list of ACL entries with no permissions. The ACL
entries must exist in the ACL or an error occurs. Purges all masked permissions (before any other modifications are made), in all ACL
entries except user_obj, other_obj, mask_obj, user_obj_delegate, other_obj_delegate, and unauthenticated if they exist. This option is
useful only for ACLs that contain an entry of type mask_obj. Indicates that the entries in the acl_entry_list_without_permissions argument
are UUIDs rather than names. If a modify operation causes a mask recalculation that unintentionally adds permissions to an existing ACL
entry, the modify operation ceases with an error unless you specify the -mask option with a value of either calc or nocalc, or a unique
abbreviation of one of these values.
Specifying calc creates or modifies the object's mask_obj type entry with permissions equal to the union of all entries other than type
user_obj, other_obj, mask_obj, and unauthenticated. This creation or modification is done after all other modifications to the ACL are
performed. The new mask is set even if it grants permissions previously masked out. It is recommended that you use this option only if
not specifying it results in an error. If you specify the calc option for an ACL Manager that does not support the mask_obj entry type, an
error is returned.
Specifying nocalc means that a new mask should not be calculated.
The -mask option can be used only if the -add or -change option is also used and only if the object's ACL Managers support the mask_obj ACL
type. In addition, you cannot use the -mask option if you specify a mask_obj ACL entry in the command (by using the -add or -change
options). Specifies that the operation act on the Initial Container ACL of the named object. Specifies that the operation act on the Ini-
tial Object ACL of the named object. Specifies that the operation act on the ACL of the namespace entry of the named object. Specifies
that the operation act on the ACL of a dced object while the dced on the local machine is in partial service mode. Specifies that the com-
mand uses a particular ACL Manager. This option is needed only for objects that have more than one purpose, such as for principal names
that also act as directories.
The modify operation changes one or more individual ACL entries. The argument is a list of names of ACLs to be modified. They are pro-
cessed in the order they are entered. The specific operation to perform is described by using options.
The -uuid option can be used to remove ACL entries associated with orphaned UUIDs. An orphaned UUID refers to an object such as a princi-
pal or group that has been deleted from the registry, but still has an ACL entry on an object.
Multiple actions can be specified on the command line; they are processed in a fixed order to guarantee proper processing of the ACLs. See
[POSIX.6] for a description of this processing order. Either all the changes specified in the operation are made or none are. This opera-
tion returns an empty string on success.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use the permissions operation to display the currently available tokens
and their meanings. See the documentation for the DCE component you are using to obtain a more detailed description of its specific per-
missions.
Examples
dcecp> acl modify /.:/hosts -add {user mahler rwcia} dcecp>
dcecp> acl modify /.:/hosts -change {user mahler rwdtcia} dcecp>
dcecp> acl modify /.:/hosts -add {group dce rwdtcia} -remove {user mahler} dcecp>
dcecp> acl modify /.:/hosts -remove {user 0c8a15fc-761e-11d0-a176-08000985b5a6} -uuid dcecp>
acl operations
Returns a list of the operations supported by the acl object. The syntax is as follows: acl operations
The list of available operations is in alphabetical order except for help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the acl operations command.
Examples
dcecp> acl operations check delete modify permissions replace show help operations dcecp>
acl permissions
Returns a list describing the permissions associated with an object. The syntax is as follows: acl permissions acl_name_list [-ic | -io |
-entry] [-type manager_type_name] [-local]
Options
Specifies that the command is to operate on the Initial Container ACL of the named object. Specifies that the command is to operate on the
Initial Object ACL of the named object. Specifies that the command is to operate on the ACL of the namespace entry of the named object.
Specifies that the command uses a particular ACL Manager. This option is needed only for objects that have more than one purpose, such as
for principal names that also act as directories. Specifies that the command is to operate on the ACL of a dced object while the dced on
the local machine is in partial service mode.
The permissions operation returns a list of the permissions associated with an object. For each permission, the operation shows the per-
mission token and a description of the permission. The manager_type_name argument is a list of names of ACL Manager types whose permis-
sions are to be returned. If more than one name is entered, the output is concatenated and a blank line inserted between each manager
type.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use the permissions operation to display the currently available tokens
and their meanings. See the documentation for the DCE component you are using to obtain a more detailed description of its specific per-
missions.
Examples
dcecp> acl permissions /.:/hosts {r {read entry attributes}} {w {update entry attributes}} {d {delete entry}} {t {test attribute values}}
{c {change ACL}} {i {create new directory entries}} {a {administer directory replication}} dcecp>
acl replace
Replaces the entire ACL on the object specified by the argument with the supplied value. The syntax is as follows: acl replace
acl_name_list [-ic | -io | -entry] [-type manager_type_name] -acl acl_entry_list [-cell new_default_cellname] [-local]
Options
Specifies that the operation act on the Initial Container ACL of the named object. Specifies that the operation act on the Initial Object
ACL of the named object. Specifies that the operation act on the ACL of the namespace entry of the named object. Specifies that the com-
mand use a particular ACL Manager. This option is needed only for objects that have more than one purpose, such as for principal names
that also act as directories. Specifies ACL entries and their new values. Specifies a new default cell for all of the ACLs named in
acl_entry_list. The -cell option is always applied before the other options. Specifies that the operation act on the ACL of a dced object
while the dced on the local machine is in partial service mode.
The replace operation replaces the entire ACL on the object specified by the argument with the supplied value. The argument is a list of
names of ACLs to be operated on. The syntax of the value of the -acl option is a list of ACL entries. The -cell option specifies the new
default cell of the ACL. Its value is the name of one cell only (it is not a list). This operation returns an empty string on success.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use the permissions operation to display the currently available tokens
and their meanings. See the documentation for the DCE component you are using to obtain a more detailed description of its specific per-
missions.
Examples
dcecp> acl replace /.:/hosts -acl {group dce rwdtcia} dcecp>
acl show
Returns a list of the ACL entries for the specified object. The syntax is as follows: acl show acl_name_list [-ic | -io | -entry] [-type
manager_type_name] [-cell | -managers] [-local]
Options Specifies that the command is to operate on the Initial Container ACL of the named object. Specifies that the command is to oper-
ate on the Initial Object ACL of the named object. Specifies that the command is to operate on the ACL of the namespace entry of the named
object. Specifies that the command uses a particular ACL Manager. This option is needed only for objects that have more than one purpose,
such as for principal names that also act as directories. Returns the default cell name for the ACL. Returns a list of ACL Managers
available for the named ACL. Specifies that the command is to operate on the ACL of a dced object while the dced on the local machine is
in partial service mode.
The show operation returns a list of the ACL entries for the specified object. The argument is a list of names of objects whose ACLs are
to be operated on. If more than one name is given, the output is concatenated and a blank line inserted between objects. If they exist,
the mask_obj and unauthenticated ACL entries are displayed first.
Note that since UUIDs and not names are stored in ACLs, dcecp may not be able to determine the name associated with an ACL entry. In this
case, the UUID is returned as the key instead of the name. dcecp may be unable to determine the name associated with an ACL entry if the
default cell stored in the ACL is incorrect, or if the users and groups specified in the user and group entries are not registered in the
default cell.
If a UUID replaces a name of a user and group, you can recover by adopting the orphaned UUID. To do this, create a new user or group using
the UUID found in the ACL. The name of the new user or group is then available.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use the permissions operation to display the currently available tokens
and their meanings. See the documentation for the DCE component you are using to obtain a more detailed description of its specific per-
missions.
Examples
dcecp> acl show /.:/hosts {unauthenticated r--t---} {user cell_admin rwdtcia} {user hosts/absolut/cds-server rwdtcia} {user hosts/abso-
lut/self rwdtcia} {user root rwdtcia} {group subsys/dce/cds-admin rwdtcia} {group subsys/dce/cds-server rwdtcia} {any_other r--t---} dcecp>
RELATED INFORMATION
Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m), dcecp_organization(1m), dcecp_principal(1m), dcecp_registry(1m), dcecp_xat-
trschema(1m).
acl(1m)