
ACL Editors and Browsers

After obtaining a handle to the object in question (and using sec_acl_get_manager_types( ) or sec_acl_get_manager_types_semantics( ) to determine the ACL manager types protecting the object), editors and browsers call sec_acl_lookup( ) to retrieve a copy of the object's ACL for one of those manager types.

Once an object's ACL is retrieved, the editor can call sec_acl_get_printstring( ) to learn how to display the permissions of that manager type in a human-readable form. For each permission the call returns a print string (a short symbol or word), a bitmask with the bit or bits that encode the permission set, and a short help string explaining it. Because a print string can stand for more than one bit, an editor should test that all of a print string's bits are present in an entry's permission set before displaying that symbol.

An ACL cannot be modified in part. To change an ACL, an editor must read the entire ACL (the sec_acl_t structure), modify it, and replace it entirely by calling sec_acl_replace( ). Because the replacement is a whole-ACL write with no version check, two editors working on the same object at the same time can silently overwrite each other's changes, so an editor should keep the read-modify-replace cycle short. If the ACL manager supports the mask_obj mask type, you can use sec_acl_calc_mask( ) to calculate a new entry of type sec_acl_e_type_mask_obj. This function is supported for POSIX compatibility only, for those applications that use mask_obj with its POSIX semantics. Accordingly, sec_acl_calc_mask( ) returns the union of the permissions of all ACL entries other than user_obj, other_obj, unauthenticated (and the pre-existing mask_obj). These correspond approximately to what POSIX calls the "File Group Class" of ACL entries, although that designation is not appropriate in the DCE context. In particular, sec_acl_calc_mask( ) works independently of DCE DFS.

Use the sec_acl_get_manager_types_semantics( ) routine to learn which POSIX semantics each manager type implements, and in particular whether the manager to which the ACL will be submitted supports the sec_acl_e_type_mask_obj entry type. Only call sec_acl_calc_mask( ) for a manager that does; submitting a mask_obj entry to a manager that does not understand it will be rejected or ignored rather than enforced.
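The following is an added example and is not code from the DCE documentation or the DCE libraries. It models, with local stand-in types, the editing cycle the two paragraphs above describe: copy the whole ACL (as sec_acl_lookup( ) hands it back), add an entry, recompute mask_obj by the rule sec_acl_calc_mask( ) applies (union of every entry except user_obj, other_obj, unauthenticated and the old mask_obj), and hand the whole ACL back (as sec_acl_replace( ) takes it). The struct layouts, the permission bits, the print strings and the POSIX effective-permission filter are assumptions made for the demo; they are not the real sec_acl_t, sec_acl_entry_t or sec_acl_printstring_t definitions.

```c
/* Added example, not DCE code. Local models of the ACL types; the field
 * names, permission bits and print strings below are demo assumptions. */
#include <stdio.h>
#include <string.h>

typedef unsigned int permset_t;     /* stand-in for sec_acl_permset_t */

/* Subset of the entry kinds sec_acl_entry_type_t distinguishes. */
typedef enum {
    E_USER_OBJ, E_GROUP_OBJ, E_OTHER_OBJ, E_USER, E_GROUP,
    E_MASK_OBJ, E_UNAUTHENTICATED, E_ANY_OTHER
} entry_type_t;

typedef struct {
    entry_type_t type;
    permset_t    perms;
    const char  *key;   /* principal or group name for E_USER/E_GROUP, else NULL */
} acl_entry_t;

#define MAX_ENTRIES 32
typedef struct {
    size_t      num_entries;
    acl_entry_t entries[MAX_ENTRIES];
} acl_t;

/* Demo permission bits; a real ACL manager defines its own. */
#define PERM_READ    0x1u
#define PERM_WRITE   0x2u
#define PERM_EXECUTE 0x4u
#define PERM_CONTROL 0x8u

/* Modelled print strings: token, help text and the bit(s) each encodes,
 * the three things sec_acl_get_printstring() returns per permission. */
typedef struct { const char *token; const char *help; permset_t bits; } printstring_t;
static const printstring_t PRINTSTRINGS[] = {
    { "r", "read", PERM_READ }, { "w", "write", PERM_WRITE },
    { "x", "execute", PERM_EXECUTE }, { "c", "control", PERM_CONTROL },
};
#define NUM_PRINTSTRINGS (sizeof PRINTSTRINGS / sizeof PRINTSTRINGS[0])

/* Render a permset token by token; '-' where a token's bits are not all
 * set, so entries line up in a column ("rw-c" style). */
static char *render_perms(permset_t perms, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < NUM_PRINTSTRINGS; i++) {
        const printstring_t *p = &PRINTSTRINGS[i];
        const char *tok = (perms & p->bits) == p->bits ? p->token : "-";
        size_t n = strlen(tok);
        if (used + n + 1 > len) break;      /* never overrun the caller's buffer */
        memcpy(buf + used, tok, n + 1);
        used += n;
    }
    return buf;
}

/* The mask rule: union of the permissions of every entry except user_obj,
 * other_obj, unauthenticated and any existing mask_obj. The result
 * overwrites the existing mask_obj entry or is appended as a new one.
 * Returns 0 on success, -1 if there is no room to append. */
static int calc_mask(acl_t *acl, permset_t *mask_out)
{
    permset_t mask = 0;
    acl_entry_t *mask_entry = NULL;
    for (size_t i = 0; i < acl->num_entries; i++) {
        acl_entry_t *e = &acl->entries[i];
        switch (e->type) {
        case E_USER_OBJ: case E_OTHER_OBJ: case E_UNAUTHENTICATED:
            break;                          /* excluded from the mask */
        case E_MASK_OBJ:
            mask_entry = e;                 /* old mask: ignored, then overwritten */
            break;
        default:
            mask |= e->perms;
        }
    }
    if (mask_entry == NULL) {
        if (acl->num_entries >= MAX_ENTRIES) return -1;
        mask_entry = &acl->entries[acl->num_entries++];
        mask_entry->type = E_MASK_OBJ;
        mask_entry->key = NULL;
    }
    mask_entry->perms = mask;
    if (mask_out) *mask_out = mask;
    return 0;
}

/* POSIX mask semantics (assumed here): entries the mask covers get only the
 * bits also present in the mask; user_obj, other_obj, unauthenticated and
 * the mask itself are not filtered. */
static permset_t effective_perms(const acl_entry_t *e, permset_t mask)
{
    switch (e->type) {
    case E_USER_OBJ: case E_OTHER_OBJ: case E_UNAUTHENTICATED: case E_MASK_OBJ:
        return e->perms;
    default:
        return e->perms & mask;
    }
}

/* One editor step: work on a copy of the whole ACL, add a group entry,
 * recompute mask_obj, and leave the complete new ACL in *out for a
 * whole-ACL replace. Returns 0 on success. */
static int add_group_entry(const acl_t *current, const char *group,
                           permset_t perms, acl_t *out, permset_t *mask_out)
{
    *out = *current;
    if (out->num_entries >= MAX_ENTRIES) return -1;
    out->entries[out->num_entries++] = (acl_entry_t){ E_GROUP, perms, group };
    return calc_mask(out, mask_out);
}

/* Constructed sample ACL with a stale mask_obj entry (demo data). */
static acl_t sample_acl(void)
{
    acl_t a = {0};
    a.entries[a.num_entries++] = (acl_entry_t){ E_USER_OBJ, PERM_READ|PERM_WRITE|PERM_EXECUTE|PERM_CONTROL, NULL };
    a.entries[a.num_entries++] = (acl_entry_t){ E_GROUP_OBJ, PERM_READ, NULL };
    a.entries[a.num_entries++] = (acl_entry_t){ E_USER, PERM_READ|PERM_WRITE, "alice" };
    a.entries[a.num_entries++] = (acl_entry_t){ E_MASK_OBJ, PERM_READ, NULL };
    a.entries[a.num_entries++] = (acl_entry_t){ E_OTHER_OBJ, PERM_READ, NULL };
    a.entries[a.num_entries++] = (acl_entry_t){ E_UNAUTHENTICATED, PERM_READ, NULL };
    return a;
}

int main(void)
{
    acl_t cur = sample_acl(), next;
    permset_t mask;
    char b1[16], b2[16];
    if (add_group_entry(&cur, "staff", PERM_READ|PERM_EXECUTE, &next, &mask) != 0) return 1;
    for (size_t i = 0; i < next.num_entries; i++)
        printf("type %d %-6s %s (effective %s)\n", (int)next.entries[i].type,
               next.entries[i].key ? next.entries[i].key : "-",
               render_perms(next.entries[i].perms, b1, sizeof b1),
               render_perms(effective_perms(&next.entries[i], mask), b2, sizeof b2));
    return 0;
}
```

Note that the stale mask_obj entry ("r") is ignored while computing the new mask and then overwritten in place rather than duplicated; an ACL with no mask_obj entry gets one appended, and the caller is told when the fixed-size buffer cannot take it instead of the entry being dropped silently.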

An ACL can occupy a substantial amount of memory. The memory management routine, sec_acl_release( ), frees the memory occupied by the local copy of an ACL that sec_acl_lookup( ) returned, and returns it to the pool. This is implemented strictly as a local operation: it does not contact the ACL manager and does not alter the ACL stored with the object.