Data Structures
ACL Entry Syntax
An ACL entry has the following syntax:
type[:key]:permissions
where:
type Identifies the role of the ACL entry.
key Identifies the specific principal or group to whom the entry applies. For an entry type of extended, key contains the ACL data.
permissions The ACL permissions.
The syntax of an ACL entry is a list of two or three elements. The first element is the type, the optional second element is the key, and the last element is the set of permission bits. The
permission bits are represented as a single character if the permission is granted and as a hyphen (-) if it is not. An ACL is a list of ACL entries. An example of an ACL is as follows:
{unauthenticated -r-----} {user_obj crwx---} {user britten crwx---} {user mahler -rwx---}
{foreign_user /.../C=US/O=OSF/OU=dce/pro/bach crwxidt} {group_obj -rwx---} {group dds -rwx---}
{any_other -r-----} {extended c417faf8-8340-11c9-ace3-08001e5559bb.a.b.c.a1.4.0a0b0c0d -rwx---}
On output the above syntax is used, with one addition. If masking produces ineffective bits in an ACL entry, the entry has two additional elements. The first is the string effective and
the second element is the set of effective permissions. This is added only for those ACL entries that have ineffective bits. For example:
{mask_obj -r-----} {user_obj crwx---} {user britten crwx--- effective -r-----}
On input, do not include the identifier effective or the effective permissions. You can enter permissions in any order, omitting hyphens (-) for permissions not granted. For example, the
above ACL could be entered as:
{mask_obj r} {user_obj crwx} {user britten wcrx}
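The input and output forms above differ only in normalization (tokens in any order, hyphens optional on input) and in the effective element that masking adds on output. The following is an added example, not dcecp's own code, that parses the entry syntax, normalizes the permission string, and recomputes the effective element from mask_obj using the rule the mask_obj entry type states (the mask applies to every entry type except user_obj, other_obj and unauthenticated). It assumes that the ACL manager's permission tokens, in output order, are the seven shown in the page's example, crwxidt; a real manager defines its own tokens.

```python
"""Added example (not dcecp's own code): parse the ACL entry syntax described
above, normalize permissions entered in any order, and recompute the
'effective' element that masking adds on output.

Assumption: the ACL manager's permission tokens, in output order, are the
seven shown in the page's example, 'crwxidt'. Real managers define their own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PERM_ORDER = "crwxidt"  # assumed token order for this example

# Entry types that take no key; every other type carries one.
KEYLESS_TYPES = {
    "user_obj", "group_obj", "other_obj", "any_other", "mask_obj",
    "unauthenticated", "user_obj_delegate", "group_obj_delegate",
    "other_obj_delegate", "any_other_delegate",
}
# Entry types that mask_obj does not apply to (per the mask_obj description).
UNMASKED_TYPES = {"user_obj", "other_obj", "unauthenticated"}

ENTRY_RE = re.compile(r"\{([^{}]*)\}")


@dataclass
class AclEntry:
    etype: str
    key: Optional[str]
    perms: str                       # canonical hyphen-padded form, e.g. "crwx---"
    effective: Optional[str] = None  # set only when masking removed bits


def normalize_perms(text: str) -> str:
    """Accept tokens in any order, with or without hyphens; emit the
    fixed-width output form (one column per token, '-' when not granted)."""
    granted = set(text) - {"-"}
    unknown = granted - set(PERM_ORDER)
    if unknown:
        raise ValueError(f"unknown permission token(s): {sorted(unknown)}")
    return "".join(c if c in granted else "-" for c in PERM_ORDER)


def parse_acl(text: str) -> List[AclEntry]:
    """Split '{type [key] perms [effective perms]} ...' into entries."""
    entries = []
    for body in ENTRY_RE.findall(text):
        fields = body.split()
        if not fields:
            raise ValueError("empty ACL entry")
        etype, rest = fields[0], fields[1:]
        key = None
        if etype not in KEYLESS_TYPES:
            if not rest:
                raise ValueError(f"{etype} entry requires a key")
            key = rest.pop(0)
        if not rest:
            raise ValueError(f"{etype} entry has no permissions")
        perms = normalize_perms(rest.pop(0))
        effective = None
        if rest:  # present only in the output form: exactly two extra elements
            if len(rest) != 2 or rest[0] != "effective":
                raise ValueError(f"unexpected trailing fields in {etype} entry: {rest}")
            effective = normalize_perms(rest[1])
        entries.append(AclEntry(etype, key, perms, effective))
    return entries


def apply_mask(entries: List[AclEntry]) -> List[AclEntry]:
    """Recompute 'effective' as the output form does: intersect mask_obj with
    every entry except user_obj, other_obj and unauthenticated, and record the
    result only where it differs from the entry's own permissions."""
    mask = next((e.perms for e in entries if e.etype == "mask_obj"), None)
    result = []
    for e in entries:
        effective = None
        if mask is not None and e.etype not in UNMASKED_TYPES:
            masked = "".join(p if p != "-" and m != "-" else "-"
                             for p, m in zip(e.perms, mask))
            if masked != e.perms:
                effective = masked
        result.append(AclEntry(e.etype, e.key, e.perms, effective))
    return result


def format_acl(entries: List[AclEntry]) -> str:
    """Render entries in the output syntax shown above."""
    parts = []
    for e in entries:
        fields = [e.etype] + ([e.key] if e.key is not None else []) + [e.perms]
        if e.effective is not None:
            fields += ["effective", e.effective]
        parts.append("{" + " ".join(fields) + "}")
    return " ".join(parts)


if __name__ == "__main__":
    # The page's input form; prints the page's output form for the same ACL.
    acl = parse_acl("{mask_obj r} {user_obj crwx} {user britten wcrx}")
    print(format_acl(apply_mask(acl)))
```

Feeding the page's input form `{mask_obj r} {user_obj crwx} {user britten wcrx}` through `parse_acl`, `apply_mask` and `format_acl` reproduces the output form shown above: user_obj is exempt from the mask, while the user entry for britten is reduced to `-r-----` and therefore gains the effective element.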
Defined ACL Entry Types
user_obj Permissions for the object's real or effective user.
group_obj Permissions for the object's real or effective group.
other_obj Permissions for others in the local cell who are not otherwise named by a more specific entry type.
user Permissions for a specific principal user in the ACL's cell. This type of ACL entry must include a key that identifies the specific principal.
group Permissions for a specific group in the ACL's cell. This type of ACL entry must include a key that identifies the specific group.
foreign_user Permissions for a specific, authenticated user in a foreign cell. This type of ACL entry must include a key that identifies the specific principal and the
principal's cell.
foreign_group Permissions for a specific, authenticated group in a foreign cell. This type of ACL entry must include a key that identifies the specific group and the group's
cell.
foreign_other Permissions for all authenticated principals in a specific foreign cell, unless those principals are specifically named in an ACL entry of type
foreign_user or are members in a group named in an entry of type foreign_group. This type of ACL entry must include a key that identifies the specific foreign cell.
any_other Permissions for all authenticated principals unless those principals match a more specific entry in the ACL.
mask_obj Permissions for the object mask that is applied to all entry types except user_obj, other_obj, and unauthenticated.
unauthenticated Maximum permissions applied when the accessor does not pass authentication procedures. This entry is used for principals that have failed authentication due to
bad keys, principals who are entirely outside of any authentication cell, and principals who choose not to use authenticated access. Permissions granted to an unauthenticated principal are masked
with this entry, if it exists. If this entry does not exist, access to unauthenticated principals is always denied.
extended A special entry that allows client applications running at earlier DCE versions to copy ACLs to and from ACL Managers running at the current DCE version without losing
any data. The extended entry allows the application running at the lower version to obtain a printable form of the ACL. The extended ACL entry has the following form:
extended:uuid.ndr.ndr.ndr.ndr.number_of_bytes.data
where:
uuid Identifies the type of the extended ACL entry. (This UUID can identify one of the ACL entry types described here or an as-yet-undefined ACL entry type.)
ndr.ndr.ndr.ndr Up to three network data representation (NDR) format labels (in hexadecimal format and separated by periods) that identify the encoding of data.
number_of_bytes A decimal number that specifies the total number of bytes in data.
data The ACL data in hexadecimal form. (Each byte of ACL data is two hexadecimal digits.) The ACL data includes all of the ACL entry specifications except the permissions
(described later) that are entered separately. The data is not interpreted; it is assumed that the ACL manager to which the data is being passed can understand that data.
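Because the data element is opaque to everyone but the target ACL manager, the only thing an intermediary can verify is the framing: a well-formed UUID, hexadecimal NDR labels, a decimal byte count, and a data field of exactly two hex digits per counted byte. The following is an added example, not dcecp's own code, that decodes and re-encodes an extended key to that extent and nothing more. It assumes four NDR label positions, as the syntax line and the page's example key (c417faf8-8340-11c9-ace3-08001e5559bb.a.b.c.a1.4.0a0b0c0d) show.

```python
"""Added example (not dcecp's own code): decode and re-encode the key of an
'extended' ACL entry, uuid.ndr.ndr.ndr.ndr.number_of_bytes.data, checking only
the framing. The data bytes stay opaque, as the page says they are meant to be.
Assumption: four NDR label positions, as the syntax line and the page's example
show.
"""
import re
from dataclasses import dataclass
from typing import Tuple

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
HEX_RE = re.compile(r"[0-9a-f]+", re.I)
NDR_LABELS = 4  # assumed from the syntax line and the page's example


@dataclass(frozen=True)
class ExtendedKey:
    uuid: str
    ndr_labels: Tuple[str, ...]  # hexadecimal format labels, not interpreted here
    data: bytes                  # opaque ACL data for the target ACL manager


def parse_extended_key(key: str) -> ExtendedKey:
    """Split the dotted key and validate each field's syntax."""
    parts = key.split(".")
    expected = 1 + NDR_LABELS + 2  # uuid, labels, byte count, data
    if len(parts) != expected:
        raise ValueError(f"expected {expected} dot-separated fields, got {len(parts)}")
    uuid, *labels, count, data = parts
    if not UUID_RE.fullmatch(uuid):
        raise ValueError(f"malformed UUID: {uuid!r}")
    for label in labels:
        if not HEX_RE.fullmatch(label):
            raise ValueError(f"NDR label is not hexadecimal: {label!r}")
    if not count.isdigit():
        raise ValueError(f"byte count is not decimal: {count!r}")
    nbytes = int(count, 10)
    # number_of_bytes counts bytes; data carries two hex digits per byte.
    if len(data) != 2 * nbytes or (data and not HEX_RE.fullmatch(data)):
        raise ValueError(
            f"data is {len(data)} hex digits, expected {2 * nbytes} for {nbytes} bytes")
    return ExtendedKey(uuid.lower(), tuple(labels), bytes.fromhex(data))


def format_extended_key(ek: ExtendedKey) -> str:
    """Inverse of parse_extended_key: rebuild the dotted key."""
    return ".".join([ek.uuid, *ek.ndr_labels, str(len(ek.data)), ek.data.hex()])


if __name__ == "__main__":
    ek = parse_extended_key("c417faf8-8340-11c9-ace3-08001e5559bb.a.b.c.a1.4.0a0b0c0d")
    print(ek)
    print(format_extended_key(ek))
```

A byte count that disagrees with the length of the data field is rejected rather than truncated or padded, since the receiving ACL manager is the only party that can say what the bytes mean.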
user_obj_delegate Delegated permissions for the object's real or effective user.
group_obj_delegate Delegated permissions for the object's real or effective group.
other_obj_delegate Delegated permissions for others in the local cell who are not otherwise named by a more specific entry type.
user_delegate Delegated permissions for a specific principal user in the ACL's cell. This type of ACL entry must include a key that identifies the specific principal.
group_delegate Delegated permissions for a specific group in the ACL's cell. This type of ACL entry must include a key that identifies the specific group.
foreign_user_delegate Delegated permissions for a specific, authenticated user in a foreign cell. This type of ACL entry must include a key that identifies the specific
principal and the principal's cell.
foreign_group_delegate Delegated permissions for a specific, authenticated group in a foreign cell. This type of ACL entry must include a key that identifies the specific group
and the group's cell.
foreign_other_delegate Delegated permissions for all authenticated principals in a specific foreign cell, unless those principals are specifically named in an ACL entry of type
foreign_user or foreign_user_delegate or are members in a group named in an entry of type foreign_group or foreign_group_delegate. This type of ACL entry must
include a key that identifies the specific foreign cell.
any_other_delegate Delegated permissions for all authenticated principals unless those principals match a more specific entry in the ACL.
Key
The key identifier (principal or group name) specifies the principal or group to which the ACL entry applies. For entries of entry type extended,
key is the data passed from one ACL Manager to another. A key is required for the following types of ACL entries:
user Requires a principal name only.
group Requires a group name only.
foreign_user Requires a fully qualified cell name in addition to the principal name.
foreign_group Requires a fully qualified cell name in addition to the group name.
foreign_other Requires a fully qualified cell name.
foreign_user_delegate Requires a fully qualified cell name, the principal name, and a key that identifies the principal and the principal's cell.
foreign_group_delegate Requires a fully qualified cell name, the group name, and a key that identifies the group and the group's cell.
Permissions
The permissions argument specifies the set of permissions that defines the access rights conferred by the entry. Since each ACL manager defines the
permission tokens and meanings appropriate for the objects it controls, the actual tokens and their meanings vary. For example, the Distributed File Service (DFS), the Directory Service, and the
Security Registry Service each implement a separate ACL manager, and each can use a different set of tokens and permissions. This means that file system objects, objects in the namespace, and
registry objects could each use different permissions. Use the permissions operation to display the currently available tokens and their meanings. See the documentation for the DCE
component you are using to obtain a more detailed description of its specific permissions.