Library /sys$common/syshlp/helplib.hlb
DCE_SECURITY, Admin Intro, acl_edit

 *Conan The Librarian (sorry for the slow response - running on an old VAX)

      acl_edit - Edits or lists an object's ACLs


      acl_edit {[-e] pathname | -addr string_binding component_name}
                [-ic | -io] [-n | -c] [command_line_subcommands] [-ngui]


      -e pathname      Specifies that the ACL on the Directory Service
                       entry is to be edited.  You must specify the
                       pathname argument if you use the -e option.  The
                       -e option is especially useful in case of an
                       ambiguous pathname.  The pathname argument can be
                       interpreted in two ways if it is the name of a
                       leaf object in the Directory Service (that is, if
                       it is not the name of a directory).  It can be
                       interpreted as the Directory Service entry itself,
                       or as the object (whatever it is) referenced by
                       that Directory Service entry.  When such a path-
                       name is specified, the -e option directs acl_edit
                       to the ACL on the Directory Service entry.

      -addr string_binding component_name
                       The -addr option lets you identify the object
                       whose ACLs you want to edit by supplying the RPC
                       binding handle of the ACL Manager that controls
                       access to the object (with the string_binding
                       argument) and the relative pathname of the object
                       (with the component_name argument).  Because you
                       have identified the RPC binding handle, you can
                       specify only the object's relative pathname for
                       component_name.  The most common way to identify
                       the object whose ACLs you want to manipulate is
                       through the pathname argument, described below.
                       The -addr option is used primarily by applications
                       that do not use the Directory Service, but do use
                       the generic ACL Manager.  It can also be used if
                       the Directory Service is unavailable.

      -ic              For container objects only, specifies that the
                       object's Initial Container Creation ACL is to be
                       edited.  The Initial Container Creation ACL is
                       applied by default to any containers created
                       within the ACL'd container. If this option is
                       specified and the object named in pathname is not
                       a container, an error is returned.

      -io              For container objects only, specifies that the
                       object's Initial Object Creation ACL is to be
                       edited. The Initial Object Creation ACL is applied
                       by default to any simple objects (that is, objects
                       that are not containers) created within the ACL'd
                       container.  If this option is specified and the
                       object is not a container, an error is returned.

      -n               Specifies that a new mask should not be calculated.
                       This option is useful only for objects that
                       support the mask_obj entry type and that are
                       required to recalculate a new mask after they are
                       modified.  If a modify operation creates a mask
                       that unintentionally adds permissions to an
                       existing acl entry, the modify causing the mask
                       recalculation will abort with an error unless you
                       specify either the -c or -n option.

      -c               Creates or modifies the object's mask_obj type
                       entry with permissions equal to the union of all
                       entries other than type user_obj, other_obj, and
                       unauthenticated.  This creation or modification is
                       done after all other modifications to the ACL are
                       performed.  The new mask is set even if it grants
                       permissions previously masked out. It is
                       recommended that you use this option only if not
                       specifying it results in an error. This option is
                       useful only for objects that support the mask_obj
                       entry type and are required to recalculate a new
                       mask after they are modified.  If a modify
                       operation creates a mask that unintentionally adds
                       permissions to an existing acl entry, the modify
                       causing the mask recalculation will abort with an
                       error unless you specify either the -c or -n option.
                       If you specify the -c option for an ACL that does
                       not support mask_obj entry type, acl_edit returns
                       an error when it attempts to save the ACL, aborting
                       all subcommands supplied on the command line.

      -ngui            Specifies that a Graphical User Interface (GUI)
                       should not be used even if a GUI is available.
                       If your version of acl_edit supports a GUI and
                       your terminal is capable of using it, invoking
                       acl_edit without this option will bring up the GUI
                       mode.  Use the -ngui option to bring up command-
                       line mode.  However, if a GUI is not available, or
                       the terminal is not capable of using the GUI,
                       acl_edit comes up in command-line mode regardless
                       of wheter you supply this option or not.

      -v               Run in verbose mode.


      pathname         The full pathname of the object whose ACL is to be
                       viewed or edited. If the object is in another
                       cell, pathname must be fully qualified to include
                       the cell identifier.

                       The command-line subcommands, which act on the
                       object specified by pathname, are entered as part
                       of the command string that invokes acl_edit. Only
                       one command-line subcommand can be specified per
                       invocation.  The commands follow.  See the
                       description of the equivalent interactive
                       subcommand for a more detailed description of the
                       command functions.

                       -m [acl_entry] acl_entry...
                                 Adds a new ACL entry or changes the
                                 permissions of an existing entry. You
                                 can enter multiple entries, each
                                 separated by a space.

                         -p      Purges all masked permissions (before
                                 any other modifications are made).  This
                                 option is useful only for ACLs that
                                 contain an entry of type mask_obj.  Use it
                                 to prevent unintentionally granting
                                 permissions to an existing entry when a
                                 new mask is calculated as a result of
                                 adding or modifying an ACL entry.

                         -d [acl_entry] acl_entry...
                                 Deletes an existing entry from the ACL
                                 associated with the specified object.
                                 You can enter multiple entries, each
                                 separated by a space.

                         -s [acl_entry] acl_entry...
                                 Replaces (substitutes) the ACL information
                                 associated with this object with
                                 acl_entry. All existing entries are
                                 removed and replaced by the newly
                                 specified entries. If you specify the -s
                                 subcommand, you cannot specify the -f or
                                 -k subcommand.  You can enter multiple
                                 entries, each separated by a space.

                         -f file Assigns the ACL information contained in
                                 file to the object.  All existing entries
                                 are removed and replaced by the entries
                                 in the file. If you specify the -f sub-
                                 command, you cannot specify the -s or -k

                         -k      Removes all entries, except entries of
                                 type user_obj (if they are present).
                                 If you specify the -k subcommand, you
                                 cannot specify the -f or -s subcommand.

                         -l      Lists the entries in the object's ACL.

  The command-line subcommands are evaluated in the following order:


               -s or -f or -k





  With the exception of the following subcommands, this command is replaced
  at Revision 1.1 by the dcecp command.  This command may be fully replaced
  by the dcecp command in a future release of DCE, and may no longer be
  supported at that time.

     +  abort

     +  commit

     +  exit

     +  help

     +  test access


  The acl_edit command is a client program that, when invoked, binds to the
  specified object's ACL Manager (which is implemented in the object's
  server), and allows the user to manipulate the object's ACL through the
  standard DCE ACL interface. This interface is the sec_acl_...() interface
  documented in the OSF DCE Application Development Reference.

  The acl_edit command automatically binds to the server of the object
  specified, and then communicates (through the standard DCE ACL interface)
  with that server's ACL manager in response to user input.

  Exactly what the object "specified" is depends partly on whether or not
  the -e option is specified. Specifying -e means that you want to operate
  on the Directory Service ACL - in other words, you want acl_edit to bind
  to the CDS server and allow you to operate on the ACL maintained by that
  server on the object's directory entry. If, on the the ACL on the object
  to which the directory entry refers - then you simply omit the -e option.
  The result will be that acl_edit will bind to that object's server (the
  server must, of course, implement an ACL manager), giving you access to
  the object's ACL.

  All acl_edit subcommands act on the object specified by pathname when you
  invoked acl_edit.  You can invoke acl_edit in either command-line or
  interactive mode:

     +  To invoke acl_edit in command-line mode, enter the command, the
        object's pathname, options, and the command-line subcommand on the
        line that invokes acl_edit. Only one command-line subcommand can be
        entered per acl_edit invocation.

     +  To invoke acl_edit in interactive mode, enter only acl_edit, the
        object's pathname, and options.  The acl_edit prompt is then
        displayed.  In this mode, you enter interactive subcommands that
        let you edit and view entries in the object's ACL and view help
        information about the acl_edit command itself.

  Changes you make in command-line mode are saved when you enter the

  In interactive mode, you must explicitly save your changes. To do so, use
  the commit subcommand to save the changes without exiting acl_edit or the
  exit subcommand to save the changes and exit acl_edit.  Use the abort
  subcommand to exit acl_edit and save none of the changes you have made.
  When you invoke acl_edit for a specific object's ACL, that ACL is not
  locked.  This means that it is possible for multiple users to edit the
  ACL simultaneously, with each change overwriting the previous changes.
  For this reason, the number of users assigned rights to change a
  particular ACL should be tightly controlled and limited to one user if


  The following subcommands are available when acl_edit is invoked in
  interactive mode. All of the commands act on the ACL associated with the
  object specified by pathname when acl_edit was invoked.

  ?         Displays the available acl_edit subcommands.

  ab[ort]   Exits acl_edit without saving the changes to the object's ACL.

  as[sign] filename
            Applies the ACL entries in filename to the specified object.
            This subcommand removes existing entries and replaces them with
            the entries in the file.

  c[ell] name
            Sets the cell name to be associated with the ACL. This sub-
            command is used primarily to facilitate copying ACLs to
            different cells.  The default cell name stays in place until
            you run the subcommand again to change it.

  co[mmit]  Saves all changes to the ACL without exiting.

  d[elete] acl_entry
            Deletes the specified ACL entry.

  e[xit]    Exits from acl_edit, saving any changes to the object's ACL.

            Displays the permissions granted in the specified object's ACL
            to the principal that invoked acl_edit.

  h[elp] [command ...]
            Initiates the help facility.  If you enter only the command
            help, acl_edit displays a list of all commands and their
            functions.  If you enter help and a command (or commands
            separated by a space), acl_edit displays help information on
            the specified commands.  Entering help sec_acl_entry displays
            information about ACL entries.

            Removes all ACL entries except the user_obj entry if it exists.

  l[ist]    Lists the entries in the object's ACL.

  m[odify] acl_entry [-n | -c]
            Adds a new ACL entry or replaces an existing ACL entry.  This
            command affects a single ACL entry.  To add or replace all of
            an object's ACL entries, see the su[bstitute] subcommand.  For
            objects that support the mask_obj entry type and are required
            to calculate a new mask when their ACLs are modified, the -n
            option specifies that a new mask should not be calculated; the
            -c option specifies that the object's mask_obj entry should
            have permissions equal to the union of all entries other than
            user_obj, other_obj, and unauthenticated.  The mask is
            calculated after the ACL is modified.
            If you use the -c option, the new mask is set even if it
            grants permissions previously masked out. It is recommended
            that you use the -c option only if not specifying it results
            in an error.  If the new mask unintentionally grants
            permissions to an existing entry, the modify operation
            causing the mask recalculation will abort with an error
            unless you specify either the -c or -n option.

            Lists the available permission tokens and explanations.

  pu[rge]   Purges all masked permissions.  This option is useful only for
            ACLs that contain an entry of type mask_obj.  Use it to prevent
            unintentionally granting permissions to an existing entry when
            a new mask is calculated as a result of adding or modifying an
            ACL entry.

  su[bstitute] acl_entry [acl_entry ...]
            Replaces all ACL entries with the one or ones specified.  This
            subcommand removes all existing entries and adds the ones
            specified by acl_entry.  To replace only a single ACL entry,
            see the m[odify] subcommand.

  t[est_access] [permissions ...]
            Tests whether or not the permissions specified in the command
            are granted to the principal under whose DCE identity the
            acl_edit command was invoked.  The option returns Granted if
            the permissions are granted or Denied if they are not.


  An ACL entry has the following syntax:



      type           Identifies the role of the ACL entry.

      key            Identifies the specific principal or group to whom
                     the entry applies. For an entry type of extended,
                     key contains the ACL data.

      permissions    The ACL permissions.

  A thorough description of each syntax component follows.

  Type            The type tag identifies the role of the ACL entry.
                  Valid types are the following:

                  + user_obj  - Permissions for the object's real or
                                effective user.

                  + group_obj - Permissions for the object's real or
                                effective group.

                  + other_obj - Permissions for others in the local cell
                                who are not otherwise named by a more
                                specific entry type.

                  + user      - Permissions for a specific principal
                                user in the ACL's cell.  This type of
                                ACL entry must include a key that
                                identifies the specific principal.

                  + group     - Permissions for a specific group in the
                                ACL's cell. This type of ACL entry must
                                include a key that identifies the
                                specific group.

                  + foreign_user
                                Permissions for a specific, authenticated
                                user in a foreign cell. This type of ACL
                                entry must include a key that identifies
                                the specific principal and the principal's

                  + foreign_group
                                Permissions for a specific, authenticated
                                group in a foreign cell. This type of ACL
                                entry must include a key that identifies
                                the specific group and the group's cell.

                  + foreign_other
                                Permissions for all authenticated
                                principals in a specific foreign cell,
                                unless those principals are specifically
                                named in an ACL entry of type foreign_user
                                or members in a group named in an entry of
                                type foreign_group.  This type of ACL
                                entry must include a key that identifies
                                the specific foreign cell.

                  + any_other - Permissions for all authenticated
                                principals unless those principals match
                                a more specific entry in the ACL.

                  + mask_obj  - Permissions for the object mask that is
                                applied to all entry types except user_obj,
                                other_obj, and unauthenticated.

                  + unauthenticated
                                Maximum permissions applied when the
                                accessor does not pass authentication
                                procedures.  This entry is used for
                                principals that have failed authentica-
                                tion due to bad keys, principals who
                                are entirely outside of any authentication
                                cell, and principals who choose not to use
                                authenticated access.  Permissions granted
                                to an unauthenticated principal are masked
                                with this entry, if it exists.  If this
                                entry does not exist, access to unauthenti-
                                cated principals is always denied.

                  +  extended - A special entry that allows client
                                applications running at earlier DCE
                                versions to copy ACLs to and from ACL
                                Managers running at the current DCE
                                version without losing any data.  The
                                extended entry allows the application
                                running at the lower version to obtain a
                                printable form of the ACL.  The extended
                                ACL entry has the following form:



                                uuid    Identifies the type extended ACL
                                        entry. (This UUID can identify
                                        one of the ACL entry types
                                        described here or an as-yet-
                                        undefined ACL entry type.)

                                        Up to three Network Data
                                        Representation (NDR) format labels
                                        (in hexadecimal format and
                                        separated by periods) that
                                        identify the encoding of data.

                                        A decimal number that specifies
                                        the total number of bytes in data.

                                data    The ACL data in hexadecimal form.
                                        (Each byte of ACL data is two
                                        hexadecimal digits.) The ACL data
                                        includes all of the ACL entry
                                        specifications except the
                                        permissions (described later) that
                                        are entered separately.  The data
                                        is not interpreted; it is assumed
                                        that the ACL Manager to which the
                                        data is being passed can understand
                                        that data.


  The key identifier (principal or group name) specifies the principal or
  group to which the ACL entry applies.  For entries of entry type
  extended, key is the data passed from one ACL Manager to another. A key
  is required for the following types of ACL entries:

     +  user          - Requires a principal name only.

     +  group         - Requires a group name only.

     +  foreign_user  - Requires a fully qualified cell name in addition to
                        the principal name.

     +  foreign_group - Requires a fully qualified cell name in addition to
                        the group name.

     +  foreign_other - Requires a fully qualified cell name.


  The permissions argument specifies the set of permissions that defines
  the access rights conferred by the entry. Since each ACL Manager defines
  the permission tokens and meanings appropriate for the objects it
  controls, the actual tokens and their meanings vary.  For example, the
  Distributed File Service, the Directory Service, and the Security
  Registry Service each implement a separate ACL Manager, and each can use
  a different set of tokens and permissions.  This means that file system
  objects, objects in the namespace, and registry objects could each use
  different permissions.  Use the p[ermissions] subcommand to display the
  currently available tokens and their meanings. See the documentation for
  the DCE component you are using to obtain a more detailed description of
  its specific permissions.


   1.  The following example uses the interactive interface to set permis-
       sions for the unauthenticated and mask_obj entry type:

             sec_acl_edit> m mask_obj:rwx
             sec_acl_edit> m unauthenticated:r

   2.  The following example uses the interactive interface to set permis-
       sions for the effective user, group, and others in the ACL's cell:

             sec_acl_edit> m user_obj:crwx
             sec_acl_edit> m group_obj:rwx
             sec_acl_edit> m other_obj:rwx

   3.  The following example uses the command-line interface to invoke
       acl_edit and assign permissions for the file progress_chart to the
       authenticated user mike in the local cell:

       % acl_edit /.../ -m user:mike:cx

       Note that because this entry will be filtered through the object
       mask (mask_obj), which specifies only rwx permissions, the actual
       permissions will be rwx, not crwx. The l(ist) subcommand will show
       those permissions as follows:

             user:mike:crwx  #effective -rwx---

   4.  The following example uses the interactive interface to set permis-
       sions for the authenticated foreign user named burati in the cell
       named /.../

       sec_acl_edit> m foreign_user:/.../

   5.  The following example uses the non-interactive command-line inter-
       face to invoke acl_edit and set the Initial Container Creation
       permissions for the directory that is named walden:

       % acl_edit /.../  -ic  -m /user:walden:crwxid
  Close     HLB-list     TLB-list     Help  

[legal] [privacy] [GNU] [policy] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.