
Overview of DCE Authorization for CDS

CDS authorization allows you to control user access to the following CDS components:

· Names that are stored in the namespace, including clearinghouses, directories, object entries, soft links, and child pointers

· Execution of privileged CDS clerk and server commands

You control access to a name in the namespace by creating an access control list (ACL). An ACL contains individual ACL entries that specify the permissions you grant a user (principal) to the name with which the ACL is associated. The ACL entries that you create collectively determine which principals can use the name and what management operations they are allowed to perform on it.

CDS ACL management software, incorporated into all CDS clerks and servers, performs access checking for incoming CDS requests. When a principal requests an operation on a CDS name, ACL management software on a server that stores the name examines the ACL entries associated with the name. The software then grants or denies the operation, based on the permissions granted to the requesting principal in the ACL entries. Similarly, when a principal requests a privileged operation on a CDS clerk or server, ACL management software on that system examines the ACL entries that are associated with the principal name that represents the clerk or server. The software then grants or denies the operation, based on the permissions granted to the requesting principal in the ACL entries.

The DCE control program (dcecp) provides commands that add, modify, copy, delete, and display ACLs that are associated with CDS names, clerks, and servers. See the OSF DCE Command Reference for detailed information on the commands. The remainder of this topic describes DCE authorization as it applies specifically to CDS. Before you try to create or modify permissions to CDS names, clerks, or servers, read Part 6 of this guide for complete information on the DCE authorization mechanism.