
Using Names with the dcecp acl Command

Unlike other dcecp security commands, the dcecp acl command works with ACLs that can be maintained by DCE services other than security. Like any generic tool that operates on objects that can exist in different namespaces, dcecp acl requires the object's fully qualified CDS path name instead of just object_name.

For example, to use the dcecp acl command to change the ACL that is associated with principal bach's registry account, you must enter the following fully qualified name:

/.../dresden.com/sec/principal/bach

or

/.:/sec/principal/bach

Similarly, to use dcecp acl to manipulate the ACL on the principal directory of the registry database, which controls who can add or delete principals, you must enter the following fully qualified name:

/.../dresden.com/sec/principal

In a hierarchical cell, one name can represent both a directory and a principal. For example, assume that a principal name is stored in Cell A's registry to represent a cell with which Cell A engages in cross-cell authentication. The name for the cell in the registry is

/.:/sec/principal/vienna.com

This cell name can also represent the name of a directory, such as

/.:/sec/principal/vienna.com/violinists_cell

For these cases, the dcecp acl command provides an option that identifies whether you are entering a directory name or a principal name.