
Using Principal and Group ACL Entries

When a security mechanism applies an ACL, the ACL entries are checked in a particular order: the most specific entries are considered before the less specific ones.

When using the ACL entry types for principals and groups, think of the user_obj, group_obj, and other_obj types as analogous to the POSIX file permissions for user, group, and other. Use the user and group types to specify permissions for a specific principal or a specific group.

The user_obj, group_obj, other_obj, user, and group entry types apply to principals and groups in the default cell of the ACL. To set permissions for specific principals and groups in a foreign cell, use the foreign_user and foreign_group entries. These entries set permissions in a foreign cell in the same way that user and group entries do in the default cell. Use foreign_other to set permissions for others in the foreign cell, in the same way that other_obj does for others in the default cell.

The any_other entry type sets permissions for all local and foreign principals to which none of the other entry types apply. If any other type of entry matches a local or foreign principal, either explicitly or implicitly, the any_other entry is not applied. This is because once the ACL manager finds a match between a principal and an entry, it stops examining the ACL and applies the matching entry (or, in the case of groups, the matching entries). The ACL manager examines all other ACL entry types, except for the mask types, for a match before it examines the any_other entry type. See The Checking Sequence for ACL Entries for details of the order of ACL checking.
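As an added illustration (not code from the original documentation), the following Python model applies the matching behaviour described above to a constructed sample ACL: principal-specific entries are checked first and the first match ends the check, all matching group entries are combined, and the other/any_other entries are reached only when nothing more specific matched. The exact ordering within each stage is assumed to follow the DCE checking sequence referenced above; mask entries are deliberately left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    cell: str
    groups: frozenset  # (group_name, group_cell) pairs the principal belongs to

# ACL entry = (entry_type, key, permission string). key is None for the *_obj
# and any_other types, "name" for user/group, "cell/name" for foreign_user and
# foreign_group, and "cell" for foreign_other. Masks are not modeled here.
def effective_perms(acl, owner, owning_group, default_cell, p):
    def find(etype, key=None):
        return [perms for (t, k, perms) in acl if t == etype and k == key]
    local = p.cell == default_cell
    # 1. Principal-specific entries, most specific first: first match ends the check.
    if local and p.name == owner and find("user_obj"):
        return set(find("user_obj")[0])
    hit = find("user", p.name) if local else find("foreign_user", f"{p.cell}/{p.name}")
    if hit:
        return set(hit[0])
    # 2. Group entries: every matching group entry contributes (union of permissions).
    granted, matched = set(), False
    if (owning_group, default_cell) in p.groups:
        for perms in find("group_obj"):
            granted, matched = granted | set(perms), True
    for gname, gcell in p.groups:
        key = gname if gcell == default_cell else f"{gcell}/{gname}"
        for perms in find("group" if gcell == default_cell else "foreign_group", key):
            granted, matched = granted | set(perms), True
    if matched:
        return granted
    # 3. "Other" entry for the principal's cell, then the any_other catch-all.
    hit = find("other_obj") if local else find("foreign_other", p.cell)
    if hit:
        return set(hit[0])
    hit = find("any_other")
    return set(hit[0]) if hit else set()

# Constructed sample ACL: object owned by carol / group devs in cell_a.
SAMPLE_ACL = [
    ("user_obj", None, "rwxc"), ("user", "alice", "rw"),
    ("foreign_user", "cell_b/bob", "r"),
    ("group_obj", None, "rx"), ("group", "auditors", "r"),
    ("foreign_group", "cell_b/staff", "r"),
    ("other_obj", None, "r"), ("foreign_other", "cell_b", "r"),
    ("any_other", None, "x"),
]

def check(name, cell, groups=()):
    return effective_perms(SAMPLE_ACL, "carol", "devs", "cell_a",
                           Principal(name, cell, frozenset(groups)))
```

Note that alice, although a member of matching groups, receives only the user entry's permissions, while dave (no user entry) receives the union of group_obj and group; eve, a foreign group member, never reaches the any_other entry.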