
Defining the ACL Managers for Attributes

When you define an extended attribute type, you must define the objects to which the attribute can be attached and the permissions required to access the attribute. To do this, you associate the attribute type with one or more ACL managers and supply the permission sets that control access to attribute instances of that type. The attribute can be attached only to objects that are supported by the ACL manager types named in its ACL manager set, and only the permissions named in the ACL manager set are valid for accessing the attribute instance. (These permissions are in addition to the permissions already established by the ACL manager for the object it controls.) For example, suppose the ACL manager set for an attribute type named MVSname lists only the ACL manager type for principals. Then instances of the MVSname attribute type can be attached only to principals and not to any other registry objects, and the ACL manager set for MVSname also contains the permissions that control access to MVSname instances.

Use the dcecp xattrschema -aclmgr option to specify an attribute's ACL manager set. This option has the following form:

{mgr_uuid queryset updateset testset deleteset}

where:

mgr_uuid
Is the UUID that identifies the ACL manager to be associated with the attribute type. You can supply either the UUID or one of the following shorthand names (which dcecp converts internally to a UUID) for the ACL manager types provided by DCE:

policy
To access the ACL manager for the policy object.

principal
To access the ACL manager for principals.

group
To access the ACL manager for groups.

organization
To access the ACL manager for organizations.

secdirectory
To access the ACL manager for directories in the registry database.

replist
To access the ACL manager for the replica list.

xattrschema
To access the ACL manager for the registry schema.

srvrconf
To access the ACL manager for the dced object.

queryset
Is the permission set to query instances of the attribute.

updateset
Is the permission set to modify instances of the attribute.

testset
Is the permission set to test instances of the attribute.

deleteset
Is the permission set to delete instances of the attribute.

To enter a permission set with more than one permission, concatenate the permissions; for example, to enter the permissions t, M, and d, enter tMd.

Enclose each ACL manager type's information in braces and separate the items with a space (except, of course, between the permissions within a concatenated permission set).

For example, the following command adds an additional ACL manager to the MVS_name attribute type:

dcecp> xattrschema modify /.:/sec/xattrschema/MVS_name \
-aclmgr {18dbdad2-23df-11cd-82d4-080009251352 r w t mD}
dcecp>

The command adds an ACL manager identified by the UUID 18dbdad2-23df-11cd-82d4-080009251352 to the MVS_name attribute type. The permission sets for that ACL manager are as follows:

· r is the query permission set

· w is the update permission set

· t is the test permission set

· mD is the delete permission set

Note that you cannot modify or delete an entry in an attribute type's ACL manager set once it has been defined. You can, however, add entries for additional ACL manager types, as the example above does.
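The following is an added example, not code from DCE or dcecp, that models the -aclmgr entry format described above ({mgr_uuid queryset updateset testset deleteset}, with permissions concatenated inside each set) and the append-only rule for an attribute type's ACL manager set. The shorthand manager names are the ones listed on this page; the UUID check is format-only (nothing is looked up in a registry), and treating a permission set as "all listed permissions are required" is an assumption of this example, as is the AclManagerSet class itself, which is not part of dcecp.

```python
import re
import uuid

# Shorthand names dcecp accepts in place of an ACL manager UUID (from the page).
ACL_MANAGER_SHORTHANDS = {
    "policy": "policy object",
    "principal": "principals",
    "group": "groups",
    "organization": "organizations",
    "secdirectory": "registry directories",
    "replist": "replica list",
    "xattrschema": "registry schema",
    "srvrconf": "dced object",
}

# The four permission sets, in the order they appear inside the braces.
PERMSET_NAMES = ("queryset", "updateset", "testset", "deleteset")

# A permission set is a run of permission letters with no spaces, e.g. "tMd".
_PERM_RE = re.compile(r"^[A-Za-z]+$")


def parse_aclmgr_entry(text):
    """Parse one brace-enclosed -aclmgr entry into (manager, {setname: frozenset}).

    The manager may be a UUID (format-checked only, assumed not to be looked up
    anywhere) or one of the shorthand names above.
    """
    s = text.strip()
    if not (s.startswith("{") and s.endswith("}")):
        raise ValueError("entry must be enclosed in braces: %r" % text)
    items = s[1:-1].split()
    if len(items) != 5:
        raise ValueError("expected manager plus 4 permission sets, got %d items: %r"
                         % (len(items), items))
    mgr, sets = items[0], items[1:]
    if mgr not in ACL_MANAGER_SHORTHANDS:
        try:
            mgr = str(uuid.UUID(mgr))  # canonical lowercase form; format check only
        except ValueError:
            raise ValueError("manager %r is neither a UUID nor a known shorthand" % mgr)
    perms = {}
    for name, value in zip(PERMSET_NAMES, sets):
        if not _PERM_RE.match(value):
            raise ValueError("%s %r must be concatenated permission letters" % (name, value))
        if len(set(value)) != len(value):
            raise ValueError("%s %r repeats a permission" % (name, value))
        perms[name] = frozenset(value)
    return mgr, perms


def entry_error(text):
    """Return the validation error message for an entry, or None if it parses."""
    try:
        parse_aclmgr_entry(text)
    except ValueError as e:
        return str(e)
    return None


class AclManagerSet:
    """Append-only model (assumed, for illustration) of an attribute type's
    ACL manager set: existing entries can neither be modified nor deleted,
    only entries for additional manager types can be added."""

    def __init__(self):
        self._managers = {}

    def add(self, entry_text):
        mgr, perms = parse_aclmgr_entry(entry_text)
        if mgr in self._managers:
            raise ValueError("ACL manager %r already in set; entries cannot be changed" % mgr)
        self._managers[mgr] = perms
        return mgr

    def managers(self):
        return sorted(self._managers)

    def permitted(self, mgr, operation, held):
        """True if the permissions `held` on the object (a string of letters)
        include every permission the entry lists for `operation`.
        Assumption: all letters in a set are required, not any one of them."""
        required = self._managers[mgr][operation]
        return required <= set(held)


if __name__ == "__main__":
    # Constructed input: the entry from the page's dcecp example.
    s = AclManagerSet()
    s.add("{18dbdad2-23df-11cd-82d4-080009251352 r w t mD}")
    print(s.managers())
    print(s.permitted(s.managers()[0], "deleteset", "mD"))
```

The parser rejects an entry with a missing permission set or a space inside a set, which is the mistake the braces-and-spaces rule above guards against; the add() method refuses a second entry for a manager already present, matching the note that existing entries cannot be changed.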