Defining the ACL Managers for Attributes
When you define an extended attribute type, you must define the objects to which the attribute can be attached and the permissions to access the attribute. To do this, you associate an attribute type with one or more ACL managers, and you supply the permission sets that control access to attribute instances of that type. The attribute can be attached only to the objects that are supported by the ACL manager types named in its ACL manager set. And, only the permissions named in the ACL manager set are valid for accessing the attribute instance. (Note that these permissions are in addition to the permissions already established by the ACL manager for the object it controls.) For example, suppose an ACL manager set for an attribute type named MVSname lists only the ACL manager type for principals. Then, instances of the attribute type named MVSname can be attached only to principals and not any other registry objects. The ACL manager set for the MVSname attribute also contains the permissions that control access to the MVSname attribute.
Use the dcecp xattrschema -aclmgr option to specify an attribute's ACL manager set. This option has the following form:
{mgr_uuid queryset updateset testset deleteset }
where:
mgr_uuid    Is the UUID that identifies the ACL manager to be associated with the attribute type. You can supply either the UUID or one of the following shorthand names (which are converted internally to a UUID) to access the ACL manager types provided by DCE:
            policy        To access the ACL manager for the policy object.
            principal     To access the ACL manager for principals.
            group         To access the ACL manager for groups.
            organization  To access the ACL manager for organizations.
            secdirectory  To access the ACL manager for directories in the registry database.
            replist       To access the ACL manager for the replica list.
            xattrschema   To access the ACL manager for the registry schema.
            srvrconf      To access the ACL manager for the dced object.
queryset    Is the permission set to query instances of the attribute.
updateset   Is the permission set to modify instances of the attribute.
testset     Is the permission set to test instances of the attribute.
deleteset   Is the permission set to delete instances of the attribute.
To enter a permission set with more than one permission, concatenate the permissions; for example, to enter the permissions t, M, and d, enter tMd.
Enclose each ACL manager type's information in braces and leave a space between each item (except, of course, between items in the concatenated permission sets).
For example, consider the following command to define an additional ACL manager for the MVS_name attribute:
dcecp> xattrschema modify /.:/sec/xattrschema/MVS_name \
-aclmgr {18dbdad2-23df-11cd-82d4-080009251352 r w t mD}
dcecp>
The command adds an ACL manager identified by the UUID 18dbdad2-23df-11cd-82d4-080009251352 to the MVS_name attribute. The permission sets for the ACL manager are as follows:
· r is the query permission set
· w is the update permission set
· t is the test permission set
· mD is the delete permission set
Note that you cannot modify or delete an attribute type's ACL manager set. However, you can add additional manager types to it.
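The following Python is an added illustration, not dcecp's own code: it parses an -aclmgr entry in the form shown above, validates it, and applies the two rules stated earlier (an instance can be attached only to objects of a listed manager type, and the entry's own permission sets govern query, update, test and delete on the instance). The shorthand-to-UUID mapping is not given on this page, so shorthand names are kept as names and any well-formed UUID is accepted.

```python
import re
from dataclasses import dataclass
# Shorthand names the page lists for DCE's ACL manager types. dcecp maps them to
# UUIDs internally; those UUIDs are not on the page, so any well-formed UUID is also accepted.
MANAGER_SHORTHANDS = {"policy", "principal", "group", "organization",
                      "secdirectory", "replist", "xattrschema", "srvrconf"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
OPERATIONS = ("query", "update", "test", "delete")  # field order after mgr_uuid

@dataclass
class AclMgrEntry:
    manager: str   # shorthand name or UUID of the ACL manager type
    perms: dict    # operation -> set of single-letter permissions

def parse_aclmgr(spec: str) -> AclMgrEntry:
    """Parse one -aclmgr entry: {mgr_uuid queryset updateset testset deleteset}."""
    body = spec.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("entry must be enclosed in braces")
    fields = body[1:-1].split()
    if len(fields) != 5:
        raise ValueError(f"expected a manager plus 4 permission sets, got {fields}")
    manager, *sets = fields
    if manager not in MANAGER_SHORTHANDS and not UUID_RE.match(manager):
        raise ValueError(f"unknown ACL manager type {manager!r}")
    perms = {}
    for op, s in zip(OPERATIONS, sets):
        if not s.isalpha():  # a set is concatenated letters, e.g. tMd
            raise ValueError(f"{op} set {s!r} must be concatenated letters")
        perms[op] = set(s)
    return AclMgrEntry(manager, perms)

def is_valid_aclmgr(spec: str) -> bool:
    try:
        parse_aclmgr(spec)
        return True
    except ValueError:
        return False

def attachable_to(entries: list, object_manager: str) -> bool:
    """Instances may be attached only to objects whose manager type is in the set."""
    return any(e.manager == object_manager for e in entries)

def required_perms(entries: list, object_manager: str, operation: str):
    """Permission set for `operation` on that object type, or None if not attachable there."""
    for e in entries:
        if e.manager == object_manager:
            return e.perms[operation]
    return None
```

With an ACL manager set of only `{principal r w t mD}` (the MVSname case above), `attachable_to(entries, "group")` is False and `required_perms(entries, "principal", "delete")` is the set {m, D}.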