When a user tries to perform an operation on an object, DCE LFS examines the object's ACL to determine whether the user is granted the necessary permissions by an entry on the ACL. For example, to read a file, a user must be granted the read permission on the file (as well as the execute permission on each directory that leads to the file).
To determine a user's permissions for an object, DCE LFS evaluates the entries on the object's ACL according to the checking sequence described in the following list. DCE LFS stops evaluating the entries as soon as the user matches a condition described in the list. Evaluation proceeds to a condition in the checking sequence only if the user fails to match all of the previous conditions. (See the table in ACL Entry Types for Users and Groups for a description of the ACL entry types referred to in the following list.)
1. The user owns the object. DCE LFS grants the user the permissions specified with the user_obj entry. The permissions are not filtered through the mask_obj entry. Note that the user_obj entry always explicitly has the c permission; the c permission cannot be removed from the user_obj entry.
2. A user or foreign_user entry exists for the user. DCE LFS grants the user the permissions specified with the entry after filtering the permissions through the mask_obj entry.
3. The user belongs to the group that owns the object (the owning group's permissions are specified with the group_obj entry) or to any other groups that have group or foreign_group entries. If one or more group-related entries on the ACL apply, DCE LFS grants the user all of the permissions accrued from the applicable group entries after filtering the permissions through the mask_obj entry, if it exists. The user accrues permissions from all of the groups to which the user belongs.
4. The user is from the default cell. DCE LFS grants the user the permissions specified with the other_obj entry. The permissions are not filtered through the mask_obj entry.
5. The user belongs to a foreign cell that has a foreign_other entry. DCE LFS grants the user the permissions specified with the entry for that cell after filtering the permissions through the mask_obj entry.
6. The user is from a foreign cell that does not have a foreign_other entry. DCE LFS grants the user the permissions specified with the any_other entry, if it exists, after filtering the permissions through the mask_obj entry.
7. The user matches no entry. DCE LFS denies the user access to the object.
Before DCE LFS evaluates a user's permissions, DFS first determines whether the user is authenticated. If the user is authenticated, ACL evaluation proceeds as described in the previous list. If the user is not authenticated, DFS assigns the user the identity nobody and treats the identity as a foreign user from an unknown cell, regardless of the cell from which the unauthenticated user requests access to the object. ACL evaluation based on the identity nobody then proceeds accordingly.
When DCE LFS evaluates an ACL, it evaluates the more-specific entries before it evaluates the less-specific entries. Thus, the permissions granted to a group are applied to a user who is a member of the group only if the user is not granted permissions via the user_obj entry or a user or foreign_user entry. If an individual is granted one set of permissions as a user and another, wider set of permissions as a group member, the additional permissions granted to the group are not recognized; DCE LFS stops checking the ACL once it encounters the more-specific user-related entry.
For example, suppose user dale belongs to a group that has the read and write permissions on a file through the group_obj entry on the file's ACL. Suppose further that dale is also specified in a user entry that grants only the read permission. The relevant entries from the ACL follow (assume the mask_obj entry permits the r and w permissions):
{user dale r - - }
{group_obj rw - - }
Because the more-specific user entry is evaluated before the group_obj entry, DCE LFS denies dale write access for the file.
Note: A user can match both the user_obj entry and a user or foreign_user entry; in this case, the user is granted permissions from only the user_obj entry. Similarly, a group can match both the group_obj entry and a group or foreign_group entry; in this case, however, members of the group accrue permissions from both entries.
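The checking sequence above, including the nobody rule and the dale example, as an added illustration written for this page (it is not DFS code); the Principal class, the (type, key, perms) entry layout and the cell names are assumptions made here.

```python
from dataclasses import dataclass, field
LOCAL_CELL = "local.cell"   # constructed name for the default (local) cell

@dataclass
class Principal:
    name: str
    cell: str                                  # cell the user comes from
    groups: set = field(default_factory=set)   # {(cell, group), ...}
    authenticated: bool = True

def _lookup(acl, etype, key=None):
    # permissions of one (type, key, perms) entry as a frozenset, or None if absent
    for t, k, perms in acl:
        if t == etype and k == key:
            return frozenset(perms)
    return None

def evaluate(acl, owner, owning_group, who):
    # walk the seven-step checking sequence and return the permissions granted
    if not who.authenticated:   # DFS: unauthenticated -> nobody from an unknown cell
        who = Principal("nobody", "unknown.cell")
    mask = _lookup(acl, "mask_obj")
    masked = lambda p: p if mask is None else p & mask
    foreign = who.cell != LOCAL_CELL
    # 1. owner: user_obj, never filtered through mask_obj, always carries c
    if (who.name, who.cell) == owner:
        return (_lookup(acl, "user_obj") or frozenset()) | {"c"}
    p = _lookup(acl, "foreign_user", (who.cell, who.name)) if foreign else _lookup(acl, "user", who.name)
    if p is not None:           # 2. an explicit user / foreign_user entry: masked
        return masked(p)
    # 3. owning group plus any group / foreign_group entries: accrue all, then mask
    hits = [_lookup(acl, "group_obj")] if owning_group in who.groups else []
    hits += [_lookup(acl, "group", g) if c == LOCAL_CELL else _lookup(acl, "foreign_group", (c, g))
             for c, g in who.groups]
    if any(h is not None for h in hits):
        return masked(frozenset().union(*[h for h in hits if h is not None]))
    # 4. default-cell user with no more specific entry: other_obj, unmasked
    if not foreign:
        return _lookup(acl, "other_obj") or frozenset()
    # 5. foreign cell with its own foreign_other entry, else 6. any_other; both masked
    p = _lookup(acl, "foreign_other", who.cell)
    if p is None:
        p = _lookup(acl, "any_other")
    return masked(p) if p is not None else frozenset()   # 7. no entry matched: denied

# Constructed sample modelled on the dale example above, plus a devs group entry.
SAMPLE_ACL = [("user_obj", None, "rwc"), ("group_obj", None, "rw"), ("mask_obj", None, "rw"),
              ("user", "dale", "r"), ("group", "devs", "rwx"), ("other_obj", None, "r"), ("any_other", None, "r")]
SAMPLE_OWNER = ("admin", LOCAL_CELL)       # (name, cell) of the owning user
SAMPLE_GROUP = (LOCAL_CELL, "staff")       # (cell, name) of the owning group
```

With this sample, dale gets only r even though the owning group has rw, while another staff member who is also in devs accrues rwx from both group entries and is then masked down to rw.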