The Default Cell and ACL Inheritance

Recall that an ACL's default cell names the cell with respect to which the ACL is defined, and the default cell is not necessarily the cell in which the ACL exists. For example, an object in cell abc.com can have an ACL whose default cell is def.com. In this case, even though the object resides in cell abc.com, users from cell abc.com are foreign users with respect to the object's ACL.

With respect to ACLs, local users and foreign users are defined in terms of an ACL's default cell as follows:

· A local user is one whose local cell is the same as the default cell of an ACL. The following entry types are defined for local users and groups:

- user_obj

- group_obj

- other_obj

- user

- group

For example, an entry of the type user username specifies the permissions for the user username whose local cell is the same as the default cell of the ACL.

· A foreign user is one whose local cell is different from the default cell of an ACL. The following entry types are defined for foreign users and groups:

- foreign_user

- foreign_group

- foreign_other

- any_other

For example, an entry of the type foreign_user cell_name/username specifies the permissions for the user username from the cell cell_name. (The cell_name of a foreign_ entry is usually different from the default cell of an ACL, but it does not have to be.)

A directory's Object ACL, Initial Object Creation ACL, and Initial Container Creation ACL each have their own default cells. When a file or directory object is initially created, the default cell of its Object ACL is set to the local cell of the user who creates the object (the object's owner, who is named with the user_obj entry). The default cells of a new directory's Initial Creation ACLs are also set to the local cell of the user who creates the directory.

Listing an ACL's Default Cell

To determine the default cell of an ACL, include the -cell option with the dcecp acl show command, as follows:

dcecp> acl show pathname -cell

/.../cell_name

For example, the output for an ACL whose default cell is abc.com is the following:

/.../abc.com

Changing an ACL's Default Cell

To change the default cell of an ACL, use the -cell option with the dcecp acl modify command. If you indicate multiple changes with the command, the change to the default cell is applied before any other changes are applied.

The default cell of the Object ACL for an object can be changed only by a cell administrator for the File Server machine on which the object resides. The default cell of an Initial Creation ACL for a directory can be changed by any user who has the c permission on the directory's Object ACL, which always includes the owner of the directory, or by a cell administrator for the File Server machine on which the object resides. (Cell administrators are members of the group specified with the -admingroup option of the fxd command issued on the File Server machine.)

Although you can make the default cells of a directory's Object ACL, Initial Object Creation ACL, and Initial Container Creation ACL different from one another, this is not recommended. Changing each of a directory's ACLs to have different default cells can make it difficult to predict the effects of ACL inheritance. Also, because the default cell of an object's Object ACL is determined by the local cell of the user who creates the object, not by the default cell of the Initial Creation ACL that the object inherits, changing the default cell of an Initial Creation ACL is of limited utility.

Note that changing an ACL's default cell by including the -cell option with the dcecp acl modify command changes the meaning of the ACL's entries. For example, the other_obj entry no longer applies to users from the former default cell; it now applies to users from the new default cell. Also, entry types such as user_obj and user, which are defined with respect to an ACL's default cell, can now give permissions to different users in the new default cell.

If you change the default cell of an ACL, make sure you also change any user and group entries on the ACL to foreign_user and foreign_group entries as necessary. You may also want to change any foreign_user and foreign_group entries that apply to the new default cell to user and group entries.
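The following is an added example, not part of the DCE/DFS documentation: a small Python model of the local/foreign distinction described above, of the inheritance rule for a new object's Object ACL, and of what changing an ACL's default cell does to the meaning of its entries. The entry type names are the ones listed on this page; the cells (abc.com, def.com), users, groups, permission strings and the entry precedence order are constructed for the example, and the real DFS permission-checking algorithm is not reproduced.

```python
# Added example (not from the DCE/DFS documentation): a model of how ACL entries are
# read relative to the ACL's default cell. Precedence order, cells, users and
# permission strings are constructed; the real DFS checking algorithm is not modeled.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Principal:
    cell: str                        # the principal's local cell
    name: str
    groups: frozenset = frozenset()  # groups the principal belongs to in its own cell

@dataclass(frozen=True)
class Entry:
    etype: str  # one of the page's entry types, e.g. "user", "foreign_user", "any_other"
    key: str    # "" for *_obj/any_other, "name" for user/group,
                # "cell/name" for foreign_user/foreign_group, "cell" for foreign_other
    perms: str  # permission letters, e.g. "rwxcid"

@dataclass(frozen=True)
class Acl:
    default_cell: str
    owner: str         # the user that user_obj stands for
    owning_group: str  # the group that group_obj stands for
    entries: tuple

# Most specific entry type first (constructed simplification, not DFS's exact order).
PRECEDENCE = ("user_obj", "user", "foreign_user", "group_obj", "group",
              "foreign_group", "other_obj", "foreign_other", "any_other")

def is_local(p: Principal, acl: Acl) -> bool:
    return p.cell == acl.default_cell   # compared with the default cell, not the object's cell

def entry_applies(e: Entry, p: Principal, acl: Acl) -> bool:
    """Interpret one entry relative to the ACL's default cell and test it against p."""
    if is_local(p, acl):
        return ((e.etype == "user_obj" and p.name == acl.owner)
                or (e.etype == "user" and e.key == p.name)
                or (e.etype == "group_obj" and acl.owning_group in p.groups)
                or (e.etype == "group" and e.key in p.groups)
                or e.etype == "other_obj")
    cell, _, name = e.key.partition("/")
    return ((e.etype == "foreign_user" and (cell, name) == (p.cell, p.name))
            or (e.etype == "foreign_group" and cell == p.cell and name in p.groups)
            or (e.etype == "foreign_other" and cell == p.cell)
            or e.etype == "any_other")

def effective_perms(p: Principal, acl: Acl) -> str:
    """Permissions from the most specific applicable entry, or "" if none applies."""
    for etype in PRECEDENCE:
        for e in acl.entries:
            if e.etype == etype and entry_applies(e, p, acl):
                return e.perms
    return ""

def change_default_cell(acl: Acl, new_cell: str) -> Acl:
    """acl modify -cell in this model: entries keep their text, only the cell changes."""
    return replace(acl, default_cell=new_cell)

def rewrite_entries_for_cell_change(acl: Acl, new_cell: str) -> Acl:
    """The follow-up the page recommends: user/group entries meant the old default cell,
    so they become foreign_ entries for it; foreign_ entries for the new cell become local."""
    old = acl.default_cell
    out = []
    for e in acl.entries:
        if e.etype in ("user", "group"):
            out.append(replace(e, etype="foreign_" + e.etype, key=f"{old}/{e.key}"))
        elif e.etype in ("foreign_user", "foreign_group"):
            cell, _, name = e.key.partition("/")
            out.append(replace(e, etype=e.etype[len("foreign_"):], key=name)
                       if cell == new_cell else e)
        else:
            out.append(e)
    return replace(acl, default_cell=new_cell, entries=tuple(out))

def create_object(creator: Principal, initial_acl: Acl) -> Acl:
    """Inheritance rule from the page: entries come from the Initial Creation ACL, but
    the default cell is the creator's local cell and the creator is the user_obj owner."""
    return replace(initial_acl, default_cell=creator.cell, owner=creator.name)

# Constructed sample: an object in cell abc.com whose ACL's default cell is abc.com.
ACL = Acl(default_cell="abc.com", owner="alice", owning_group="staff", entries=(
    Entry("user_obj", "", "rwxcid"),
    Entry("user", "bob", "rx"),
    Entry("group_obj", "", "rx"),
    Entry("other_obj", "", "r"),
    Entry("foreign_user", "def.com/carol", "rw"),
    Entry("foreign_other", "def.com", "r"),
    Entry("any_other", "", ""),
))
ALICE_ABC = Principal("abc.com", "alice", frozenset({"staff"}))
BOB_ABC = Principal("abc.com", "bob")
CAROL_DEF = Principal("def.com", "carol")
ALICE_DEF = Principal("def.com", "alice")

if __name__ == "__main__":
    moved = change_default_cell(ACL, "def.com")
    for who in (ALICE_ABC, BOB_ABC, CAROL_DEF, ALICE_DEF):
        print(who.cell, who.name, effective_perms(who, ACL), "->", effective_perms(who, moved))
```

Running the model shows the effect the page warns about: after the default cell moves from abc.com to def.com, the unchanged user_obj entry grants full permissions to alice from def.com instead of alice from abc.com, carol from def.com is now matched by other_obj rather than by her foreign_user entry, and bob from abc.com matches nothing until his user entry is rewritten as foreign_user abc.com/bob. Note that rewrite_entries_for_cell_change leaves user_obj alone, since that entry always names the owner relative to the default cell; in this model the former owner would need an explicit foreign_user entry to keep any access.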