When an application server reads through a list of ACL entries, it looks for a match between the user that wants access and the entries listed in the ACL. When the server finds a match, it examines the permissions in the matching ACL entries and applies the appropriate masks to them. If the permissions that result grant the requested access, the server grants it to the user; if not, access is denied.
More specifically, the checking sequence is as follows:
1. First, the application server checks the user entries to see if they match the requesting user; it checks the entries in the following order:
· object owner
· user
The application server stops all entry checking at the first matching entry it finds; the permissions in that entry are the ones it uses.
2. If the application server does not find a match in the previous step, it checks the following group entries in the following order:
· owner's group
· group
All of these group entries are checked. Each time the application server finds a match between the requesting user and a member of a group in the group entries, it adds that group's permissions to the permissions granted to the user. After it has read through all the group entries, if any group matched the requesting user, it stops all entry checking because it now has the combined permissions of the matching entries.
3. If the application server does not find a match in the previous steps, it checks the following entries, in the following order:
· home cell
· other cell entries
If the application server finds a match between the requesting user and one of the cell entries, it stops checking ACL entries.
4. If the application server does not find a match in the previous steps, it checks the following entry:
· all other users
If the all other users entry does not exist, the application server denies all access to the object.
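The four-step sequence above, as an added example that is not part of the original documentation. The entry kinds, the Requester and Obj fields and the permission letters are assumptions made for this example; mask application is covered in the sections referenced below and is not modeled here.

```python
from dataclasses import dataclass, field

@dataclass
class Requester:
    name: str                     # principal name of the requesting user
    cell: str                     # cell the requester belongs to
    groups: set = field(default_factory=set)

@dataclass
class Obj:
    owner: str                    # matched by the "object owner" entry
    owner_group: str              # matched by the "owner's group" entry
    home_cell: str                # matched by the "home cell" entry

# An ACL is a list of (kind, key, perms); kind names follow the entry types in the text.
# key is None for entries that take their identity from the object itself.
def _matches(kind, key, req, obj):
    return {
        "object owner":    req.name == obj.owner,
        "user":            req.name == key,
        "owner's group":   obj.owner_group in req.groups,
        "group":           key in req.groups,
        "home cell":       req.cell == obj.home_cell,
        "other cell":      req.cell == key,
        "all other users": True,
    }.get(kind, False)

def _first_match(acl, kinds, req, obj):
    # Walk the kinds in the order the text gives; the first matching entry wins.
    for kind in kinds:
        for k, key, perms in acl:
            if k == kind and _matches(k, key, req, obj):
                return set(perms)
    return None

def effective_perms(acl, req, obj):
    """Permissions the ACL grants req before masks are applied; empty set = denied."""
    # Step 1: user entries, object owner before user, stop at the first match.
    perms = _first_match(acl, ("object owner", "user"), req, obj)
    if perms is not None:
        return perms
    # Step 2: every matching group entry contributes; the union is the result.
    hits = [set(p) for k, key, p in acl
            if k in ("owner's group", "group") and _matches(k, key, req, obj)]
    if hits:
        return set().union(*hits)
    # Step 3: cell entries, home cell before other cells, stop at the first match.
    perms = _first_match(acl, ("home cell", "other cell"), req, obj)
    if perms is not None:
        return perms
    # Step 4: the all-other-users entry, or deny everything if it is absent.
    perms = _first_match(acl, ("all other users",), req, obj)
    return perms if perms is not None else set()

def access_granted(acl, req, obj, requested):
    """True only if every requested permission is in the effective set."""
    return set(requested) <= effective_perms(acl, req, obj)
```

Note that a matching user entry ends the search even when it grants fewer permissions than a group entry the requester also belongs to; a more specific entry never falls through to a less specific one.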
See ACL Checking and the Unauthenticated Mask and ACL Checking and the General Mask for information about how the mask entries are applied during the ACL checking procedure.