ACL Entry Types for Users and Groups

Most ACL entry types are used to specify the permissions granted to users and groups. To fully understand how ACL entries for users and groups are defined and interpreted, you need to understand the concept of an ACL's default cell. Recall that a user's local, or home, cell is the cell in whose Registry Database the user's principal and account are defined. Just as each user has a local cell, each ACL has a default cell.

An ACL's default cell names the cell with respect to which the ACL's entries are defined. A user or group named in an ACL entry is assumed to be from the default cell unless the entry explicitly names a different cell. The default cell is not necessarily the cell in which the ACL exists. For example, an object in cell abc.com can have an ACL whose default cell is def.com. With respect to ACLs, a local user is one whose local cell is the same as the default cell of an ACL; conversely, a foreign user is one whose local cell is different from the default cell of an ACL.

The table below lists the different types of ACL entries, their use of entry keys, and the users and groups to which they apply. As necessary, the table provides information about how an ACL's default cell affects the interpretation of the entry.

ACL Entry Types for Users and Groups

Type           Key                    Applies to
user_obj       None                   The user who owns the object. The user is from the default cell.
user           username               The user username from the default cell.
foreign_user   cell_name/username     The user username from the foreign cell cell_name.
group_obj      None                   Members of the group that owns the object. The group is from the default cell.
group          group_name             Members of the group group_name from the default cell.
foreign_group  cell_name/group_name   Members of the group group_name from the foreign cell cell_name.
other_obj      None                   Users from the default cell who do not match any of the preceding entries.
foreign_other  cell_name              Users from the foreign cell cell_name who do not match any of the preceding entries.
any_other      None                   Users from any foreign cell who do not match any of the preceding entries.

The default cell of an ACL, not the cell in which the ACL resides, determines the cell with respect to which the following entry types are defined:

· user_obj

· user

· group_obj

· group

· other_obj

For instance, a user entry specifies the permissions for a user whose local cell is the same as the default cell of an ACL. Whereas the entry types in the previous list refer to users and groups whose local cell is the same as an ACL's default cell, the foreign_user, foreign_group, foreign_other, and any_other entry types refer to users and groups whose local cells are different from an ACL's default cell. For instance, a foreign_user entry specifies the permissions for a user whose local cell is different from the default cell of an ACL. (Note that foreign_ entries can exist for users or groups from the default cell. See The Default Cell and ACL Inheritance for more information about an ACL's default cell, how it is listed, and how it is set.)

Some examples of ACL entries for users and groups follow:

{user_obj permissions}
Defines the permissions for the user who owns the object. The user is from the default cell.

{user frost permissions}
Defines the permissions for the user named frost from the default cell.

{group writers permissions}
Defines the permissions for the group named writers from the default cell.

{foreign_user /.../abc.com/wvh permissions}
Defines the permissions for the user named wvh from the foreign cell named abc.com.

{foreign_group /.../abc.com/writers permissions}
Defines the permissions for the group named writers from the foreign cell named abc.com.

The following rules govern the appearance of entries for users and groups on the ACLs of DCE LFS objects:

· The user_obj, group_obj, and other_obj entries must exist; all other entry types for users and groups are always optional.

· Only one entry of the same specificity (the same entry type and, if applicable, the same key) can exist on an ACL; for example, only one user entry can exist for a given username from the default cell.

Note: The first rule applies only to ACLs on DCE LFS objects, not to ACLs on objects associated with other DCE components. DCE LFS enforces these restrictions in an effort to track Draft 12 of the POSIX standard for ACLs on file and directory objects. (POSIX is a prominent collection of standards specifications for the computer industry.)
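As an added illustration (not code from the DCE documentation or from DFS itself), the following Python parses entries in the {type key permissions} form shown above, checks the two DCE LFS rules, and resolves which entry applies to a given principal, showing how the default cell changes the meaning of a user or group entry. It assumes the table's top-to-bottom order is the order in which entries are tried, accepts a foreign_other key written as /.../cell_name, models only the user and group entry types listed here, and uses constructed owner, group and cell names.

```python
from collections import Counter

KEYLESS = {"user_obj", "group_obj", "other_obj", "any_other"}  # types that take no key (see table)
# Table order, used here as the matching order: each *_other entry covers only principals
# "who do not match any of the preceding entries" (assumption: no other entry types modelled).
ORDER = ["user_obj", "user", "foreign_user", "group_obj", "group",
         "foreign_group", "other_obj", "foreign_other", "any_other"]

def parse_entry(text):
    """Parse '{type [key] permissions}' into (type, key, permissions). A '/.../cell/name'
    key becomes (cell, name); a foreign_other key becomes the bare cell name."""
    parts = text.strip().strip("{}").split()
    etype = parts[0]
    if etype in KEYLESS:
        return etype, None, parts[1]
    key, perms = parts[1], parts[2]
    if etype.startswith("foreign_"):
        pieces = (key[5:] if key.startswith("/.../") else key).split("/")
        key = pieces[0] if etype == "foreign_other" else (pieces[0], pieces[1])
    return etype, key, perms

def check_rules(entries):
    """DCE LFS rules: user_obj, group_obj and other_obj must exist; no (type, key) twice."""
    missing = {"user_obj", "group_obj", "other_obj"} - {e[0] for e in entries}
    dups = [k for k, n in Counter((e[0], e[1]) for e in entries).items() if n > 1]
    return sorted(f"missing {t}" for t in missing) + [f"duplicate {t} {k}" for t, k in dups]

def matching_entry(default_cell, owner, owner_group, entries, cell, user, groups):
    """First (type, permissions) in ORDER that applies to `user` whose local cell is
    `cell` and whose groups are `groups`, each as (cell, group_name). The owner and
    owning group are from the default cell, as the table states."""
    local = cell == default_cell
    for wanted in ORDER:
        for etype, key, perms in entries:
            if etype == wanted and (
                (etype == "user_obj" and local and user == owner)
                or (etype == "user" and local and user == key)
                or (etype == "foreign_user" and key == (cell, user))
                or (etype == "group_obj" and (default_cell, owner_group) in groups)
                or (etype == "group" and (default_cell, key) in groups)
                or (etype == "foreign_group" and key in groups)
                or (etype == "other_obj" and local)
                or (etype == "foreign_other" and key == cell)
                or (etype == "any_other" and not local)):
                return etype, perms
    return None

# Constructed sample: an object in abc.com whose ACL's default cell is def.com.
ACL = [parse_entry(e) for e in (
    "{user_obj rwx}", "{user frost rw-}", "{group writers r-x}", "{group_obj r--}",
    "{foreign_user /.../abc.com/wvh r--}", "{foreign_group /.../abc.com/writers r--}",
    "{other_obj ---}", "{foreign_other /.../abc.com ---}", "{any_other ---}")]
```

With this ACL, frost from def.com gets the user entry, while a different frost from abc.com does not, because the user entry refers to the default cell def.com.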