Every directory and object in the dictionary can have an access
control list. An ACL generally consists of one or more ACL
entries, although an ACL can be empty. Each entry in an access
control list performs two functions:
o It identifies individual users or classes of users to whom the
ACL entry applies.
o It specifies the access privileges of the user or class of
users to whom the entry applies.
An entry in the ACL of a dictionary object or directory has two
parts:
o The user identification criteria
See the subtopic Identification for more information.
o The privilege specification
See the subtopic Specification for more information.
For a list of access privileges, see the subtopic Access_
Privileges.
The DEFINEP command creates an ACL entry. The DELETEP command
removes an ACL entry. The SHOWP command displays an ACL entry.
The SHOW PRIVILEGE command displays your access privileges to
a directory/dictionary or object. For more information, see the
help for these commands.
1 – Access Privileges CDO
Privilege Description
C Lets you create, modify, and delete access control list
(CONTROL) entries.
D Lets you delete and purge dictionary objects, as well
(DELETE) as empty dictionary directories.
E Lets you ready a domain for EXTEND access.
(EXTEND)
M (DTR_ Lets you ready a domain for READ and MODIFY access.
MODIFY)
R (READ) Lets you ready a domain for READ access, display
dictionary definitions with a SHOW command, use the
EDIT command, and copy them into a command file with an
EXTRACT command.
S (SHOW) Lets you see the definition of a dictionary object and
the ACL of a dictionary or object. SHOW access to a
domain definition and its associated record definition
is necessary to define a data file and then to ready
the domain. SHOW access to a dictionary lets you show
the contents of the dictionary.
U Lets you change the definition of a dictionary object.
(CHANGE) On a dictionary, U lets you define new objects or
delete objects in the dictionary.
W Lets you ready a domain for WRITE access.
(WRITE)
2 – Access Privileges DMU
Privilege Description
C Lets you read, create, modify, and delete access
(CONTROL) control list entries. You cannot deny yourself CONTROL
privilege.
D Lets you delete dictionary objects, as well as
(LOCAL_ directories and subdictionaries with no children, and
DELETE) to edit, replace, or recompile definitions stored in
the dictionary.
E (DTR_ Lets you ready a domain for any type of access, to
EXTEND_ access a table, or to invoke a procedure.
/EXECUTE)
F Lets you create subdictionaries.
(FORWARD)
G Lets you delete dictionary directories and
(GLOBAL_ subdictionaries, including any children they may have,
DELETE) with a single command.
H Lets you add entries to history lists with the
(HISTORY) Dictionary Management Utility (DMU).
M (DTR_ Lets you ready a domain for READ and MODIFY access.
MODIFY)
P (PASS_ Lets you use a dictionary directory, subdictionary, or
THRU) object in a path name. You cannot deny yourself PASS_
THRU privilege.
R (DTR_ Lets you ready a domain for READ access, display
READ) dictionary definitions with a SHOW command, use the
EDIT command, and copy them into a command file with an
EXTRACT command.
S (SEE) Lets you see the definition of a dictionary object. SEE
access to a domain definition and its associated record
definition is necessary to define a data file and then
to ready the domain.
U Lets you update the definition of a dictionary object.
(UPDATE)
W (DTR_ Lets you ready a domain for WRITE access.
WRITE)
X Lets you create children of dictionary directories and
(EXTEND) subdictionaries.
3 – Identification
The user identification criteria form the first part of an ACL
entry. The user identification criteria determine the user or
class of users to whom the entry applies. The dictionary compares
the user identification criteria with the characteristics of the
user's process and with any passwords appended to the given name
of the object or directory.
An ACL on a directory or object in the DMU format dictionary
can identify you by your username, your UIC (User Identification
Code), a password, your terminal number or job class.
An ACL on a CDO format dictionary or object can identify you by
your username, your UIC (User Identification Code), or your job
class.
In an ACL entry, you can specify one option from each available
category. You can include one username, one UIC, one password
(DMU only), and one terminal number (DMU only) or job class. You
must include at least one user identification criterion per ACL
entry.
3.1 – Password
You can also specify a password as an identification criterion
in an ACL entry on a directory or object in the DMU format
dictionary. If an ACL entry for a directory or object in the
dictionary defines a password, the password can be specified
as part of the given name of the directory or object. Using
a password identifies the user or group of users who know the
password.
3.1.1 – Examples
When you need the access privileges to a directory or object
granted by an ACL entry containing a password, you can specify
the password in two ways:
o You can enter the password, enclosed in parentheses, after the
given name of the directory or object:
- With only the given name:
YACHTS;1(SAILOR)
- In a full dictionary path name:
CDD$TOP.INVENTORY(SECRET).YACHTS;1(SAILOR)
o You can also enter an asterisk in parentheses after the given
name of the directory or object. This asterisk in place of the
password causes DEC DATATRIEVE to prompt you for the password.
When you respond, DEC DATATRIEVE does not echo the characters
on your terminal. This prompting protects your password and,
as a result, your data and data definitions:
- In place of the password in parentheses, enter (_*):
DTR> SHOWP YACHTS (_*)
- DEC DATATRIEVE responds with a prompt for the password:
Enter password for YACHTS:
3.2 – Terminal
You can also identify users by their terminal line numbers
(DMU format dictionary only) or their job class (either format
dictionary):
o In an ACL entry on an object or directory in the DMU format
dictionary you can identify users who work from a particular
terminal line. You specify the terminal number in the format
TTnn[:]. For example:
TERMINAL = TTH6
o You can identify all users whose terminal lines are hard-wired
to your local system. Use the keyword LOCAL:
TERMINAL = LOCAL
o You can identify all users whose processes are running on
anything other than a hard-wired line. By using the keyword
NONLOCAL you can identify all processes using dial-up lines,
running in batch mode, using DECnet and running as remote
terminals, and using the Distributed Data Manipulation
Facility (DDMF) to run DEC DATATRIEVE from a remote node in
a network of Digital computers. For example:
TERMINAL = NONLOCAL
o You can identify all batch processes by using the keyword
BATCH:
TERMINAL = BATCH
o You can identify all processes using DDMF to run DEC
DATATRIEVE from a remote node in a network of Digital
computers. Use the keyword NETWORK:
TERMINAL = NETWORK
3.3 – UIC
The UIC (User Identification Code) is a 2-part number or
text string that identifies a user and determines his or her
relationship to other users on the system. The UIC determines the
ownership of files and is assigned by your system manager. UICs
can be either numeric or alphanumeric:
o A numeric UIC consists of an octal group number and an octal
member number.
You can use the asterisk (*) wildcard in place of the group
number to identify all group numbers and in place of the
member number group to identify all member numbers.
o An alphanumeric UIC is a text string consisting of a member
name and, optionally, a group name.
You can use the asterisk (*) wildcard in place of the member
name in an alphanumeric UIC but not in place of the group
name.
The UIC is enclosed in square brackets or angle brackets. A comma
separates the two parts of the UIC. The first part of the UIC
identifies the group of users a person belongs to. Group members
share the same first number or group name in their UICs. You can
control access to files according to UIC group numbers or group
names. The second part of the UIC identifies the individual user
in a group.
3.3.1 – Examples
In an ACL entry, you can use three types of UIC to identify
users:
o By specifying all the digits of both parts of the UIC, you
can identify one or more users who log in with the same UIC
associated with their process. For example:
UIC = [240,240]
o By using an asterisk (_*) as a wildcard in place of the second
part of the UIC, you can identify users who belong to the same
group and share the first part of their UICs. For example,
the following specification can identify users with UICs
[240,101], [240,300], [240,544], [240,777]:
UIC = [240,*]
o By using asterisks in place of both groups of digits in the
UIC, you identify all users, regardless of their UICs:
UIC = [*,*]
You must include the comma and enclose the UIC specification
in square brackets or angle brackets. If you specify no
UIC for an ACL entry, the dictionary supplies [_*,_*] as a
default.
3.4 – Username
Specifying a username in an ACL entry limits the entry to one
user or to a group of users who log in with the same username.
For example:
USER = WEAVER
4 – Specification
The privilege specification is the second part of an Access
Control List (ACL) entry. The privilege specification controls
the access changes the user inherits from the parent of the
object or directory to which the ACL belongs.
The DMU format dictionary can make three types of changes to the
user's list of inherited privileges:
o The GRANT clause can add any privileges not already acquired
by the user and not banished previously.
o The DENY clause can remove any privileges the user had to the
parent directory.
o The BANISH clause can deny a privilege to a directory or
object. A privilege banished by the ACL of a directory can
never be granted by any entry in the ACL of any descendant in
that directory.
The CDO format dictionary can either grant or deny privileges to
dictionaries or objects:
o The GRANT clause can give any privilege. You must grant a
right for the user to have that right. Any privilege not
specifically granted is denied.
o The DENY clause can specifically deny any privilege. Since
the user is denied all access rights not specifically granted,
you don't have to specify this clause. If you specify only
this clause, any privilege not denied will be granted. If you
specify both GRANT and DENY, privileges will be granted and
denied in the order specified and any privilege not listed
will be denied.