Every directory and object in the dictionary can have an access control list. An ACL generally consists of one or more ACL entries, although an ACL can be empty. Each entry in an access control list performs two functions: o It identifies individual users or classes of users to whom the ACL entry applies. o It specifies the access privileges of the user or class of users to whom the entry applies. An entry in the ACL of a dictionary object or directory has two parts: o The user identification criteria See the subtopic Identification for more information. o The privilege specification See the subtopic Specification for more information. For a list of access privileges, see the subtopic Access_ Privileges. The DEFINEP command creates an ACL entry. The DELETEP command removes an ACL entry. The SHOWP command displays an ACL entry. The SHOW PRIVILEGE command displays your access privileges to a directory/dictionary or object. For more information, see the help for these commands.
1 – Access Privileges CDO
Privilege Description C Lets you create, modify, and delete access control list (CONTROL) entries. D Lets you delete and purge dictionary objects, as well (DELETE) as empty dictionary directories. E Lets you ready a domain for EXTEND access. (EXTEND) M (DTR_ Lets you ready a domain for READ and MODIFY access. MODIFY) R (READ) Lets you ready a domain for READ access, display dictionary definitions with a SHOW command, use the EDIT command, and copy them into a command file with an EXTRACT command. S (SHOW) Lets you see the definition of a dictionary object and the ACL of a dictionary or object. SHOW access to a domain definition and its associated record definition is necessary to define a data file and then to ready the domain. SHOW access to a dictionary lets you show the contents of the dictionary. U Lets you change the definition of a dictionary object. (CHANGE) On a dictionary, U lets you define new objects or delete objects in the dictionary. W Lets you ready a domain for WRITE access. (WRITE)
2 – Access Privileges DMU
Privilege Description C Lets you read, create, modify, and delete access (CONTROL) control list entries. You cannot deny yourself CONTROL privilege. D Lets you delete dictionary objects, as well as (LOCAL_ directories and subdictionaries with no children, and DELETE) to edit, replace, or recompile definitions stored in the dictionary. E (DTR_ Lets you ready a domain for any type of access, to EXTEND_ access a table, or to invoke a procedure. /EXECUTE) F Lets you create subdictionaries. (FORWARD) G Lets you delete dictionary directories and (GLOBAL_ subdictionaries, including any children they may have, DELETE) with a single command. H Lets you add entries to history lists with the (HISTORY) Dictionary Management Utility (DMU). M (DTR_ Lets you ready a domain for READ and MODIFY access. MODIFY) P (PASS_ Lets you use a dictionary directory, subdictionary, or THRU) object in a path name. You cannot deny yourself PASS_ THRU privilege. R (DTR_ Lets you ready a domain for READ access, display READ) dictionary definitions with a SHOW command, use the EDIT command, and copy them into a command file with an EXTRACT command. S (SEE) Lets you see the definition of a dictionary object. SEE access to a domain definition and its associated record definition is necessary to define a data file and then to ready the domain. U Lets you update the definition of a dictionary object. (UPDATE) W (DTR_ Lets you ready a domain for WRITE access. WRITE) X Lets you create children of dictionary directories and (EXTEND) subdictionaries.
3 – Identification
The user identification criteria form the first part of an ACL entry. The user identification criteria determine the user or class of users to whom the entry applies. The dictionary compares the user identification criteria with the characteristics of the user's process and with any passwords appended to the given name of the object or directory. An ACL on a directory or object in the DMU format dictionary can identify you by your username, your UIC (User Identification Code), a password, your terminal number or job class. An ACL on a CDO format dictionary or object can identify you by your username, your UIC (User Identification Code), or your job class. In an ACL entry, you can specify one option from each available category. You can include one username, one UIC, one password (DMU only), and one terminal number (DMU only) or job class. You must include at least one user identification criterion per ACL entry.
3.1 – Password
You can also specify a password as an identification criterion in an ACL entry on a directory or object in the DMU format dictionary. If an ACL entry for a directory or object in the dictionary defines a password, the password can be specified as part of the given name of the directory or object. Using a password identifies the user or group of users who know the password.
3.1.1 – Examples
When you need the access privileges to a directory or object granted by an ACL entry containing a password, you can specify the password in two ways: o You can enter the password, enclosed in parentheses, after the given name of the directory or object: - With only the given name: YACHTS;1(SAILOR) - In a full dictionary path name: CDD$TOP.INVENTORY(SECRET).YACHTS;1(SAILOR) o You can also enter an asterisk in parentheses after the given name of the directory or object. This asterisk in place of the password causes DEC DATATRIEVE to prompt you for the password. When you respond, DEC DATATRIEVE does not echo the characters on your terminal. This prompting protects your password and, as a result, your data and data definitions: - In place of the password in parentheses, enter (_*): DTR> SHOWP YACHTS (_*) - DEC DATATRIEVE responds with a prompt for the password: Enter password for YACHTS:
3.2 – Terminal
You can also identify users by their terminal line numbers (DMU format dictionary only) or their job class (either format dictionary): o In an ACL entry on an object or directory in the DMU format dictionary you can identify users who work from a particular terminal line. You specify the terminal number in the format TTnn[:]. For example: TERMINAL = TTH6 o You can identify all users whose terminal lines are hard-wired to your local system. Use the keyword LOCAL: TERMINAL = LOCAL o You can identify all users whose processes are running on anything other than a hard-wired line. By using the keyword NONLOCAL you can identify all processes using dial-up lines, running in batch mode, using DECnet and running as remote terminals, and using the Distributed Data Manipulation Facility (DDMF) to run DEC DATATRIEVE from a remote node in a network of Digital computers. For example: TERMINAL = NONLOCAL o You can identify all batch processes by using the keyword BATCH: TERMINAL = BATCH o You can identify all processes using DDMF to run DEC DATATRIEVE from a remote node in a network of Digital computers. Use the keyword NETWORK: TERMINAL = NETWORK
3.3 – UIC
The UIC (User Identification Code) is a 2-part number or text string that identifies a user and determines his or her relationship to other users on the system. The UIC determines the ownership of files and is assigned by your system manager. UICs can be either numeric or alphanumeric: o A numeric UIC consists of an octal group number and an octal member number. You can use the asterisk (*) wildcard in place of the group number to identify all group numbers and in place of the member number group to identify all member numbers. o An alphanumeric UIC is a text string consisting of a member name and, optionally, a group name. You can use the asterisk (*) wildcard in place of the member name in an alphanumeric UIC but not in place of the group name. The UIC is enclosed in square brackets or angle brackets. A comma separates the two parts of the UIC. The first part of the UIC identifies the group of users a person belongs to. Group members share the same first number or group name in their UICs. You can control access to files according to UIC group numbers or group names. The second part of the UIC identifies the individual user in a group.
3.3.1 – Examples
In an ACL entry, you can use three types of UIC to identify users: o By specifying all the digits of both parts of the UIC, you can identify one or more users who log in with the same UIC associated with their process. For example: UIC = [240,240] o By using an asterisk (_*) as a wildcard in place of the second part of the UIC, you can identify users who belong to the same group and share the first part of their UICs. For example, the following specification can identify users with UICs [240,101], [240,300], [240,544], [240,777]: UIC = [240,*] o By using asterisks in place of both groups of digits in the UIC, you identify all users, regardless of their UICs: UIC = [*,*] You must include the comma and enclose the UIC specification in square brackets or angle brackets. If you specify no UIC for an ACL entry, the dictionary supplies [_*,_*] as a default.
3.4 – Username
Specifying a username in an ACL entry limits the entry to one user or to a group of users who log in with the same username. For example: USER = WEAVER
4 – Specification
The privilege specification is the second part of an Access Control List (ACL) entry. The privilege specification controls the access changes the user inherits from the parent of the object or directory to which the ACL belongs. The DMU format dictionary can make three types of changes to the user's list of inherited privileges: o The GRANT clause can add any privileges not already acquired by the user and not banished previously. o The DENY clause can remove any privileges the user had to the parent directory. o The BANISH clause can deny a privilege to a directory or object. A privilege banished by the ACL of a directory can never be granted by any entry in the ACL of any descendant in that directory. The CDO format dictionary can either grant or deny privileges to dictionaries or objects: o The GRANT clause can give any privilege. You must grant a right for the user to have that right. Any privilege not specifically granted is denied. o The DENY clause can specifically deny any privilege. Since the user is denied all access rights not specifically granted, you don't have to specify this clause. If you specify only this clause, any privilege not denied will be granted. If you specify both GRANT and DENY, privileges will be granted and denied in the order specified and any privilege not listed will be denied.