DTRHELP.HLB  —  ACL
       Every directory and object in the dictionary can have an access
       control list. An ACL generally consists of one or more ACL
       entries, although an ACL can be empty. Each entry in an access
       control list performs two functions:

       o  It identifies individual users or classes of users to whom the
          ACL entry applies.

       o  It specifies the access privileges of the user or class of
          users to whom the entry applies.

       An entry in the ACL of a dictionary object or directory has two
       parts:

       o  The user identification criteria

          See the subtopic Identification for more information.

       o  The privilege specification

          See the subtopic Specification for more information.

       For a list of access privileges, see the subtopic Access_
       Privileges.

       The DEFINEP command creates an ACL entry. The DELETEP command
       removes an ACL entry. The SHOWP command displays an ACL entry.
       The SHOW PRIVILEGE command displays your access privileges to
       a directory/dictionary or object. For more information, see the
       help for these commands.

1  –  Access Privileges CDO

       Privilege  Description

       C          Lets you create, modify, and delete access control list
       (CONTROL)  entries.
       D          Lets you delete and purge dictionary objects, as well
       (DELETE)   as empty dictionary directories.
       E          Lets you ready a domain for EXTEND access.
       (EXTEND)
       M (DTR_    Lets you ready a domain for READ and MODIFY access.
       MODIFY)
       R (READ)   Lets you ready a domain for READ access, display
                  dictionary definitions with a SHOW command, use the
                  EDIT command, and copy them into a command file with an
                  EXTRACT command.
       S (SHOW)   Lets you see the definition of a dictionary object and
                  the ACL of a dictionary or object. SHOW access to a
                  domain definition and its associated record definition
                  is necessary to define a data file and then to ready
                  the domain. SHOW access to a dictionary lets you show
                  the contents of the dictionary.
       U          Lets you change the definition of a dictionary object.
       (CHANGE)   On a dictionary, U lets you define new objects or
                  delete objects in the dictionary.
       W          Lets you ready a domain for WRITE access.
       (WRITE)

2  –  Access Privileges DMU

       Privilege  Description

       C          Lets you read, create, modify, and delete access
       (CONTROL)  control list entries. You cannot deny yourself CONTROL
                  privilege.
       D          Lets you delete dictionary objects, as well as
       (LOCAL_    directories and subdictionaries with no children, and
       DELETE)    to edit, replace, or recompile definitions stored in
                  the dictionary.
       E (DTR_    Lets you ready a domain for any type of access, to
       EXTEND_    access a table, or to invoke a procedure.
       /EXECUTE)
       F          Lets you create subdictionaries.
       (FORWARD)
       G          Lets you delete dictionary directories and
       (GLOBAL_   subdictionaries, including any children they may have,
       DELETE)    with a single command.
       H          Lets you add entries to history lists with the
       (HISTORY)  Dictionary Management Utility (DMU).
       M (DTR_    Lets you ready a domain for READ and MODIFY access.
       MODIFY)
       P (PASS_   Lets you use a dictionary directory, subdictionary, or
       THRU)      object in a path name. You cannot deny yourself PASS_
                  THRU privilege.
       R (DTR_    Lets you ready a domain for READ access, display
       READ)      dictionary definitions with a SHOW command, use the
                  EDIT command, and copy them into a command file with an
                  EXTRACT command.
       S (SEE)    Lets you see the definition of a dictionary object. SEE
                  access to a domain definition and its associated record
                  definition is necessary to define a data file and then
                  to ready the domain.
       U          Lets you update the definition of a dictionary object.
       (UPDATE)
       W (DTR_    Lets you ready a domain for WRITE access.
       WRITE)
       X          Lets you create children of dictionary directories and
       (EXTEND)   subdictionaries.

3  –  Identification

       The user identification criteria form the first part of an ACL
       entry. The user identification criteria determine the user or
       class of users to whom the entry applies. The dictionary compares
       the user identification criteria with the characteristics of the
       user's process and with any passwords appended to the given name
       of the object or directory.

       An ACL on a directory or object in the DMU format dictionary
       can identify you by your username, your UIC (User Identification
       Code), a password, your terminal number or job class.

       An ACL on a CDO format dictionary or object can identify you by
       your username, your UIC (User Identification Code), or your job
       class.

       In an ACL entry, you can specify one option from each available
       category. You can include one username, one UIC, one password
       (DMU only), and one terminal number (DMU only) or job class. You
       must include at least one user identification criterion per ACL
       entry.

3.1  –  Password

       You can also specify a password as an identification criterion
       in an ACL entry on a directory or object in the DMU format
       dictionary. If an ACL entry for a directory or object in the
       dictionary defines a password, the password can be specified
       as part of the given name of the directory or object. Using
       a password identifies the user or group of users who know the
       password.

3.1.1  –  Examples

       When you need the access privileges to a directory or object
       granted by an ACL entry containing a password, you can specify
       the password in two ways:

       o  You can enter the password, enclosed in parentheses, after the
          given name of the directory or object:

          -  With only the given name:

                     YACHTS;1(SAILOR)

          -  In a full dictionary path name:

              CDD$TOP.INVENTORY(SECRET).YACHTS;1(SAILOR)

       o  You can also enter an asterisk in parentheses after the given
          name of the directory or object. This asterisk in place of the
          password causes DEC DATATRIEVE to prompt you for the password.
          When you respond, DEC DATATRIEVE does not echo the characters
          on your terminal. This prompting protects your password and,
          as a result, your data and data definitions:

          -  In place of the password in parentheses, enter (_*):

              DTR> SHOWP YACHTS (_*)

          -  DEC DATATRIEVE responds with a prompt for the password:

              Enter password for YACHTS:

3.2  –  Terminal

       You can also identify users by their terminal line numbers
       (DMU format dictionary only) or their job class (either format
       dictionary):

       o  In an ACL entry on an object or directory in the DMU format
          dictionary you can identify users who work from a particular
          terminal line. You specify the terminal number in the format
          TTnn[:]. For example:

              TERMINAL = TTH6

       o  You can identify all users whose terminal lines are hard-wired
          to your local system. Use the keyword LOCAL:

              TERMINAL = LOCAL

       o  You can identify all users whose processes are running on
          anything other than a hard-wired line. By using the keyword
          NONLOCAL you can identify all processes using dial-up lines,
          running in batch mode, using DECnet and running as remote
          terminals, and using the Distributed Data Manipulation
          Facility (DDMF) to run DEC DATATRIEVE from a remote node in
          a network of Digital computers. For example:

              TERMINAL = NONLOCAL

       o  You can identify all batch processes by using the keyword
          BATCH:

              TERMINAL = BATCH

       o  You can identify all processes using DDMF to run DEC
          DATATRIEVE from a remote node in a network of Digital
          computers. Use the keyword NETWORK:

              TERMINAL = NETWORK

3.3  –  UIC

       The UIC (User Identification Code) is a 2-part number or
       text string that identifies a user and determines his or her
       relationship to other users on the system. The UIC determines the
       ownership of files and is assigned by your system manager. UICs
       can be either numeric or alphanumeric:

       o  A numeric UIC consists of an octal group number and an octal
          member number.

          You can use the asterisk (*) wildcard in place of the group
          number to identify all group numbers and in place of the
          member number group to identify all member numbers.

       o  An alphanumeric UIC is a text string consisting of a member
          name and, optionally, a group name.

          You can use the asterisk (*) wildcard in place of the member
          name in an alphanumeric UIC but not in place of the group
          name.

       The UIC is enclosed in square brackets or angle brackets. A comma
       separates the two parts of the UIC. The first part of the UIC
       identifies the group of users a person belongs to. Group members
       share the same first number or group name in their UICs. You can
       control access to files according to UIC group numbers or group
       names. The second part of the UIC identifies the individual user
       in a group.

3.3.1  –  Examples

       In an ACL entry, you can use three types of UIC to identify
       users:

       o  By specifying all the digits of both parts of the UIC, you
          can identify one or more users who log in with the same UIC
          associated with their process. For example:

              UIC = [240,240]

       o  By using an asterisk (_*) as a wildcard in place of the second
          part of the UIC, you can identify users who belong to the same
          group and share the first part of their UICs. For example,
          the following specification can identify users with UICs
          [240,101], [240,300], [240,544], [240,777]:

              UIC = [240,*]

       o  By using asterisks in place of both groups of digits in the
          UIC, you identify all users, regardless of their UICs:

              UIC = [*,*]

          You must include the comma and enclose the UIC specification
          in square brackets or angle brackets. If you specify no
          UIC for an ACL entry, the dictionary supplies [_*,_*] as a
          default.

3.4  –  Username

       Specifying a username in an ACL entry limits the entry to one
       user or to a group of users who log in with the same username.
       For example:

       USER = WEAVER

4  –  Specification

       The privilege specification is the second part of an Access
       Control List (ACL) entry. The privilege specification controls
       the access changes the user inherits from the parent of the
       object or directory to which the ACL belongs.

       The DMU format dictionary can make three types of changes to the
       user's list of inherited privileges:

       o  The GRANT clause can add any privileges not already acquired
          by the user and not banished previously.

       o  The DENY clause can remove any privileges the user had to the
          parent directory.

       o  The BANISH clause can deny a privilege to a directory or
          object. A privilege banished by the ACL of a directory can
          never be granted by any entry in the ACL of any descendant in
          that directory.

       The CDO format dictionary can either grant or deny privileges to
       dictionaries or objects:

       o  The GRANT clause can give any privilege. You must grant a
          right for the user to have that right. Any privilege not
          specifically granted is denied.

       o  The DENY clause can specifically deny any privilege. Since
          the user is denied all access rights not specifically granted,
          you don't have to specify this clause. If you specify only
          this clause, any privilege not denied will be granted. If you
          specify both GRANT and DENY, privileges will be granted and
          denied in the order specified and any privilege not listed
          will be denied.
Close Help