DCE and ACL guide

1. Link to IBM document

    http://www-4.ibm.com/software/network/dce/library/publications/dceaix_22/a3u2q/A3U2QM03.HTM#ToC

2. Terminology

DCE : Distributed Computing Environment
ACL : Access Control List
CDS : Cell Directory Service
 
3. ACL Types Supported by CDS
http://www-4.ibm.com/software/network/dce/library/publications/dceaix_22/a3u2q/A3U2Q112.HTM#HDRACCN003
Object ACL
Initial object creation ACL
Initial container creation ACL

In file system terms, object = file and container = directory.
 

4. DCE permissions supported by CDS
http://www-4.ibm.com/software/network/dce/library/publications/dceaix_22/a3u2q/A3U2QM03.HTM#ToC_232
    Read (r): look up a name and view the attribute values associated with it.
    Write (w): change the modifiable attributes associated with a name, except its ACLs.
    Insert (i): create a new entry in a directory (directory entries only).
    Delete (d): delete a name from the namespace (directory entries only).
    Test (t): test whether an attribute of a name has a particular value.
    Control (c): modify the ACL entries.
    Administration (a): issue CDS commands that control the replication of directories.

5. DCE control commands
http://www-4.ibm.com/software/network/dce/library/publications/dceaix_22/a3u2q/A3U2Q117.HTM#HDRACCN008

6. The mask_obj Mask and ACL Checking
http://www-4.ibm.com/software/network/dce/library/publications/dceaix_22/a3u2q/A3U2Q193.HTM#IDX2557

Permission bits not granted by mask_obj are not granted, regardless of the permission bits set in the object's own ACL entries.

Before the ACL manager grants any permissions derived from checking the ACL entries, it filters the entry permissions through the mask_obj mask. Only those permissions named in the ACL entry and in the mask are granted. For example, if an ACL entry grants rwx permissions and the mask_obj entry specifies only r and w permission, only r and w are granted. The x permission named in the ACL entry is ignored.
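The masking rule above, as an added example that is not code from the IBM document: a small Python model of a CDS-style ACL check in which the permissions of user and group entries are intersected with mask_obj before anything is granted. The entry types, the sample principal names, and the assumption that user_obj and other_obj entries bypass the mask are mine, not from the page.

```python
# Added example (not from the IBM document): a minimal model of DCE ACL
# evaluation with mask_obj filtering for the CDS permission set r w i d t c a.
PERMS = "rwidtca"


def parse_perms(s):
    """Turn a string such as 'rwt' or 'rw---c-' into a set of permission letters."""
    bad = set(s) - set(PERMS) - {"-"}
    if bad:
        raise ValueError(f"unknown permission(s): {''.join(sorted(bad))}")
    return {p for p in s if p != "-"}


def effective_perms(acl, principal, groups):
    """Return the effective permission set for a principal.

    acl is a list of (entry_type, key, perms) tuples using the DCE entry types
    user_obj, user, group, other_obj and mask_obj.  Permissions from user and
    group entries are intersected with mask_obj; user_obj and other_obj are
    assumed here to bypass the mask (DCE convention, not stated on the page).
    """
    mask = set(PERMS)  # no mask_obj entry present: nothing is filtered
    for etype, _key, perms in acl:
        if etype == "mask_obj":
            mask = parse_perms(perms)
    for etype, key, perms in acl:      # object owner: most specific, unmasked
        if etype == "user_obj" and key == principal:
            return parse_perms(perms)
    for etype, key, perms in acl:      # explicit user entry, masked
        if etype == "user" and key == principal:
            return parse_perms(perms) & mask
    granted, matched = set(), False    # group entries: union of matches, masked
    for etype, key, perms in acl:
        if etype == "group" and key in groups:
            granted |= parse_perms(perms) & mask
            matched = True
    if matched:
        return granted
    for etype, _key, perms in acl:     # fall back to other_obj, unmasked
        if etype == "other_obj":
            return parse_perms(perms)
    return set()


def is_permitted(acl, principal, groups, needed):
    """True if every letter in `needed` is in the principal's effective set."""
    return parse_perms(needed) <= effective_perms(acl, principal, groups)


# Constructed sample ACL: alice holds rwt, but mask_obj only allows r and w.
SAMPLE_ACL = [("user_obj", "owner", "rwidtca"), ("user", "alice", "rwt"),
              ("group", "cds-admin", "rwidtca"), ("other_obj", "", "r"),
              ("mask_obj", "", "rw")]
```

With SAMPLE_ACL, alice's t permission is filtered out exactly as the rwx/rw example in the text describes, and a cds-admin member is cut down to rw as well.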