unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (HP-UX-11.11)
Page:
Section:
Apropos / Subsearch:
optional field



 acl(1m)		  Open Software Foundation		     acl(1m)




 NAME
      acl - A dcecp object that manages DCE access control lists

 SYNOPSIS
      acl check acl_name_list [-entry] [-type manager_type_name]

      acl delete acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-local]

      acl help [operation | -verbose]

      acl modify acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-cell new_cell_name]
      {-add acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -change acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -remove acl_entry_list_without_permissions [-uuid] |
      -purge}
      [-local]

      acl operations

      acl permissions acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-local]

      acl replace acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      -acl acl_entry_list [-cell new_default_cellname]
      [-local]

      acl show acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-cell | -managers] [-local]


 ARGUMENTS
      acl_name_list
		A list of one or more objects whose ACLs are to be acted on.
		You can identify objects by using the object's fully
		qualified names, for example, /.:/hosts/gumby.

		You can also use a list of string bindings with residual
		names appended. The residual name indicates whether the
		object is a principal, group, or organization by supplying
		its principal, group, or organization name. There are four
		possible formats you can use to specify a string binding.

		In string syntax, you can use


		{uuid@prot_seq:net_addr residual_name}




 Hewlett-Packard Company	    - 1 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




		Another allowable string syntax is

		{uuid@prot_seq:net_addr[endpoint] residual_name}

		In Tcl syntax, you can use

		{uuid prot_seq net_addr residual_name}

		Another allowable Tcl syntax is

		{uuid prot_seq net_addr endpoint residual_name}


      operation The name of the acl operation for which to display help
		information.


 DESCRIPTION
      The acl object represents an access control list (ACL), which may
      exist on any object such as a server, name service entry, container
      (directory), or file.

      ACLs consist of ACL entries.  ACL entries are visible only as members
      of ACLs.	There is no object that represents ACL entries, only the acl
      object representing an entire ACL.  Most of the acl operations deal
      directly with the ACL.  See DATA STRUCTURES for a description of the
      syntax of ACLs and ACL entries.  An ACL has one attribute, called
      cell, that represents the default cell of the ACL.

      In most cases, the name of an object also specifies the name of the
      associated ACL to manipulate.  However, some objects have more than
      one ACL, and some names can refer to more than one object.  These
      ambiguities are resolved by using various options on the command line.

      An object can have more than one ACL.  For example, container
      objects-such as Cell Directory Service (CDS) directories and
      directories in the registry-have three ACLs: one ACL controls access
      to the container object itself, a second ACL specifies the default ACL
      on new objects added to the container (the Initial Object ACL), and a
      third ACL specifies the default ACL on new containers added to the
      container (the Initial Container ACL).  By default, the acl commands
      operate on the ACL of the container object.  Use the -ic option to
      operate on the Initial Container ACL.  Use the -io option to operate
      on the Initial Object ACL. Simple objects (those that are not
      container objects) do not have Initial Container or Initial Object
      ACLs.

      Some servers that have ACLs also store their network location
      information in a server entry in CDS.  The server entry has the same
      name as the server itself and may also have an attached ACL.  Use the
      -entry option to operate on the server entry ACL in CDS rather than



 Hewlett-Packard Company	    - 2 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      the server's ACL.

      All dced objects have ACLs.  When the dced on the local machine is in
      partial service mode, you must use the -local option to access dced
      object ACLs.  To access dced object ACLs, specify only the residual
      portion of the object name to the acl command.  For example, use
      hostdata, not /.:/hosts/gumby/config/hostdata.

      Some DCE objects have more than one purpose.  For instance, a registry
      object can represent a principal and it can also act as a directory (a
      container).  An example is a principal name that identifies another
      cell (for instance, /.../comp.com) with which you want to establish
      authenticated operation.	In this case, the cell maintains a principal
      name /.:/comp.com.  The registry object for this principal name is as
      follows:

      /.:/sec/principal/comp.com


      Assume the cell also has a hierarchical (subordinate) cell named
      /.../comp.com/test_cell.	The cell maintains another principal name
      /.:/comp.com/test_cell.  The registry object for this principal name
      is as follows:

      /.:/sec/principal/comp.com/test_cell


      Consequently, the registry object /.:/sec/principal/comp.com also acts
      as a directory because it contains the hierarchical cell name
      /.:/sec/principal/comp.com/test_cell.  The ACL Manager that operates
      on registry objects differs from the ACL Manager that operates on
      registry directories.  For instance, the latter ACL Manager has an i
      (insert) permission bit that controls who can add new objects to the
      directory.  Consequently, most acl commands provide a -type option
      that lets you specify the appropriate ACL Manager when operating on
      registry objects that are also directories.  You can list the ACL
      Managers available for registry objects by using the acl show
      -managers command.

 DATA STRUCTURES
    ACL Entry Syntax
      An ACL entry has the following syntax:

      type[:key]:permissions


      where:


      type	Identifies the role of the ACL entry.




 Hewlett-Packard Company	    - 3 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      key	Identifies the specific principal or group to whom the entry
		applies.  For an entry type of extended, key contains the
		ACL data.

      permissions
		The ACL permissions.


      The syntax of an ACL entry is a list of two or three elements.  The
      first element is the type, the optional second element is the key, and
      the last element is the set of permission bits.  The permission bits
      are represented by a single character if the permission is granted and
      by a - (dash) if it is not.  An ACL is a list of ACL entries.  An
      example of an ACL is as follows:

      {unauthenticated -r-----}
      {user_obj crwx---}
      {user britten crwx---}
      {user mahler -rwx---}
      {foreign_user /.../C=US/O=OSF/OU=dce/pro/bach crwxidt}
      {group_obj -rwx---}
      {group dds -rwx---}
      {any_other -r-----}
      {extended c417faf8-8340-11c9-ace3-08001e5559bb.a.b.c.a1.4.0a0b0c0d -rwx---}


      On output the above syntax is used, with one addition.  If masking
      produces ineffective bits in an ACL entry, the entry has two
      additional elements.  The first is the identifier effective, and the
      second is the set of effective permissions.  These elements are added
      only for those ACL entries that have ineffective bits, as seen in the
      following example:

      {mask_obj -r-----}
      {user_obj crwx---}
      {user britten crwx--- effective -r-----}


      On input, do not include the identifier effective or the effective
      permissions.  You can enter permissions in any order, omitting the -
      (dash) for permissions not granted.  For example, the above ACL could
      be entered as:

      {mask_obj r}
      {user_obj crwx}
      {user britten wcrx}


    Defined ACL Entry Types
      user_obj	Permissions for the object's real or effective owner.




 Hewlett-Packard Company	    - 4 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      group_obj Permissions for the object's real or effective owning group.

      other_obj Permissions for others authenticated in the local cell who
		are not otherwise named by a more specific entry type.

      user	Permissions for a specific authenticated principal user in
		the ACL's cell.	 This type of ACL entry must include a key
		that identifies the specific principal.

      group	Permissions for a specific group in the ACL's cell. This
		type of ACL entry must include a key that identifies the
		specific group.

      foreign_user
		Permissions for a specific, authenticated user in a foreign
		cell.  This type of ACL entry must include a key that
		identifies the specific principal and the principal's cell.

      foreign_group
		Permissions for a specific group in a foreign cell.  This
		type of ACL entry must include a key that identifies the
		specific group and the group's cell.

      foreign_other
		Permissions for all authenticated principals in a specific
		foreign cell, unless those principals are specifically named
		in an ACL entry of type foreign_user or are members in a
		group named in an entry of type foreign_group. This type of
		ACL entry must include a key that identifies the specific
		foreign cell.

      any_other Permissions for all authenticated principals unless those
		principals match a more specific entry in the ACL.

      mask_obj	Permissions for the object mask that is applied to all entry
		types except user_obj, other_obj, and unauthenticated.

      unauthenticated
		Maximum permissions applied when the accessor does not pass
		authentication procedures.  This entry is used for
		principals that have failed authentication due to bad keys,
		principals who are entirely outside of any authentication
		cell, and principals who choose not to use authenticated
		access. Permissions granted to an unauthenticated principal
		are masked with this entry, if it exists.  If this entry
		does not exist, access to unauthenticated principals is
		always denied.

      extended	A special entry that allows client applications running at
		earlier DCE versions to copy ACLs to and from ACL Managers
		running at the current DCE version without losing any data.



 Hewlett-Packard Company	    - 5 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




		The extended entry allows the application running at the
		lower version to obtain a printable form of the ACL. The
		extended ACL entry has the following form:

		extended:uuid.ndr.ndr.ndr.ndr.number_of_byte.data

		where:


		uuid	  Identifies the type extended ACL entry. (This UUID
			  can identify one of the ACL entry types described
			  here or an as-yet-undefined ACL entry type.)

		ndr	  Up to four network data representation (NDR)
			  format labels (in hexadecimal format and separated
			  by periods) that identify the encoding of data.

		number_of_bytes
			  A decimal number that specifies the total number
			  of bytes in data.

		data	  The ACL data in hexadecimal form.  (Each byte of
			  ACL data is two hexadecimal digits.) The ACL data
			  includes all of the ACL entry specifications
			  except the permissions (described later) that are
			  entered separately.  The data is not interpreted;
			  it is assumed that the ACL Manager to which the
			  data is being passed can understand that data.


      user_obj_delegate
		Delegated permissions for the object's real or effective
		owner.

      group_obj_delegate
		Delegated permissions for the object's real or effective
		group.

      other_obj_delegate
		Delegated permissions for others in the local cell who are
		not otherwise named by a more specific entry type.

      user_delegate
		Delegated permissions for a specific principal user in the
		ACL's cell.  This type of ACL entry must include a key that
		identifies the specific principal.

      group_delegate
		Delegated permissions for a specific group in the ACL's
		cell. This type of ACL entry must include a key that
		identifies the specific group.



 Hewlett-Packard Company	    - 6 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      foreign_user_delegate
		Delegated permissions for a specific, authenticated user in
		a foreign cell.	 This type of ACL entry must include a key
		that identifies the specific principal and the principal's
		cell.

      foreign_group_delegate
		Delegated permissions for a specific, authenticated group in
		a foreign cell.	 This type of ACL entry must include a key
		that identifies the specific group and the group's cell.

      foreign_other_delegate
		Delegated permissions for all authenticated principals in a
		specific foreign cell, unless those principals are
		specifically named in an ACL entry of type foreign_user or
		foreign_user_delegate or are members in a group named in an
		entry of type foreign_group or foreign_group_delegate.	This
		type of ACL entry must include a key that identifies the
		specific foreign cell.

      any_other_delegate
		Delegated permissions for all authenticated principals
		unless those principals match a more specific entry in the
		ACL.


    Key
      The key identifier (principal, group name, or cell) specifies the
      principal or group to which the ACL entry applies.  For entries of
      entry type extended, key is the data passed from one ACL Manager to
      another.	In some cases, such as when a registry object no longer
      exists but an ACL entry still contains a reference to that object, key
      can be represented by a UUID.  A key is required for the following
      types of ACL entries:


      user	Requires a principal name only.

      group	Requires a group name only.

      foreign_user
		Requires a fully qualified cell name in addition to the
		principal name.

      foreign_group
		Requires a fully qualified cell name in addition to the
		group name.

      foreign_other
		Requires a fully qualified cell name.




 Hewlett-Packard Company	    - 7 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      foreign_user_delegate
		Requires a fully qualified cell name, the principal name,
		and a key that identifies the principal and the principal's
		cell.

      foreign_group_delegate
		Requires a fully qualified cell name, the group name, and a
		key that identifies the group and the group's cell.


    Permissions
      The permissions argument specifies the set of permissions that defines
      the access rights conferred by the entry.	 Since each ACL Manager
      defines the permission tokens and meanings appropriate for the objects
      it controls, the actual tokens and their meanings vary.  For example
      the Distributed File Service (DFS), the Directory Service, and the
      Security Service each implement a separate ACL Manager, and each can
      use a different set of tokens and permissions.  Use the permissions
      operation to display the currently available tokens and their
      meanings.	 See the documentation for the DCE component you are using
      to obtain a more detailed description of its specific permissions.

 ATTRIBUTES
      cell default_cellname
		Represents the default cell of the ACL.	 Manipulation of
		this attribute is possible only through the modify and show
		operations.


      See the OSF DCE Administration Guide for more information about ACL
      attributes.

 OPERATIONS
    acl check
      Returns the permissions granted by the ACL to the principal entering
      the command.  The syntax is as follows:

      acl check acl_name_list [-entry] [-type manager_type_name]


      Options

      -entry	Specifies that the command is to operate on the ACL of the
		namespace entry of the named object.

      -type manager_type_name
		Specifies that the command uses a particular ACL Manager.
		This option is needed only for objects that have more than
		one purpose, such as for principal names that also act as
		directories.




 Hewlett-Packard Company	    - 8 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      The check operation returns the permissions granted in the specified
      object's ACL to the principal that invoked the command.  The argument
      is a list of names of object's whose ACLs are to be operated on.	If
      you specify no options, the permissions from the ACL for the object
      named by the operation are returned.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl check {006f859c-ed3d-1d57-a383-0000c0239a70@ncacn_ip_tcp:130.105.5.45 \
      > principal/aaa}
      rwdtcia
      dcecp>

      dcecp> acl check /.:/hosts
      rwdtcia
      dcecp>


    acl delete
      Deletes all ACL entries from the object, except the user_obj entry, if
      it exists.  The syntax is as follows:

      acl delete acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-local]


      Options

      -ic	Specifies that the command is to operate on the Initial
		Container ACL of the named object.

      -io	Specifies that the command is to operate on the Initial
		Object ACL of the named object.

      -entry	Specifies that the command is to operate on the ACL of the
		namespace entry of the object.

      -type manager_type_name
		Specifies that the command uses a particular ACL Manager.
		This option is needed only for objects that have more than
		one purpose, such as for principal names that also act as
		directories.



 Hewlett-Packard Company	    - 9 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      -local	Specifies that the command is to operate on the ACL of a
		dced object while the dced on the local machine is in
		partial service mode.


      The delete operation removes all ACL entries from the object, except
      the user_obj entry, if it exists.	 Note that if you use delete on an
      object whose ACL does not contain a user_obj ACL entry (either because
      the object's ACL Managers do not support user_obj entries or because
      the ACL is empty), the command displays a "bad syntax" error.

      The argument is a list of names of objects whose ACLs are to be
      operated on.  This operation returns an empty string on success.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl delete {/.:/hosts/oddball/gumby /.:/pokey}
      dcecp>


    acl help
      Returns help information about the acl object and its operations.	 The
      syntax is as follows:

      acl help [operation | -verbose]


      Options


      -verbose	Displays information about the acl object.


      Used without an argument or option, the acl help command returns brief
      information about each acl operation. The optional operation argument
      is the name of an operation about which you want detailed information.
      Alternatively, you can use the -verbose option for more detailed
      information about the acl object itself.

      Privileges Required

      No special privileges are needed to use the acl help command.




 Hewlett-Packard Company	   - 10 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      Examples

      dcecp> acl help
      check		  Returns ACL permissions of invoker.
      delete		  Deletes all ACL entries except 'user_obj' if it exists.
      modify		  Adds, removes, or changes ACL entries and attributes.
      permissions	  Returns permissions associated with an object.
      replace		  Replaces entire ACL with new ACL entries and attributes.
      show		  Returns ACL entries or attributes on an object.
      help		  Prints a summary of command-line options.
      operations	  Returns a list of the valid operations for this command.
      dcecp>


    acl modify
      Changes attributes and entries of ACLs.  The syntax is as follows:

      acl modify acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-cell new_cell_name]
      {-add acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -change acl_entry_list_with_permissions [-mask {calc | nocalc}] |
      -remove acl_entry_list_without_permissions [-uuid] |
      -purge}
      [-local]


      Options


      -cell new_cell_name
		Changes the value of the cell attribute by specifying the
		new default cell.  It must be one value, not a list. The -
		cell option is always applied before the other options.
		Note that changing the default cell of an ACL that has user
		or group ACL entries, or their delegate counterparts, can be
		dangerous.  The principal and groups mentioned in these ACL
		entries must be in the default cell. If the default cell
		changes, these ACL entries must change as well.

      -add acl_entry_list_with_permissions
		Adds the ACL entries to the ACL.  The value of this option
		is a list of ACL entries with permissions filled in.  You
		can use the -mask option to force or prevent mask
		recalculation.

      -change acl_entry_list_with_permissions
		Changes existing ACL entries in the ACL.  The value of this
		option is a list of ACL entries with permissions filled in.
		The permissions are the new permissions placed on the
		specified ACL entries.	The ACL entries must exist in the



 Hewlett-Packard Company	   - 11 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




		ACL or an error occurs.	 You can use the -mask option to
		force or prevent mask recalculation.

      -remove acl_entry_list_without_permissions
		Removes existing ACL entries from the ACL.  The value of
		this option is a list of ACL entries with no permissions.
		The ACL entries must exist in the ACL or an error occurs.

      -purge	Purges all masked permissions (before any other
		modifications are made), in all ACL entries except user_obj,
		other_obj, mask_obj, user_obj_delegate, other_obj_delegate,
		and unauthenticated if they exist.  This option is useful
		only for ACLs that contain an entry of type mask_obj.

      -uuid	Indicates that the entries in the
		acl_entry_list_without_permissions argument are UUIDs rather
		than names.

      -mask {calc | nocalc}
		If a modify operation causes a mask recalculation that
		unintentionally adds permissions to an existing ACL entry,
		the modify operation ceases with an error unless you specify
		the -mask option with a value of either calc or nocalc, or a
		unique abbreviation of one of these values.

		Specifying calc creates or modifies the object's mask_obj
		type entry with permissions equal to the union of all
		entries other than type user_obj, other_obj, mask_obj, and
		unauthenticated.  This creation or modification is done
		after all other modifications to the ACL are performed.	 The
		new mask is set even if it grants permissions previously
		masked out.  It is recommended that you use this option only
		if not specifying it results in an error.  If you specify
		the calc option for an ACL Manager that does not support the
		mask_obj entry type, an error is returned.

		Specifying nocalc means that a new mask should not be
		calculated.

		The -mask option can be used only if the -add or -change
		option is also used and only if the object's ACL Managers
		support the mask_obj ACL type. In addition, you cannot use
		the -mask option if you specify a mask_obj ACL entry in the
		command (by using the -add or -change options).

      -ic	Specifies that the operation act on the Initial Container
		ACL of the named object.

      -io	Specifies that the operation act on the Initial Object ACL
		of the named object.




 Hewlett-Packard Company	   - 12 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      -entry	Specifies that the operation act on the ACL of the namespace
		entry of the named object.

      -local	Specifies that the operation act on the ACL of a dced object
		while the dced on the local machine is in partial service
		mode.

      -type manager_type_name
		Specifies that the command uses a particular ACL Manager.
		This option is needed only for objects that have more than
		one purpose, such as for principal names that also act as
		directories.


      The modify operation changes one or more individual ACL entries.	The
      argument is a list of names of ACLs to be modified.  They are
      processed in the order they are entered.	The specific operation to
      perform is described by using options.

      The -uuid option can be used to remove ACL entries associated with
      orphaned UUIDs.  An orphaned UUID refers to an object such as a
      principal or group that has been deleted from the registry, but still
      has an ACL entry on an object.

      Multiple actions can be specified on the command line; they are
      processed in a fixed order to guarantee proper processing of the ACLs.
      See [POSIX.6] for a description of this processing order. Either all
      the changes specified in the operation are made or none are. This
      operation returns an empty string on success.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl modify /.:/hosts -add {user mahler rwcia}
      dcecp>

      dcecp> acl modify /.:/hosts -change {user mahler rwdtcia}
      dcecp>

      dcecp> acl modify /.:/hosts -add {group dce rwdtcia} -remove {user mahler}
      dcecp>

      dcecp> acl modify /.:/hosts -remove {user 0c8a15fc-761e-11d0-a176-08000985b5a6} -uuid
      dcecp>



 Hewlett-Packard Company	   - 13 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




    acl operations
      Returns a list of the operations supported by the acl object. The
      syntax is as follows:

      acl operations


      The list of available operations is in alphabetical order except for
      help and operations, which are listed last.

      Privileges Required

      No special privileges are needed to use the acl operations command.

      Examples

      dcecp> acl operations
      check delete modify permissions replace show help operations
      dcecp>


    acl permissions
      Returns a list describing the permissions associated with an object.
      The syntax is as follows:

      acl permissions acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      [-local]


      Options

      -ic	Specifies that the command is to operate on the Initial
		Container ACL of the named object.

      -io	Specifies that the command is to operate on the Initial
		Object ACL of the named object.

      -entry	Specifies that the command is to operate on the ACL of the
		namespace entry of the named object.

      -type manager_type_name
		Specifies that the command uses a particular ACL Manager.
		This option is needed only for objects that have more than
		one purpose, such as for principal names that also act as
		directories.

      -local	Specifies that the command is to operate on the ACL of a
		dced object while the dced on the local machine is in
		partial service mode.




 Hewlett-Packard Company	   - 14 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      The permissions operation returns a list of the permissions associated
      with an object. For each permission, the operation shows the
      permission token and a description of the permission. The
      manager_type_name argument is a list of names of ACL Manager types
      whose permissions are to be returned.  If more than one name is
      entered, the output is concatenated and a blank line inserted between
      each manager type.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl permissions /.:/hosts
      r {read entry attributes}}
      {w {update entry attributes}}
      {d {delete entry}}
      {t {test attribute values}}
      {c {change ACL}}
      {i {create new directory entries}}
      {a {administer directory replication}}
      dcecp>&gt&gt>


    acl replace
      Replaces the entire ACL on the object specified by the argument with
      the supplied value. The syntax is as follows:

      acl replace acl_name_list [-ic | -io | -entry] [-type
      manager_type_name]
      -acl acl_entry_list [-cell new_default_cellname]
      [-local]


      Options

      -ic	Specifies that the operation act on the Initial Container
		ACL of the named object.

      -io	Specifies that the operation act on the Initial Object ACL
		of the named object.

      -entry	Specifies that the operation act on the ACL of the namespace
		entry of the named object.





 Hewlett-Packard Company	   - 15 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      -type manager_type_name
		Specifies that the command use a particular ACL Manager.
		This option is needed only for objects that have more than
		one purpose, such as for principal names that also act as
		directories.

      -acl acl_entry_list
		Specifies ACL entries and their new values.

      -cell new_default_cellname
		Specifies a new default cell for all of the ACLs named in
		acl_entry_list. The -cell option is always applied before
		the other options.

      -local	Specifies that the operation act on the ACL of a dced object
		while the dced on the local machine is in partial service
		mode.


      The replace operation replaces the entire ACL on the object specified
      by the argument with the supplied value. The argument is a list of
      names of ACLs to be operated on.	The syntax of the value of the -acl
      option is a list of ACL entries.	The -cell option specifies the new
      default cell of the ACL.	Its value is the name of one cell only (it
      is not a list).  This operation returns an empty string on success.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.

      Examples

      dcecp> acl replace /.:/hosts -acl {group dce rwdtcia}
      dcecp>


    acl show
      Returns a list of the ACL entries for the specified object. The syntax
      is as follows:

      acl show acl_name_list [-ic | -io | -entry] [-type manager_type_name]
      [-cell | -managers] [-local]

      Options






 Hewlett-Packard Company	   - 16 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      -ic	Specifies that the command is to operate on the Initial
		Container ACL of the named object.

      -io	Specifies that the command is to operate on the Initial
		Object ACL of the named object.

      -entry	Specifies that the command is to operate on the ACL of the
		namespace entry of the named object.

      -type manager_type_name
		Specifies that the command uses a particular ACL Manager.
		This option is needed only for objects that have more than
		one purpose, such as for principal names that also act as
		directories.

      -cell	Returns the default cell name for the ACL.

      -managers Returns a list of ACL Managers available for the named ACL.

      -local	Specifies that the command is to operate on the ACL of a
		dced object while the dced on the local machine is in
		partial service mode.


      The show operation returns a list of the ACL entries for the specified
      object.  The argument is a list of names of objects whose ACLs are to
      be operated on. If more than one name is given, the output is
      concatenated and a blank line inserted between objects.  If they
      exist, the mask_obj and unauthenticated ACL entries are displayed
      first.

      Note that since UUIDs and not names are stored in ACLs, dcecp may not
      be able to determine the name associated with an ACL entry. In this
      case, the UUID is returned as the key instead of the name.  dcecp may
      be unable to determine the name associated with an ACL entry if the
      default cell stored in the ACL is incorrect, or if the users and
      groups specified in the user and group entries are not registered in
      the default cell.

      If a UUID replaces a name of a user and group, you can recover by
      adopting the orphaned UUID. To do this, create a new user or group
      using the UUID found in the ACL.	The name of the new user or group is
      then available.

      Privileges Required

      The permissions required are defined by the object's ACL Manager. Use
      the permissions operation to display the currently available tokens
      and their meanings.  See the documentation for the DCE component you
      are using to obtain a more detailed description of its specific
      permissions.



 Hewlett-Packard Company	   - 17 -	      OSF DCE 1.1/HP DCE 1.8






 acl(1m)		  Open Software Foundation		     acl(1m)




      Examples

      dcecp> acl show /.:/hosts
      {unauthenticated r--t---}
      {user cell_admin rwdtcia}
      {user hosts/absolut/cds-server rwdtcia}
      {user hosts/absolut/self rwdtcia}
      {user root rwdtcia}
      {group subsys/dce/cds-admin rwdtcia}
      {group subsys/dce/cds-server rwdtcia}
      {any_other r--t---}
      dcecp>


 RELATED INFORMATION
      Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m),
      dcecp_organization(1m), dcecp_principal(1m), dcecp_registry(1m),
      dcecp_xattrschema(1m).




































 Hewlett-Packard Company	   - 18 -	      OSF DCE 1.1/HP DCE 1.8