The mode in an ACE is explicit rather than implicit. This means that an unset bit in the ACE mode (indicated by the - character) is not considered as either ALLOWED or DENIED, so processing moves to the next ACE in the ACL or finally falls through to the Unix-style permissions. When an ACE is checked, for it to be applied, it must match both the target and the requested access mode.

Finally, we need to create a group for all of the users at the printer that will need read access to the system; let's call it printers. We then add all our printer users to that group. Next, we add two more ACEs to the ACL on the nanotechnology collection. The first will permit Bob Ling, who is in the printers group, his extra write access, and the second will allow anyone in the printers group (including Bob Ling) read access. The updated configuration for the nanotechnology collection now looks like:

Collection: /db/journals/review/nanotechnology

ACL
        Target type   ID           Access type   Mode
ACE:0   USER          jasongreen   DENIED        -w-
ACE:1   GROUP         trainees     ALLOWED       r-x
ACE:2   GROUP         trainees     DENIED        -w-
ACE:3   USER          bobling      ALLOWED       -w-
ACE:4   USER          printers     ALLOWED       r-x

Unix-style permissions
Owner   Group     Mode
admin   editors   rwxrwx---

When Bob Ling tries to write to the nanotechnology collection, he will be allowed access by the ACE at index 3; when he tries to read the collection, he will be allowed access by the ACE at index 4 because he is also a member of the printers group.

When another member of the printing staff (who is not Bob Ling) tries to read the collection, she will be allowed access by the ACE at index 4; if she tries to write the collection, she will fall through to the Unix-style permission, which prohibits anyone apart from the admin or a member of the editors group from writing to the collection. As this member satisfies neither of these requirements, she will be denied access.
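
The evaluation order walked through above, as an added Python sketch. It is not code from the book or from the database itself. It assumes a simplified owner/group/other fallback, models ACE:4 as a GROUP entry as the prose describes, and uses the constructed user names printstaff2 and someeditor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    target_type: str  # "USER" or "GROUP"
    target_id: str
    access: str       # "ALLOWED" or "DENIED"
    mode: str         # e.g. "r-x"; "-" is an unset bit, neither allowed nor denied

@dataclass(frozen=True)
class Collection:
    owner: str
    group: str
    mode: str         # Unix-style mode, e.g. "rwxrwx---"
    acl: tuple

def check(col, user, groups, want):
    """Decide one requested bit ('r', 'w' or 'x'); returns (granted, decided_by)."""
    i = "rwx".index(want)
    for idx, ace in enumerate(col.acl):
        if ace.target_type == "USER":
            target_ok = ace.target_id == user
        else:
            target_ok = ace.target_id in groups
        # The ACE applies only when target AND requested mode bit both match.
        if target_ok and ace.mode[i] == want:
            return ace.access == "ALLOWED", f"ACE:{idx}"
    # No ACE applied: fall through to the Unix-style permissions.
    if user == col.owner:
        triplet = col.mode[0:3]
    elif col.group in groups:
        triplet = col.mode[3:6]
    else:
        triplet = col.mode[6:9]
    return triplet[i] == want, "unix"

# The nanotechnology collection from the table above.
NANOTECH = Collection("admin", "editors", "rwxrwx---", (
    Ace("USER", "jasongreen", "DENIED", "-w-"),
    Ace("GROUP", "trainees", "ALLOWED", "r-x"),
    Ace("GROUP", "trainees", "DENIED", "-w-"),
    Ace("USER", "bobling", "ALLOWED", "-w-"),
    Ace("GROUP", "printers", "ALLOWED", "r-x"),  # modelled as GROUP, per the prose
))

if __name__ == "__main__":
    # "printstaff2" is a constructed user name for a second member of printers.
    for user, want in [("bobling", "w"), ("bobling", "r"),
                       ("printstaff2", "r"), ("printstaff2", "w")]:
        print(user, want, check(NANOTECH, user, {"printers"}, want))
```

Because the first ACE that matches both target and bit decides the outcome, the order of entries is part of the policy: a DENIED entry placed after a matching ALLOWED entry for the same target and bit is never reached.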