[comp.os.vms] Network ACLs

ESC1332@ESOC.BITNET ("K.Keyte") (07/05/88)

Can somebody tell me if it's possible to put an ACE on a file specifying
the node in the identifier field. I.e. can I do the equivalent of:

 ACE = (IDENTIFIER=(MYNODE::[100,20]),options=protected,access=read)

See what I'm trying to do? Basically, I want to be able to distinguish
between a [100,20], say, on one machine, and another [100,20] on a
different machine.

Anyone know?

Karl

     +------------------------------------+
     +  My Opinions are totally unique    +
     +------------------------------------+...and never considered!
-------

carl@CITHEX.CALTECH.EDU (Carl J Lydick) (07/05/88)

 > Can somebody tell me if it's possible to put an ACE on a file specifying
 > the node in the identifier field. I.e. can I do the equivalent of:
 > 
 >  ACE = (IDENTIFIER=(MYNODE::[100,20]),options=protected,access=read)
 > 
 > See what I'm trying to do? Basically, I want to be able to distinguish
 > between a [100,20], say, on one machine, and another [100,20] on a
 > different machine.
 > 
 > Anyone know?

Yes.  It can't be done, at least not as simply as you want to do it.  If this
is being done on a cluster, you can try something like giving everyone who
logs in on a given machine an identifier that says he's on that machine, then
incorporate that identifier into your acl, but that would mean that that ace
would affect ALL users on said machine.  Or you could (ugh) set up unique
rightslist identifiers for everybody on each machine:
	$ SET DEF SYS$SYSTEM
	$ RUN AUTHORIZE
	UAF> ADD/ID user1_on_machine_1
	UAF> ADD/ID user1_on_machine_2
	UAF> ADD/ID user2_on_machine_1
	UAF> ADD/ID user2_on_machine_2
	UAF> GRANT/ID user1 user1_on_machine_1
	UAF> GRANT/ID user1 user1_on_machine_2
	UAF> GRANT/ID user2 user2_on_machine_1
	UAF> GRANT/ID user2 user2_on_machine_2
	UAF> EXIT
Then use these identifiers in your ACL.

If you're talking about DECnet access, you could
    1)  Create your own database to allow the object to map remote node/uic
        pairs into the local rightslist database; and
    2)  Create your own DECnet object for remote file access, have it get
        information about the remote node and the remote process, figure out
        what rightslist identifier it should be using, grant itself that ID,
        then try to access the file.

I don't think either of these is really what you had in mind, but they're the
closest ideas I could come up with.  Please let me know if you come up with
something better.

By the way, the BITnet lag time seems to be down to a month or so now.

LEICHTER@VENUS.YCC.YALE.EDU ("Jerry Leichter", LEICHTER-JERRY@CS.YALE.EDU) (07/05/88)

	Can somebody tell me if it's possible to put an ACE on a file
	specifying the node in the identifier field. I.e. can I do the
	equivalent of:

	 ACE = (IDENTIFIER=(MYNODE::[100,20]),options=protected,access=read)

	See what I'm trying to do? Basically, I want to be able to distinguish
	between a [100,20], say, on one machine, and another [100,20] on a
	different machine.

Can't be done.  Identifiers are meaningful only within a single security
domain, which at present is a single cluster.
							-- Jerry

thompson@batcomputer.tn.cornell.edu (Steve Thompson) (07/07/88)

Don't forget that a process running on node XXX is a holder of the
system-wide identifier SYS$NODE_XXX. You can use this in your ACLs
(we do).
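Putting Steve's per-node SYS$NODE_xxx identifier together with the UIC in a single ACE is one way to get what Karl asked for inside a cluster (Jerry's point still stands: the identifiers mean nothing outside the cluster). This is an added example, not from any poster; XXX and YYY are placeholder node names, DATA.DAT is a placeholder file, and it relies on the ACE rule that identifiers joined with + must all be held by the accessing process.

```dcl
$! Added example (not from the thread): tell [100,20] on node XXX apart
$! from [100,20] on node YYY.  Works only within one cluster, because
$! that is the only place the identifiers are meaningful.
$! XXX, YYY and DATA.DAT are placeholders.
$!
$! Identifiers joined with + must ALL be held, so the first ACE matches
$! only a [100,20] process that also holds SYS$NODE_XXX.  ACEs are
$! evaluated in order and the first match wins, so the deny entry for
$! the same UIC on YYY is listed explicitly rather than left to default.
$ SET ACL/ACL=((IDENTIFIER=SYS$NODE_XXX+[100,20],OPTIONS=PROTECTED,ACCESS=READ), -
               (IDENTIFIER=SYS$NODE_YYY+[100,20],ACCESS=NONE)) -
      DATA.DAT
$!
$! Check what actually landed on the file.
$ SHOW ACL DATA.DAT
$!
$! Check which rights identifiers this process holds; when logged in on
$! XXX the list should include SYS$NODE_XXX.
$ SHOW PROCESS/PRIVILEGES
```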