[comp.os.vms] A query regarding ACLs

nagy%warner.hepnet@LBL.GOV (Frank J. Nagy, VAX Wizard & Guru) (05/11/88)

> Can somebody tell me if it's possible to put an ACE on a file specifying
> the node in the identifier field. I.e. can I do the equivalent of:
>      
>  ACE = (IDENTIFIER=(MYNODE::[100,20]),options=protected,access=read)
     
I'm nearly 100% sure that this is NOT allowed.

> See what I'm trying to do? Basically, I want to be able to distinguish
> between a [100,20], say, on one machine, and another [100,20] on a
> different machine.
     
I don't see the need for this... when the user with UIC [100,20] on
MYNODE reaches into your system (where the ACL is being placed), an
agent process running FAL is executed for him.  This agent process
either:

	- runs under the default DECNET account which is probably
	  not UIC [100,20].

	- runs under a proxy account on your system assuming you
	  have proxies set up AND you've set up one for remote [100,20].
	  In this case, you know WHO Mr. Remote [100,20] is on your
	  system.

In either case, see the documentation about the NETWORK identifier.
This is automatically set for network (such as FAL access) jobs
whether run under the DECNET or a proxy account.

If the issue is one of access to removable media which has been
transferred between the two systems...  this is a different problem
which is not solvable using UICs (in general).  For most systems,
this is a physical security problem.


= Frank J. Nagy   "VAX Guru & Wizard"
= Fermilab Research Division EED/Controls
= HEPNET: WARNER::NAGY (43198::NAGY) or FNAL::NAGY (43009::NAGY)
= BitNet: NAGY@FNAL
= USnail: Fermilab POB 500 MS/220 Batavia, IL 60510
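
Added example, not part of the original post and not VMS code: a simplified Python model of the point made above, that an ACE is matched against the identifiers held by the local FAL process (the account's UIC plus NETWORK), never against a remote node name. The REMOTE_10020 identifier, the UICs [376,376] and [300,1], and the first-match evaluation model are assumptions made for illustration.

```python
# Simplified model of ACL matching for a network (FAL) access.
# All account names, UICs and identifiers below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    """A local process; the identifiers it holds form its rights list."""
    uic: str
    identifiers: frozenset

def make_process(uic, network_job, extra=()):
    ids = {uic, *extra}
    if network_job:
        ids.add("NETWORK")  # held by network jobs under DECNET or a proxy account
    return Process(uic, frozenset(ids))

@dataclass(frozen=True)
class ACE:
    identifiers: frozenset  # every identifier listed must be held to match
    access: frozenset       # empty set models ACCESS=NONE

def check_access(acl, proc, wanted):
    """First matching ACE decides; None means no ACE matched
    (the UIC-based protection mask would then apply)."""
    for ace in acl:
        if ace.identifiers <= proc.identifiers:
            return wanted in ace.access
    return None

# ACL on the local file. An ACE has no node field, only local identifiers.
ACL = [
    ACE(frozenset({"REMOTE_10020", "NETWORK"}), frozenset({"READ"})),
    ACE(frozenset({"NETWORK"}), frozenset()),  # any other network job
    ACE(frozenset({"[100,20]"}), frozenset({"READ", "WRITE"})),
]

def scenarios():
    local = make_process("[100,20]", network_job=False)
    via_default = make_process("[376,376]", network_job=True)  # default DECNET account
    via_proxy = make_process("[300,1]", network_job=True, extra=("REMOTE_10020",))
    return {
        "local [100,20], interactive": check_access(ACL, local, "READ"),
        "remote [100,20], default DECNET account": check_access(ACL, via_default, "READ"),
        "remote [100,20], proxy account": check_access(ACL, via_proxy, "READ"),
    }

if __name__ == "__main__":
    for who, allowed in scenarios().items():
        print(f"{who}: READ {'granted' if allowed else 'denied'}")
```

The two users numbered [100,20] are told apart by which local account the remote one lands in, which is exactly what the proxy mapping decides.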

ESC1332@ESOC.BITNET ("K.Keyte") (05/15/88)

Can somebody tell me if it's possible to put an ACE on a file specifying
the node in the identifier field. I.e. can I do the equivalent of:

 ACE = (IDENTIFIER=(MYNODE::[100,20]),options=protected,access=read)

See what I'm trying to do? Basically, I want to be able to distinguish
between a [100,20], say, on one machine, and another [100,20] on a
different machine.

Anyone know?

Karl

     +------------------------------------+
     +  My Opinions are totally unique    +
     +------------------------------------+...and never considered!
' K.Keyte             Info VAX list        5/05/88 Network ACLs