Access Authority by Class

Valid access values depend on the class the resource belongs to. The following table lists valid access values by class in the AC environment.

| Class | Valid Access Values | Lets Accessors... |
|---|---|---|
| All classes | all | Perform all valid operations for the class. |
| | none | Perform no valid operations for the class. |
| ADMIN | create | Create records in this class. |
| | delete | Delete records in this class. |
| | join | Add a group to a USER record and complete the linking of a user to a group. Note: The accessor must also have modify access. |
| | modify | Modify existing records. Note: To link a user to a group (add user names to GROUP records) the accessor must also have join access. |
| | password | Change the passwords of other users. Note: This access type affects only the USER class. |
| | read | List records in this class. |
| AUTHHOST | read | Login from an authenticated host. |
| CONNECT | read | Connect to the remote host. |
| CONTAINER | inherited | Note: Valid access values for this class are the valid values for the class of the contained objects. |
| DOMAIN | chmod | Create and delete trust relationships between one domain and another. Note: Both domains must have this access type. |
| | execute | Add or delete members from the domain. |
| | read | List domain members. |
| FILE, GFILE | chdir | Access the directory with the equivalent of read and execute permissions. |
| | chmod | Change file system modes. Note: Only applicable on UNIX hosts. |
| | chown | Change the owner of the record. |
| | control | Perform all valid operations except delete and rename. |
| | create | Create records in this class. |
| | delete | Delete records in this class. |
| | execute | Execute a program. Note: The accessor must also have read access. |
| | read | Use a file or directory without changing it. Note: On UNIX, if you want read privileges to control whether users can perform operations that obtain information about the file (such as ls -l), set the STAT_intercept configuration setting to 1. For more information, see the Reference Guide. |
| | rename | Rename to a record in this class. |
| | sec | Change the ACL of records in this class. |
| | update | Perform the combined operations of read, write, and execute. |
| | utime | Change the modification time of a file. Note: Only applicable on UNIX hosts. |
| | write | Change the file or directory. |
| HNODE | read | List records in the class. |
| | write | Edit the details of the record. |
| HOLIDAY | read | Log in during the specified holiday. |
| KMODULE | load | Load a kernel module. |
| | unload | Unload a kernel module. |
| MFTERMINAL | read | Log in from the Mainframe terminal. |
| | write | Administer from the Mainframe terminal. |
| POLICY | delete | Delete the policy. |
| | execute | Deploy the policy. |
| | read | View policy details. |
| | write | Edit the details of the record. |
| | undeploy | Perform the combined operations of delete and execute. |
| PROCESS | read | Kill the process. |
| PROGRAM, SUDO, GSUDO | execute | Execute a program. |
| REGKEY | delete | Delete a Windows registry key. |
| | read | List the contents of the Windows registry key. |
| | write | Change the Windows registry key. |
| REGVAL | delete | Delete a Windows registry value. |
| | read | Read a Windows registry value. |
| | write | Change a Windows registry value. |
| RULESET | read | View the details of the record. |
| | write | Edit the details of the record. |
| SURROGATE | execute | Surrogate to the user. |
| TCP | read | Access TCP services from remote hosts or host groups. |
| TERMINAL, GTERMINAL | read | Log in to the terminal. |
| | write | Administer the terminal. |
| UACC | inherited | Note: Valid access values for this class are the valid values for the class it is defining. |
| WINSERVICE | read | View the properties of the Windows service. |
| | start | Start the Windows service. |
| | modify | Change the properties of the Windows service. |
| | resume | Resume a paused Windows service. |
| | stop | Stop a Windows service. |
| | pause | Pause a Windows service. |

Note: The values none and all are applicable to all classes. The value all represents the entire group of access values, other than none, for a particular class. For more information about access authority, see the Endpoint Administration Guide for your OS.
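
The FILE/GFILE and ADMIN rows carry composite values (update, control) and companion requirements (execute needs read, join needs modify) that are easy to miss when reviewing an ACL. The following Python sketch is an added example, not part of the product or its documentation: it lints one accessor's access values against those rows only, and the names `lint`, `COMPOSITE`, `REQUIRES` and `UNIX_ONLY` are hypothetical.

```python
"""Lint one accessor's access values against the FILE/GFILE and ADMIN rows."""

FILE = {"chdir", "chmod", "chown", "control", "create", "delete", "execute",
        "read", "rename", "sec", "update", "utime", "write"}
ADMIN = {"create", "delete", "join", "modify", "password", "read"}
VALID = {"FILE": FILE, "GFILE": FILE, "ADMIN": ADMIN}

# Composite values and the operations the table says they cover.
COMPOSITE = {"FILE": {"update": {"read", "write", "execute"},
                      "control": FILE - {"delete", "rename"}}}
COMPOSITE["GFILE"] = COMPOSITE["FILE"]

# "The accessor must also have ..." notes: value -> companion value.
REQUIRES = {"FILE": {"execute": "read"}, "GFILE": {"execute": "read"},
            "ADMIN": {"join": "modify"}}

# Values the table marks "Only applicable on UNIX hosts".
UNIX_ONLY = {"FILE": {"chmod", "utime"}, "GFILE": {"chmod", "utime"}}


def lint(cls, granted, unix=True):
    """Return (effective_values, problems) for one ACL entry of class cls."""
    valid = VALID[cls]
    problems, effective = [], set()
    for value in granted:
        if value == "all":        # every access value of the class
            effective |= valid
        elif value == "none":     # grants nothing
            continue
        elif value not in valid:
            problems.append(f"{value}: not a valid access value for {cls}")
        else:
            effective.add(value)
    # Expand composites so companion checks see what is really granted.
    for name, members in COMPOSITE.get(cls, {}).items():
        if name in effective:
            effective |= members
    for value, companion in REQUIRES.get(cls, {}).items():
        if value in effective and companion not in effective:
            problems.append(f"{value}: accessor must also have {companion}")
    if not unix:  # flag only values that were granted explicitly
        for value in sorted(set(granted) & UNIX_ONLY.get(cls, set())):
            problems.append(f"{value}: only applicable on UNIX hosts")
    return effective, problems
```
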