

How Access Authority to a Resource Is Determined

When an accessor attempts to access a resource, CA ControlMinder checks the access authority by running through one or more checks in a pre-determined order, until it gets a result. If any check produces an access result (deny or allow access), CA ControlMinder does not check any further, but instead returns the result.

The order in which it runs through these checks is important. For each resource, CA ControlMinder checks the access records in the following order by default:

  1. The resource's time based restrictions
  2. The resource's ownership (owners are allowed access)
  3. B1 checks
  4. The resource's NACL
  5. The resource's ACL
  6. The resource's PACL
  7. The resource's defaccess field

The order of the last two checks is determined by the setting of the accpacl option. You can disable the use of resource PACLs with the selang command setoptions setpacl-.

One access control list can contain more than one entry that affects a user. For example, it can contain an entry that mentions a user explicitly, and also entries for each of the groups to which the user belongs. CA ControlMinder checks all the possible entries at each level before it goes to the next level. For more information about how it resolves conflicting rules at each level, see Interaction Between User and Group Access Authorities.

Example: The Resultant Permission on a File

For the following table, assume that an accessor named user1 attempts to read the resource file1.

In the following table CA ControlMinder is following the default setting of the accpacl option to use the PACL.

| Entry in NACL for user1 | Entry in ACL for user1 | Entry in PACL for user1 | Entry in defaccess | Resulting Permission |
|---|---|---|---|---|
| Read | (Any) | (Any) | (Any) | Read denied |
| (Not defined) | None | (Any) | (Any) | Read denied |
| (Not defined) | Read | (Any) | (Any) | Read granted |
| (Not defined) | (Not defined) | via pgm securereader | (Any) | Read allowed through the securereader program |
| (Not defined) | (Not defined) | (Not defined) | Read | Read granted |

Where an entry is shown as (Not defined), this means that no entry for user1 exists in that access control list.

Where an entry is shown as (Any), this means that the entry in that access control list does not matter, because CA ControlMinder does not check it.

CA ControlMinder evaluates the columns from left to right. Notice that in every row, the cells to the right of a cell with a defined access have the value (Any), because the first defined entry produces a result and no later list is consulted. Conversely, all the cells to the left of a cell that contains a defined access have the value (Not defined), because any defined entry there would already have decided the request.
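The first-result-wins evaluation order described above, and the five rows of the table, as an added illustrative model (not CA ControlMinder code). It assumes a simplified rule representation: an NACL entry lists the accesses denied to an accessor, an ACL or PACL entry lists the accesses allowed (an empty set stands for "None"), PACL entries are keyed by accessor and program, and the time-based and B1 checks are stand-in hooks.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Resource:
    """Simplified access records of one resource (assumed layout)."""
    owner: Optional[str] = None
    nacl: dict = field(default_factory=dict)      # accessor -> accesses denied
    acl: dict = field(default_factory=dict)       # accessor -> accesses allowed (set() = None)
    pacl: dict = field(default_factory=dict)      # (accessor, program) -> accesses allowed
    defaccess: set = field(default_factory=set)   # accesses allowed to everyone else
    time_ok: bool = True                          # stand-in for time-based restrictions

def resolve(res: Resource, accessor: str, action: str, program: Optional[str] = None):
    """Return (result, deciding_check); the first check that yields a result wins."""
    def time_check():
        return None if res.time_ok else "denied"
    def owner_check():                            # owners are always allowed
        return "granted" if res.owner == accessor else None
    def b1_check():                               # B1 label checks not modelled here
        return None
    def nacl_check():                             # NACL only ever denies
        entry = res.nacl.get(accessor)
        return "denied" if entry is not None and action in entry else None
    def acl_check():                              # a defined entry decides either way
        entry = res.acl.get(accessor)
        if entry is None:
            return None
        return "granted" if action in entry else "denied"
    def pacl_check():                             # default accpacl setting: PACL is used
        entry = res.pacl.get((accessor, program))
        if entry is None:
            return None
        return "granted" if action in entry else "denied"
    def defaccess_check():                        # last resort, always produces a result
        return "granted" if action in res.defaccess else "denied"
    checks = [("time", time_check), ("owner", owner_check), ("b1", b1_check),
              ("nacl", nacl_check), ("acl", acl_check), ("pacl", pacl_check),
              ("defaccess", defaccess_check)]
    for name, check in checks:
        result = check()
        if result is not None:                    # stop at the first deciding check
            return result, name
    return "denied", "no-rule"                    # unreachable: defaccess always decides
```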