User Commands						nisopaccess(1)

NAME
	nisopaccess - NIS+ operation access control administration command

SYNOPSIS
	nisopaccess [ -v ] directory operation rights

	nisopaccess [ -v ] [ -r ] directory operation

	nisopaccess [ -v ] [ -l ] directory [ operation ]

DESCRIPTION
	Most NIS+ operations have implied access control through the
	permissions on the objects that they manipulate. For example,
	in order to read an entry in a table, you must have read permission
	on that entry. However, some NIS+ operations by default perform no
	access checking at all, and so are allowed for anyone.

	Operation		Command using operation (example)

	NIS_CHECKPOINT		nisping -C
	NIS_CPTIME		nisping, rpc.nisd
	* NIS_MKDIR		nismkdir
	NIS_PING		nisping, rpc.nisd
	* NIS_RMDIR		nisrmdir
	* NIS_SERVSTATE		nisbackup, nisrestore
	* NIS_STATUS		nisstat, rpc.nispasswdd

	The nisopaccess command can be used to enforce access control on
	these operations on a per-NIS+-directory basis. The operations
	preceded by an asterisk in the list above do not have access
	control implemented in SunOS 5.5.1 through 5.7.

	The 'directory' argument should be the fully qualified name (including
	the trailing dot) of the NIS+ directory to which nisopaccess will
	be applied. As a short-hand, if the directory name doesn't end in a
	trailing dot ("org_dir", for example), the domainname is appended.
	Partial paths such as "org_dir.xyz" also get the domainname added
	at the end.

	The 'operation' argument is one of the operations listed above. You
	can use upper or lower case (but not mix the two), and the 'NIS_'
	part may be omitted. For example, NIS_PING can be specified as
	'NIS_PING', 'nis_ping', 'PING', or 'ping'.

	The 'rights' argument is specified in the format defined by the
	nischmod(1) command. Only the read ("r") rights are used to
	determine who has the right to perform the operation, so the
	modify and delete rights may be used to control who can change
	the access to the operation.

	The access checking performed for each operation is as
	follows. When an operation requires checking access on all
	directories served by this rpc.nisd, access is denied if at
	least one of the directories prohibits the operation.

	NIS_CHECKPOINT

		Check specified directory, or all directories if
		there is no directory argument ("nisping -Ca").
		Return NIS_PERMISSION when access is denied.

	NIS_CPTIME

		Check specified directory. Return 0 when access
		is denied.

	NIS_PING

		Check specified directory. No return value.

	Note that older clients may not supply authentication
	information for some of the operations listed above.
	Such clients are treated as "nobody" when access checking
	is performed.

OPTIONS
	The following options are supported:

	-v	Verbose mode.

	-r	Remove access control for a certain operation on the
		specified directory.

	-l	List the access control for a single operation, or for
		all operations that have access control enabled.

EXAMPLES
	Example 1: Enable access control for the NIS_PING operation on
	"org_dir.`domainname`." such that only the owner of the directory
	can perform a NIS_PING, or change the NIS_PING rights:

	example% nisopaccess org_dir NIS_PING o=rmcd,g=,w=,n=

	Example 2: List the access to the NIS_PING operation for org_dir:

	example% nisopaccess -l org_dir NIS_PING
	NIS_PING	----rmcd--------	owner.dom.ain.	group.dom.ain.

	Example 3: Remove access control for NIS_PING on org_dir:

	example% nisopaccess -r org_dir NIS_PING
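
	The audit script below is an added example, not part of the original
	manual page or of NIS+ itself. It reads listing lines in the format of
	Example 2 and reports which classes may perform each operation, and
	which checked operations have no access control entry at all.
	Assumptions: the rights string is four rmcd groups in the order nobody,
	owner, group, world; function names and sample lines are constructed.

```shell
#!/bin/sh
# Audit "nisopaccess -l directory" output (line format as in Example 2).
# Assumption: the 16-character rights string is four rmcd groups in the
# NIS+ display order nobody, owner, group, world.

# Operations whose access control is implemented (no asterisk in the list).
CHECKED_OPS="NIS_CHECKPOINT NIS_CPTIME NIS_PING"

# readers RIGHTS: print the classes holding "r", the only right that
# decides who may perform the operation.
readers() {
	rights=$1 out=
	[ "${#rights}" -eq 16 ] || { echo "invalid"; return 1; }
	for class in nobody owner group world; do
		case $rights in r*) out="$out${out:+,}$class" ;; esac
		rights=${rights#????}	# drop this class's four characters
	done
	echo "${out:-none}"
}

# audit_listing: read listing lines on stdin, print one finding per operation.
audit_listing() {
	seen=
	while read -r op acl _rest; do
		[ -n "$op" ] || continue
		seen="$seen $op"
		who=$(readers "$acl") || { echo "$op UNPARSED"; continue; }
		case ",$who," in
			# "nobody" also covers older clients that send no credentials.
			*,nobody,*|*,world,*) echo "$op EXPOSED $who" ;;
			*) echo "$op RESTRICTED $who" ;;
		esac
	done
	# Operations absent from the listing have no access control enabled.
	for op in $CHECKED_OPS; do
		case " $seen " in *" $op "*) ;; *) echo "$op UNCONTROLLED anyone" ;; esac
	done
}

# Constructed sample listing; owner and group names are placeholders.
sample_listing() {
	printf 'NIS_PING\t----rmcd--------\towner.dom.ain.\tgroup.dom.ain.\n'
	printf 'NIS_CPTIME\tr---rmcdr---r---\towner.dom.ain.\tgroup.dom.ain.\n'
}

sample_listing | audit_listing
```

	To audit a live directory, pipe the output of "nisopaccess -l" for
	that directory into audit_listing in place of the sample.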

EXIT STATUS
	0	Successful operation.
	other	Operation failed. The status is usually the return status
		from a NIS+ command such as nistbladm.

SEE ALSO
	nis+(1), nistbladm(1), nischmod(1)

NOTES
	The access control is implemented by creating a NIS+ table
	called 'proto_op_access' in each NIS+ directory to which
	access control should be applied. The table can be manipulated
	using normal NIS+ commands. However, nisopaccess is the only
	supported interface for NIS+ operation access control.


SunOS 5.5.1-5.7		Last change: 10 March 1999
