
Controlling Access to CDS Clerk and Server Management Operations

CDS authorization allows you to control the use of CDS commands that involve local management operations on CDS clerks and servers. Principal names for each clerk and server are stored in the security namespace. An object entry that contains the binding information for each clerk and server is stored in the CDS namespace in the /.:/hosts subdirectory. Servers are represented as /.:/hosts/hostname/cds-server. Clerks are represented as /.:/hosts/hostname/cds-clerk. Each clerk and server maintains a separate access control list that contains ACL entries specifying the principals allowed to perform these operations. Unlike the ACLs that are associated with names in the namespace, the ACLs that are associated with clerks and servers exist exclusively to provide local control of the use of these commands.

Whenever a new clerk or server is initialized, an access control list is created on the clerk or server system. An initial ACL entry is also created, granting the machine principal and the namespace authorization group (subsys/dce/cds-admin) read, write, and control permissions to the clerk or server process on that system. All other principals, both authenticated and unauthenticated, are granted read permission. This initial ACL entry ensures that, as soon as the clerk or server is initialized, any user logged into the system as the machine principal is permitted to execute privileged clerk or server CDS commands.

Note: Use of the machine principal for this purpose is provided as a convenience and assumes that the account itself (username and password) is already moderately secure. Namespace administrators may prefer to modify this scheme and grant permission to particular clerks and servers on behalf of other individual principals or authorization groups.

To edit an ACL that is associated with a CDS clerk or server, you use the dcecp program's acl modify command with the -change option. For example, to change the permissions for the user michaels in the ACL that is associated with the CDS clerk on node orion, enter the following command:

dcecp> acl modify /.:/hosts/orion/cds-clerk -change {user michaels rw}

Keep in mind that clerks and servers are also represented by entries in the namespace. To edit an ACL that is associated with the namespace entry for a CDS clerk or server, you must include the -entry option, as well as the -change option, in the acl modify command line. For detailed instructions on how to modify an ACL on the CDS entry for a DCE resource, see Editing ACLs on CDS Names.
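An added example, not part of the original documentation: a small audit of a clerk or server management ACL that reports any principal holding write or control beyond the initial grants (machine principal and subsys/dce/cds-admin) and any additions an administrator has approved. Assumptions: entries are in the `{type [key] perms}` form used in the acl modify example above, control is written as `c`, the machine principal is named `hosts/orion/self`, and the keyless types `unauthenticated` and `any_other` stand for "all other principals"; the sample ACL text is constructed.

```python
import re

PRIVILEGED = {"w", "c"}  # write and control; the letter "c" for control is assumed


def parse_acl(text):
    """Parse '{type [key] perms}' entries into (type, key, set_of_perms)."""
    entries = []
    for body in re.findall(r"\{([^{}]*)\}", text):
        parts = body.split()
        if len(parts) == 2:        # keyless entry, e.g. {any_other r}
            etype, key, perms = parts[0], None, parts[1]
        elif len(parts) == 3:      # keyed entry, e.g. {user michaels rw}
            etype, key, perms = parts
        else:
            raise ValueError(f"unrecognized ACL entry: {{{body}}}")
        entries.append((etype, key, set(perms) - {"-"}))
    return entries


def audit(text, machine_principal, allowed=(), admin_group="subsys/dce/cds-admin"):
    """Return entries holding write/control that are not on the expected list."""
    expected = {("user", machine_principal), ("group", admin_group), *allowed}
    findings = []
    for etype, key, perms in parse_acl(text):
        extra = perms & PRIVILEGED
        if extra and (etype, key) not in expected:
            findings.append((etype, key, "".join(sorted(extra))))
    return findings


# Constructed sample: the initial ACL described above plus the michaels entry.
# The machine principal name and the keyless entry types are assumptions.
SAMPLE = """
{unauthenticated r--}
{user hosts/orion/self rwc}
{group subsys/dce/cds-admin rwc}
{user michaels rw-}
{any_other r--}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "hosts/orion/self"):
        print("unexpected management rights:", finding)
```

Pass approved grants through `allowed`, for example `allowed=[("user", "michaels")]`, so that only unreviewed entries are reported.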