Initial Registry ACLs

When the registry database is created, the principal, group, and org directories and the policy, replist, and xattrschema objects are given initial ACLs. As new objects are created in the registry, they inherit their ACLs from the principal, group, and org directory ACLs. The ACL entry key for those initial ACL entries that require a key is the name of the principal that creates the registry database (supplied to the sec_create_db command as the registry creator), or root if no name is supplied. (See Setting Up the Registry for more information on sec_create_db and the registry creator.)

The initial ACLs that are created when the registry database is created are described in the following list. In the list, rgy_creator signifies the principal that is named as the registry creator.

Note: Your platform's configuration tool may update these initial ACLs.

· For principal objects

unauthenticated:r--------

user_obj:r---f--ug

user:rgy_creator:rcDnfmaug

other_obj:r-------g

any_other:r--------

· For group objects

unauthenticated:r-t-----

user:rgy_creator:rctDnfmM

group_obj:r-t-----

other_obj:r-t-----

any_other:r-t-----

· For org objects

unauthenticated:r-t-----

user:rgy_creator:rctDnfmM

other_obj:r-t-----

any_other:r-t-----

· For the policy object

unauthenticated:r----

user:rgy_creator:rcma

other_obj:r----

any_other:r----

· For directory objects

unauthenticated:r-----

user:rgy_creator:rcidDn

other_obj:r-----

any_other:r-----

· For the replist object

user:cell_admin:cidmA-

· For the xattrschema object

unauthenticated:r-----

user:cell_admin:rcidm

other_obj:r-----

any_other:r-----
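
The following check is an added example, not part of the original documentation or of DCE: it compares a set of ACL entries against the initial ACLs listed above for three of the object types (group, policy, directory) and reports what has been added, removed, or is missing. The function names `parse_entry` and `drift`, the reading of `-` as an ungranted permission, and the sample entries (including the `helpdesk` principal) are assumptions made for illustration.

```python
# Added example: compare ACL entries against the documented initial registry ACLs.
# Baseline strings are copied from the list above; sample entries are constructed.
BASELINE = {
    "group": ["unauthenticated:r-t-----", "user:rgy_creator:rctDnfmM",
              "group_obj:r-t-----", "other_obj:r-t-----", "any_other:r-t-----"],
    "policy": ["unauthenticated:r----", "user:rgy_creator:rcma",
               "other_obj:r----", "any_other:r----"],
    "directory": ["unauthenticated:r-----", "user:rgy_creator:rcidDn",
                  "other_obj:r-----", "any_other:r-----"],
}

def parse_entry(entry):
    """Split 'type[:key]:perms' into ((type, key), set of permission letters)."""
    parts = entry.strip().split(":")
    if len(parts) == 2:
        etype, key, perms = parts[0], None, parts[1]
    elif len(parts) == 3:
        etype, key, perms = parts
    else:
        raise ValueError(f"malformed ACL entry: {entry!r}")
    return (etype, key), set(perms.replace("-", ""))  # assumption: '-' = not granted

def drift(obj_type, current, creator="root"):
    """Return findings where `current` differs from the documented initial ACL."""
    base = {}
    for e in BASELINE[obj_type]:
        (etype, key), perms = parse_entry(e)
        # rgy_creator stands for the registry creator (root if none was supplied)
        base[(etype, creator if key == "rgy_creator" else key)] = perms
    seen, findings = set(), []
    for e in current:
        ident, perms = parse_entry(e)
        seen.add(ident)
        label = ":".join(p for p in ident if p)
        if ident not in base:
            findings.append(f"{label}: entry not in initial ACL")
            continue
        if perms - base[ident]:
            findings.append(f"{label}: added {''.join(sorted(perms - base[ident]))}")
        if base[ident] - perms:
            findings.append(f"{label}: removed {''.join(sorted(base[ident] - perms))}")
    findings += [f"{':'.join(p for p in i if p)}: initial entry missing"
                 for i in base if i not in seen]
    return findings

# Constructed sample: a group ACL where any_other gained M and a user entry was added.
sample = ["unauthenticated:r-t-----", "user:root:rctDnfmM", "group_obj:r-t-----",
          "other_obj:r-t-----", "any_other:r-t----M", "user:helpdesk:rctDnfmM"]
if __name__ == "__main__":
    for finding in drift("group", sample):
        print(finding)
```

Because the platform's configuration tool may update the initial ACLs, a finding marks a difference from the documented defaults to review, not necessarily a misconfiguration.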