Software Distributor Administrator Guide (September 2010)

# swacl -l product_template -F tmp_file \
@ /var/spool/sw_dev
To delete entries for user barb and group swadm, use:
# swacl -D user:barb -D group:swadm -l product FORTRAN
To give user ramon permission to modify the product FORTRAN, type:
# swacl -M user:ramon:trw -l product FORTRAN
To add an entry for user pam with complete management permission
(“a” is shorthand for crwit), use:
# swacl -M user:pam:a
To add an entry to grant every user in group swadm at remote hosts dewd and stewd
full management control of the product FORTRAN on the default local depot, use the
following:
# swacl -M group:swadm@dewd:a -M group:swadm@stewd:a \
-l product FORTRAN
To list the ACL protecting the default depot at host dewd, type:
# swacl -l depot @ dewd
9.4 How ACLs are Matched to the User
ACL permissions are determined by a match to a single ACL entry, not to an
accumulation of matching entries. Checking is done from the most restrictive entry
types to the broadest.
If a match is found in a user entry type, no further checking is done, and the permissions
for that user are fully defined by the permissions field of the matched entry. A matched
user may be a member of a group with broader permissions; this has no consequence.
NOTE: The local superuser has access to all local SD-UX objects irrespective of ACLs.
The ACL matching algorithm is:
1. If user is local superuser, then grant all permissions.
2. If user is owner of the object, then grant object_owner permissions.
3. If user matches a user entry, then grant user permissions.
4. If any group entries match, then accumulate the permissions granted by all group
entries that match the user's primary and supplementary groups.
5. If an appropriate other entry matches, then grant other permissions.
6. If an any_other entry exists, then grant any_other permissions.
7. Grant no permissions.
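The matching order above can be traced with a short Python model; this is an added illustration, not SD-UX code or part of the guide. It shows that a matching user entry caps a user's access even when one of their groups grants more, and that only group entries accumulate. The tuple layout, the host name depot1, the rule that a key without @host means the local host, and falling through to later steps when the owner has no object_owner entry are all assumptions of this sketch.

```python
ALL = frozenset("crwit")  # the guide gives "a" as shorthand for crwit

def expand(perms):
    """'trw' -> {'t','r','w'}; 'a' -> all five letters."""
    return ALL if perms == "a" else frozenset(perms.replace("-", ""))

def effective_permissions(acl, user, groups, host, local_host,
                          owner=None, superuser=False):
    """Walk steps 1-7; return the permissions of the first step that matches.
    acl: (entry_type, key, perms) tuples, a hypothetical in-memory form.
    key: 'name' or 'name@host'; owner: (name, host) of the owner, or None."""
    def at(key):
        name, _, h = (key or "").partition("@")
        return name, h or local_host

    def granted(kind, match):
        hits = [expand(p) for k, key, p in acl if k == kind and match(key)]
        # Several group entries can match; their permissions are accumulated.
        return frozenset().union(*hits) if hits else None

    if superuser and host == local_host:                       # step 1
        return ALL
    steps = [
        ("object_owner", lambda key: owner == (user, host)),   # step 2
        ("user", lambda key: at(key) == (user, host)),         # step 3
        ("group", lambda key: at(key)[1] == host and at(key)[0] in groups),  # 4
        ("other", lambda key: at(key)[1] == host),             # step 5
        ("any_other", lambda key: True),                       # step 6
    ]
    for kind, match in steps:
        result = granted(kind, match)
        if result is not None:   # first matching entry type wins outright
            return result
    return frozenset()                                         # step 7

# Constructed sample ACL (not output from a real depot); local host "depot1".
SAMPLE_ACL = [
    ("object_owner", None, "a"),
    ("user", "ramon", "r"),
    ("group", "swadm", "a"),
    ("group", "devel", "rt"),
    ("group", "swadm@dewd", "rw"),
    ("any_other", None, "r"),
]

def check(user, groups, host="depot1", **kw):
    """Effective permissions on SAMPLE_ACL as a sorted string, e.g. 'rt'."""
    perms = effective_permissions(SAMPLE_ACL, user, groups, host, "depot1", **kw)
    return "".join(sorted(perms))
```

With this sample, ramon is limited to read by his user entry although he belongs to swadm, which is the case to look for when auditing an ACL for entries that silently narrow or widen access.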