Air Cleaner User Manual
The following example describes the permission records and how they are
interpreted. Note that this is a deliberately complex example: ordinarily, records
are defined either for all hosts or for each specific host, but not both.
Assume the following client host/user records exist on the server:
Host to  Hosts to    Users to  Users to      Devices          Backup                           Network installation
allow    deny        allow     deny                           directories                      image directories
-------  ----------  --------  ------------  ---------------  -------------------------------  ---------------------------
venus                root                    all              /usr/lpp/sysback/bf/venus/root
venus                all       bobby cindy   /dev/rmt1
all                  root                    all                                               /usr/lpp/sysback/images/all
all      mars pluto  all       greg marsha   /dev/rmt0        /usr/lpp/sysback/bf/all/all
                               peter         vdev0
When a client host attempts to gain access to a server, the permission records are
checked on the server in the following order:
1. First, the records are checked to ensure that the host attempting to gain
access has not been explicitly denied. Denied hosts are listed only under the
record assigned to “all” hosts. In the example, any user on host mars who
attempts to perform a backup to this server will receive a message that
permission is denied.
2. Next, the records are searched to ensure that the specific user has not been
denied access. Users can be denied under any record that applies to “all” users,
whether for a specific host or for all hosts. If user marsha attempts to gain
access from any host, she will be denied because the record for “all” hosts
explicitly denies her. If user cindy on host venus attempts to gain access, she
will be denied because the record for all users on venus explicitly denies her.
User cindy can still perform a backup from any other host.
3. Assuming neither the host nor the user is explicitly denied, the records are
then searched for one matching the specific host and the specific user. In the
example, if the root user on host venus attempts to gain access, this user will be
allowed to back up to all devices and to the /usr/lpp/sysback/bf/venus/root
directory on the server.
4. If no such record exists, the records are searched for one matching “all”
users on the specific host. In the example, if user jan on host venus attempts to
gain access, she will obtain permission from the record assigned to all users on
venus. She will therefore have access only to device /dev/rmt1 and to no backup
image directories.
5. Lastly, if none of the above match, the records are searched for “all” users
on “all” hosts. If user alice on host neptune attempts to perform a backup to the
server, she will gain access under this record. She will therefore be allowed to
back up to devices /dev/rmt0 and vdev0 and to the backup image directory
/usr/lpp/sysback/bf/all/all.
Also note that if the record for host venus and user “all” is removed, all users
on venus except root no longer have a host-specific record and instead fall
through to the devices and directories defined under the record for all users on
all hosts. Removing that record also removes the only denial of users bobby and
cindy, so they too gain access under the record for all users on all hosts.
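The five-step check and the removal case above, as an added worked example. This is not Sysback code: the record fields and the four sample records are constructed to match the manual's table, while the function names (check_access, granted, without) and the Python structure are this example's own. One point the manual's steps leave open is recorded in a comment: as written, the lookup never consults a record for a single user on "all" hosts, such as the all/root record in the table.

```python
# Added example, not from the Sysback manual: a model of the server-side
# permission-record check, evaluated in the order the manual describes.
from dataclasses import dataclass

ALL = "all"


@dataclass(frozen=True)
class Record:
    host: str                        # "all" or one host name
    user: str                        # "all" or one user name
    deny_hosts: frozenset = frozenset()
    deny_users: frozenset = frozenset()
    devices: tuple = ()              # ("all",) grants every device
    backup_dirs: tuple = ()
    install_dirs: tuple = ()


# The four records from the manual's example table (constructed to match it).
RECORDS = (
    Record("venus", "root", devices=("all",),
           backup_dirs=("/usr/lpp/sysback/bf/venus/root",)),
    Record("venus", ALL, deny_users=frozenset({"bobby", "cindy"}),
           devices=("/dev/rmt1",)),
    Record(ALL, "root", devices=("all",),
           install_dirs=("/usr/lpp/sysback/images/all",)),
    Record(ALL, ALL, deny_hosts=frozenset({"mars", "pluto"}),
           deny_users=frozenset({"greg", "marsha", "peter"}),
           devices=("/dev/rmt0", "vdev0"),
           backup_dirs=("/usr/lpp/sysback/bf/all/all",)),
)


def check_access(host, user, records=RECORDS):
    """Apply the manual's five steps; return (allowed, reason, record)."""
    # Step 1: host denials are honoured only on "all hosts" records.
    for r in records:
        if r.host == ALL and host in r.deny_hosts:
            return False, f"host {host} is explicitly denied", r
    # Step 2: user denials apply on any "all users" record covering this host.
    for r in records:
        if r.user == ALL and r.host in (host, ALL) and user in r.deny_users:
            return False, f"user {user} is explicitly denied on {r.host}", r
    # Steps 3-5: specific host/user, then all users on the host, then all/all.
    # As the steps are written, a record for one user on "all" hosts (such as
    # the all/root record above) is never reached by this lookup.
    for h, u in ((host, user), (host, ALL), (ALL, ALL)):
        for r in records:
            if r.host == h and r.user == u:
                return True, f"matched record {h}/{u}", r
    return False, "no matching record", None


def granted(host, user, records=RECORDS):
    """Devices and directories the caller may use, or None if denied."""
    ok, _, r = check_access(host, user, records)
    if not ok:
        return None
    return {"devices": r.devices, "backup_dirs": r.backup_dirs,
            "install_dirs": r.install_dirs}


def without(records, host, user):
    """Records minus the one for host/user (the manual's removal case)."""
    return tuple(r for r in records if not (r.host == host and r.user == user))


if __name__ == "__main__":
    for h, u in (("mars", "bobby"), ("venus", "marsha"), ("venus", "cindy"),
                 ("neptune", "cindy"), ("venus", "root"), ("venus", "jan"),
                 ("neptune", "alice")):
        print(f"{u}@{h}: {check_access(h, u)[:2]}")
    trimmed = without(RECORDS, "venus", ALL)
    for u in ("jan", "bobby", "root"):
        print(f"without venus/all, {u}@venus: {check_access('venus', u, trimmed)[:2]}")
```

Running the block prints one line per case from the text: mars and marsha denied at steps 1 and 2, cindy denied from venus but allowed from neptune, root on venus matched at step 3, jan at step 4, alice at step 5, and, after the venus/all record is dropped, jan and bobby both landing on the all/all record while root keeps venus/root.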
Chapter 8. Remote Services 8-3