Sun Microsystems, Inc.
15. Administering NIS+ Access Rights
Table, Column, Entry Example

Column-level or entry-level access rights can provide additional access in two ways: by extending the rights to additional principals or by granting additional rights to the same principals. Both ways can also be combined. Following are some examples.

Assume a table object granted read rights to the table's owner:

Table 15-1 Table, Column, Entry Example 1

                          Nobody    Owner    Group    World
Table Access Rights:      ----      r---     ----     ----

This means that the table's owner could read the contents of the entire table but no one else could read anything. You could then specify that Entry-2 of the table grant read rights to the group class:

Table 15-2 Table, Column, Entry Example 2

                          Nobody    Owner    Group    World
Table Access Rights:      ----      r---     ----     ----
Entry-2 Access Rights:    ----      ----     r---     ----

Although only the owner could read all the contents of the table, any member of the table's group could read the contents of that particular entry. Now, assume that a particular column granted read rights to the world class:

Table 15-3 Table, Column, Entry Example 3

                          Nobody    Owner    Group    World
Table Access Rights:      ----      r---     ----     ----
Entry-2 Access Rights:    ----      ----     r---     ----
Column-1 Access Rights:   ----      ----     ----     r---

Members of the world class could now read that column for all entries in the table (light shading in Table 15-4). Members of the group class could read everything in Column-1 (because members of the group class are also members of the world class) and also all columns of Entry-2 (dark shading in Table 15-4). Neither the world nor the group class could read any cells marked *NP* (for Not Permitted).

Table 15-4 Table, Column, Entry Example 4

             Col 1       Col 2       Col 3
Entry-1      contents    *NP*        *NP*
Entry-2      contents    contents    contents
Entry-3      contents    *NP*        *NP*
Entry-4      contents    *NP*        *NP*
Entry-5      contents    *NP*        *NP*

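The way table-, entry- and column-level read rights combine in Examples 1 through 3 can be checked mechanically. The following Python model is an added example and is not code from the Sun manual or from NIS+ itself; it parses rights written as four 4-character groups in the order nobody, owner, group, world (the `r---` notation used in the tables above, with the letters r, m, c and d standing for read, modify, create and destroy), treats a request as permitted when any class the principal belongs to grants it, and follows the text in making group members also members of the world class. That the owner is treated as an authenticated principal, and so also a member of the world class, is an assumption of this model, as are the names `parse_rights`, `can_read_cell`, `read_grid` and `example_grid`. Run as a script it prints the Table 15-4 grid as seen by a principal in each class.

```python
"""Added example (not part of the Sun NIS+ manual): a small model of how
table-, entry- and column-level read rights combine, used to reproduce the
"contents" / *NP* grid of Table 15-4.

Assumptions of this model (not stated by the manual in this form):
  * a rights specification is four 4-character groups in the order
    nobody, owner, group, world, each using the letters r m c d
    (read, modify, create, destroy) or '-' for a right not granted;
  * a request is permitted if any class the principal belongs to grants it;
  * class membership follows the text: group members are also members of
    the world class and everyone is in the nobody class; treating the
    owner as an authenticated principal (hence also in world) is assumed.
"""

CLASSES = ("nobody", "owner", "group", "world")
RIGHT_FLAGS = "rmcd"

# Constructed sample matching Examples 1-3 in the text.
EXAMPLE_TABLE_RIGHTS = "---- r--- ---- ----"
EXAMPLE_ENTRY_RIGHTS = {"Entry-2": "---- ---- r--- ----"}
EXAMPLE_COLUMN_RIGHTS = {"Col 1": "---- ---- ---- r---"}
EXAMPLE_ENTRIES = ["Entry-1", "Entry-2", "Entry-3", "Entry-4", "Entry-5"]
EXAMPLE_COLUMNS = ["Col 1", "Col 2", "Col 3"]


def parse_rights(spec):
    """Turn '---- r--- ---- ----' into {'nobody': set(), 'owner': {'r'}, ...}."""
    groups = spec.split()
    if len(groups) != 4:
        raise ValueError("expected four groups: nobody owner group world")
    rights = {}
    for cls, group in zip(CLASSES, groups):
        if len(group) != 4:
            raise ValueError(f"bad rights group {group!r}")
        flags = set()
        for ch, flag in zip(group, RIGHT_FLAGS):
            if ch == flag:
                flags.add(flag)
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {group!r}")
        rights[cls] = flags
    return rights


def principal_classes(relation):
    """Classes a principal belongs to, given its relation to the object."""
    membership = {
        "owner": {"owner", "world", "nobody"},   # assumption: owner is authenticated
        "group": {"group", "world", "nobody"},   # per the text: group implies world
        "world": {"world", "nobody"},            # authenticated, not in the group
        "nobody": {"nobody"},                    # unauthenticated request
    }
    return membership[relation]


def grants(spec, classes, flag):
    """True if any of the principal's classes has `flag` in this rights spec."""
    rights = parse_rights(spec)
    return any(flag in rights[cls] for cls in classes)


def can_read_cell(table_rights, entry_rights, column_rights, relation, entry, column):
    """Read access to one cell: table-, entry- or column-level rights suffice."""
    classes = principal_classes(relation)
    if grants(table_rights, classes, "r"):
        return True
    if entry in entry_rights and grants(entry_rights[entry], classes, "r"):
        return True
    if column in column_rights and grants(column_rights[column], classes, "r"):
        return True
    return False


def read_grid(table_rights, entry_rights, column_rights, relation, entries, columns):
    """Map each entry to {column: 'contents' | '*NP*'} for the given principal."""
    return {
        entry: {
            column: "contents"
            if can_read_cell(table_rights, entry_rights, column_rights, relation, entry, column)
            else "*NP*"
            for column in columns
        }
        for entry in entries
    }


def example_grid(relation):
    """The Table 15-4 grid as seen by a principal with the given relation."""
    return read_grid(EXAMPLE_TABLE_RIGHTS, EXAMPLE_ENTRY_RIGHTS, EXAMPLE_COLUMN_RIGHTS,
                     relation, EXAMPLE_ENTRIES, EXAMPLE_COLUMNS)


def render_grid(grid, columns):
    """Plain-text rendering in the style of Table 15-4."""
    lines = [f"{'':<10}" + "".join(f"{c:<10}" for c in columns)]
    for entry, cells in grid.items():
        lines.append(f"{entry:<10}" + "".join(f"{cells[c]:<10}" for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    for relation in ("nobody", "world", "group", "owner"):
        print(f"--- as seen by a {relation}-class principal ---")
        print(render_grid(example_grid(relation), EXAMPLE_COLUMNS))
```

For the group-class principal the output reproduces Table 15-4 exactly: Col 1 is readable in every entry through the column-level right, Entry-2 is readable in every column through the entry-level right, and the remaining cells are *NP*. A world-class principal sees only Col 1, the owner sees everything through the table-level right, and an unauthenticated (nobody) request sees nothing, because no level grants the nobody class anything.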
Rights at Different Levels

This section describes how the four different access rights (read, create, modify, and destroy) work at the four different access levels (directory, table, column, and entry).

The objects that these various rights and levels act on are summarized in Table 15-5:

Table 15-5 Access Rights and Levels and the Objects They Act Upon

Right     Directory                                Table                                   Column                              Entry
Read      List directory contents                  View table contents                     View column contents                View entry (row) contents
Create    Create new directory or table objects    Add new entries (rows)                  Enter new data values in a column   Enter new data values in an entry (row)
Modify    Move objects and change object names     Change data values anywhere in table    Change data values in a column      Change data values in an entry (row)
Destroy   Delete directory objects such as tables  Delete entries (rows)                   Delete data values in a column      Delete data values in an entry (row)

Read Rights

  • Directory. If you have read rights to a directory, you can list the contents of the directory.

  • Table. If you have read rights to a table, you can view all the data in that table.

  • Column. If you have read rights to a column, you can view all the data in that column.

  • Entry. If you have read rights to an entry, you can view all the data in that entry.

Create Rights

  • Directory. If you have create rights at the directory level, you can create new objects in the directory such as new tables.

  • Table. If you have create rights at the table level, you can create new entries. (You cannot add new columns to an existing table regardless of what rights you have.)

  • Column. If you have create rights to a column, you can enter new data values in the fields of that column. You cannot create new columns.

  • Entry. If you have create rights to an entry, you can enter new data values in the fields of that row. (Entry level create rights do not permit you to create new rows.)

Modify Rights

  • Directory. If you have modify rights at the directory level, you can move or rename directory objects.

  • Table. If you have modify rights at the table level, you can change any data values in the table. You can create (add) new rows, but you cannot create new columns. If an existing field is blank, you can enter new data in it.

  • Column. If you have modify rights to a column, you can change the data values in the fields of that column.

  • Entry. If you have modify rights to an entry, you can change the data values in the fields of that row.

Destroy Rights

  • Directory. If you have destroy rights at the directory level, you can destroy existing objects in the directory such as tables.

  • Table. If you have destroy rights at the table level, you can destroy existing entries (rows) in the table. You cannot destroy existing columns in a table; you can only destroy entries.

  • Column. If you have destroy rights to a column, you can destroy existing data values in the fields of that column.

  • Entry. If you have destroy rights to an entry, you can destroy existing data values in the fields of that row.

Where Access Rights Are Stored

An object's access rights are specified and stored as part of the object's definition. This information is not stored in an NIS+ table.

Viewing an NIS+ Object's Access Rights

The access rights can be viewed by using the niscat command:

niscat -o objectname

Where objectname is the name of the object whose access rights you want to view.

This command returns the following information about an NIS+ object:

  • Owner. The single NIS+ principal who has ownership rights. This is usually the person who created the object, but it could be someone to whom the original owner transferred ownership rights.

  • Group. The object's NIS+ group.

  • Nobody class access rights. The access rights granted to everyone, whether they are authenticated (have a valid DES credential) or not.

  • Owner class access rights. The access rights granted to the object's owner.

  • Group class access rights. The access rights granted to the principals in the object's group.

  • World class access rights. The access rights granted to all authenticated NIS+ principals.
