Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!pasteur!ucbvax!LBL.GOV!nagy%warner.hepnet
From: nagy%warner.hepnet@LBL.GOV (Frank J. Nagy, VAX Wizard & Guru)
Newsgroups: comp.os.vms
Subject: Re: A query regarding ACLs
Message-ID: <880511043742.2080769c@LBL.Gov>
Date: 11 May 88 11:37:42 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 38

> Can somebody tell me if it's possible to put an ACE on a file specifying
> the node in the identifier field. I.e. can I do the equivalent of:
>
> ACE = (IDENTIFIER=(MYNODE::[100,20]),options=protected,access=read)

I'm nearly 100% sure that this is NOT allowed.

> See what I'm trying to do? Basically, I want to be able to distinguish
> between a [100,20], say, on one machine, and another [100,20] on a
> different machine.

I don't see the need for this... when the user with UIC [100,20] on MYNODE
reaches into your system (where the ACL is being placed), an agent process
running FAL is executed for him. This agent process either:

- runs under the default DECNET account which is probably not UIC [100,20].

- runs under a proxy account on your system assuming you have proxies
  set up AND you've set up one for remote [100,20]. In this case, you know
  WHO Mr. Remote [100,20] is on your system.

In either case, see the documentation about the NETWORK identifier. This
is automatically set for network (such as FAL access) jobs whether run
under the DECNET or a proxy account.

If the issue is one of access to removable media which has been transferred
between the two systems... this is a different problem which is not solvable
using UICs (in general). For most systems, this is a physical security
problem.

= Frank J. Nagy "VAX Guru & Wizard"
= Fermilab Research Division EED/Controls
= HEPNET: WARNER::NAGY (43198::NAGY) or FNAL::NAGY (43009::NAGY)
= BitNet: NAGY@FNAL
= USnail: Fermilab POB 500 MS/220 Batavia, IL 60510
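
A small model of the behaviour described in the reply above, added here as an example and not part of the original post: a remote [100,20] is checked as whichever local account the FAL agent runs under, plus the NETWORK identifier. The proxy table, the account names `REMOTE_USER` and `DECNET_DEFAULT`, and the ACL are constructed for illustration, and the first-match, hold-all-identifiers rule is a simplified model of VMS ACL evaluation.

```python
# Simplified model (constructed for illustration) of how a DECnet FAL
# request is checked against a VMS ACL on the node that owns the file.

# Hypothetical proxy database: (remote node, remote user) -> local account
PROXIES = {("MYNODE", "[100,20]"): "REMOTE_USER"}
DEFAULT_DECNET_ACCOUNT = "DECNET_DEFAULT"  # hypothetical default DECnet account


def network_rights(node, remote_user, proxies=PROXIES):
    """Identifiers held by the FAL agent process created for a remote request."""
    local_account = proxies.get((node, remote_user), DEFAULT_DECNET_ACCOUNT)
    # The remote node and remote UIC never enter the rights list; only the
    # local account the agent runs under and the NETWORK identifier do.
    return {local_account, "NETWORK"}


def local_rights(account):
    """Identifiers held by an interactive login on the local node."""
    return {account, "INTERACTIVE"}


def check_acl(acl, rights):
    """Return the access granted by the first ACE whose identifiers are all held.

    None means no ACE matched, so the decision falls through to ordinary
    UIC-based protection, which is not modelled here.
    """
    for identifiers, access in acl:
        if set(identifiers) <= rights:
            return access
    return None


# Constructed ACL: the proxied remote user may read, every other network
# job is denied, and the local [100,20] keeps read and write access.
ACL = [
    (("NETWORK", "REMOTE_USER"), {"READ"}),
    (("NETWORK",), set()),
    (("[100,20]",), {"READ", "WRITE"}),
]

if __name__ == "__main__":
    print("proxied MYNODE::[100,20]:", check_acl(ACL, network_rights("MYNODE", "[100,20]")))
    print("unproxied OTHER::[100,20]:", check_acl(ACL, network_rights("OTHER", "[100,20]")))
    print("local [100,20]:", check_acl(ACL, local_rights("[100,20]")))
```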