Hewlett-Packard NetStorage 6000 Manual


Brand: HP

Category: Storage

Type: Manual  for HP NetStorage 6000

Pages: 28 (0.13 Mb)

Copyright © 2000 Hewlett-Packard Company Page 15 of 28
All Rights Reserved
that is used to keep a log of security events (such as who accesses which files) and to generate and log security
audit messages.
Each ACE contains a security ID (SID) and an access mask. The SID identifies the user or group associated with
the entry, and the access mask defines the type of access allowed or denied. The access mask varies for
different object types. In general, access masks include Standard types, Specific types, and Generic types. The
Standard types are defined as follows:
SYNCHRONIZE: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
WRITE_OWNER: The right to change the owner in the object's security descriptor.
WRITE_DAC: The right to modify the DACL in the object's security descriptor.
READ_CONTROL: The right to read the information in the object's security descriptor, not including the information in the SACL.
DELETE: The right to delete the object.
Specific types include access options that apply specifically to an object type. Each object type can have up to
16 specific access types. For example, Windows NT files have the following specific access types:
- ReadData
- WriteData
- AppendData
- ReadEA (Extended Attribute)
- WriteEA (Extended Attribute)
- Execute
- ReadAttributes
- WriteAttributes
The granting of access rights to a particular user for a particular object is known as the security policy. Each
request to access an object contains a set of desired access rights. These desired access rights are checked
against the access control information defined in the object’s security descriptor to determine whether
access should be granted or denied. There are two algorithms used to validate access to an object:
1) The first algorithm determines the maximum access allowed to the object. A grant-access mask and a deny-access
mask are constructed based on the entries in the DACL.
2) The second algorithm is used to determine the specific access allowed, based on the user’s access token.
The main task of these algorithms is to examine each ACE in the DACL. If the SID in the ACE matches a SID in
the user’s access token, the ACE is processed further to determine the access allowed. If any requested access
type is specifically denied to the user in one of the entries, then access to the object is denied. If ALL of the
requested access types are specifically granted after examining the ACEs in the DACL, then the user is granted
access to the object. Otherwise, access is denied.
For example, if a user wants to access a file for reading and writing, then the ACEs in the DACL must contain
one or more entries that specifically allow both reading and writing to the user. In addition, there must not exist
any entry that specifically denies reading or writing to the user. Otherwise, the user will be denied access to the
file.
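
The two access-validation algorithms described above, modelled as an added example (not code from the HP manual or from Windows). The Ace class, function names, SIDs and DACL are constructed for illustration, and the model assumes ACEs are evaluated in list order with deny entries placed first.

```python
from dataclasses import dataclass

# File-specific rights and one standard right, with their winnt.h values.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x0001, 0x0002, 0x0020
DELETE = 0x00010000

@dataclass(frozen=True)
class Ace:                      # hypothetical model of one DACL entry
    allow: bool                 # True = access-allowed, False = access-denied
    sid: str                    # user or group the entry applies to
    mask: int                   # access rights granted or denied

def maximum_allowed(token_sids, dacl):
    """First algorithm: build grant and deny masks from the matching ACEs."""
    granted = denied = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                        # entry is for someone else
        if ace.allow:
            granted |= ace.mask & ~denied   # a right denied earlier stays denied
        else:
            denied |= ace.mask & ~granted   # a right granted earlier stays granted
    return granted

def access_check(token_sids, dacl, desired):
    """Second algorithm: grant only if every desired right is allowed."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False                    # a requested right is denied
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True                 # all requested rights granted
    return False                            # some right was never granted

# Constructed sample data: these SIDs and this DACL are made up for the example.
ALICE, STAFF, TEMPS = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-2002"
DACL = [Ace(False, TEMPS, FILE_WRITE_DATA | DELETE),
        Ace(True, ALICE, FILE_READ_DATA),
        Ace(True, STAFF, FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE)]
```

A token holding ALICE and STAFF gets read and write because the two allow entries together cover the request; adding TEMPS to the token makes the same request fail on the deny entry, and an empty DACL grants nothing.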