A final step in designing ACLs and identifiers is to consider
how and when different identifiers are going to be used. Users often
need to hold an identifier for different reasons, such as updating
databases or performing system operations. For this reason, you
may want to qualify the use of an identifier.
There are several ways to qualify identifiers. One way is
to use environmental identifiers, and another is to add special
attributes to identifiers, as described in “Customizing Identifiers”.
Environmental identifiers describe different types of users
based on their initial entry into the system. These identifiers (local,
dialup, remote, interactive, network, and batch) let you define
a large potential group of users according to their use of the system.
Typically, these types of identifiers are used in combination with other
identifiers.
For example, the following ACE permits user Martin to have
read, write, execute, and delete access to the object only when
logged in from a local terminal:
(IDENTIFIER=MARTIN+LOCAL,ACCESS=READ+WRITE+EXECUTE+DELETE)
You can use the environmental identifiers in ACLs to deny
access to an entire class of logins. For example, the following
ACE denies access to all dialup users:
(IDENTIFIER=DIALUP,ACCESS=NONE)
In assigning these environmental identifiers to users in a
DECwindows environment, remember that DECwindows processes can be
virtually any type of process. For example, a user may choose to
run DECwindows Mail in a batch job. Even though the process is communicating
interactively with a user through a DECwindows workstation, it is
still classified as a batch job.
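
The following sketch is an added example, not code from this guide or from the operating system. It parses the two ACEs shown above and evaluates them against three processes, including the DECwindows batch case. It assumes that an ACE matches only when the process holds every identifier joined by +, that the first matching ACE decides, and that the identifier sets listed for each process are constructed for illustration.

```python
import re

# Simplified model of identifier ACE matching; not OpenVMS code.
ACE_RE = re.compile(r"^\(IDENTIFIER=([A-Z0-9_$+]+),ACCESS=([A-Z+]+)\)$")

def parse_ace(text):
    """Parse '(IDENTIFIER=A+B,ACCESS=X+Y)' into (required identifiers, access set)."""
    m = ACE_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {text!r}")
    required = frozenset(m.group(1).split("+"))
    # ACCESS=NONE grants nothing, so it becomes the empty set.
    access = frozenset(m.group(2).split("+")) - {"NONE"}
    return required, access

def check_access(acl, held, wanted):
    """Return True/False from the first matching ACE, or None if no ACE matches.

    An ACE matches only when the process holds every identifier it names.
    None means the decision falls through to checks this model leaves out.
    """
    held = {h.upper() for h in held}
    for text in acl:
        required, access = parse_ace(text)
        if required <= held:
            return wanted.upper() in access
    return None

# Constructed ACL using the two ACEs from the text, deny entry first.
ACL = [
    "(IDENTIFIER=DIALUP,ACCESS=NONE)",
    "(IDENTIFIER=MARTIN+LOCAL,ACCESS=READ+WRITE+EXECUTE+DELETE)",
]

# Constructed processes: the identifiers each one is assumed to hold.
PROCESSES = {
    "Martin, local terminal": {"MARTIN", "INTERACTIVE", "LOCAL"},
    "Martin, dialup line": {"MARTIN", "INTERACTIVE", "DIALUP"},
    "Martin, DECwindows Mail in batch": {"MARTIN", "BATCH"},
}

if __name__ == "__main__":
    for name, held in PROCESSES.items():
        print(f"{name:35} WRITE -> {check_access(ACL, held, 'WRITE')}")
```

The batch process matches neither ACE even though the user is working at a workstation, so an ACL written around LOCAL or INTERACTIVE does not grant it the access the author may have intended.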