Specifying Column Access Rights

The nistbladm command performs a variety of operations on NIS+ tables. Most of these tasks are described in "The nistbladm Command". However, two of its options, -c and -u, enable you to perform some security-related tasks:

• The -c option. The -c option allows you to specify initial column access rights when creating a table with the nistbladm command.

• The -u option. The -u option allows you to change column access rights with the nistbladm command.

Setting Column Rights When Creating a Table

When a table is created, its columns are assigned the same rights as the table object. These table level, rights are derived from the NIS_DEFAULTS environment variable, or are specified as part of the command that creates the table. You can also use the nistbladm -c option to specify initial column access rights when creating a table with nistbladm. To use this option you must have create rights to the directory in which you will be creating the table. To set column rights when creating a table use:

nistbladm -c type `columname=[flags] [,access]... tablename'

Where:

• type is a character string identifying the kind of table. A table's type can be anything you want it to be.

• columnname is the name of the column.

• flags is the type of column. Valid flags are:

  • S for searchable

  • I for case insensitive

  • C for encrypted

  • B for binary data

  • X for XDR encoded data

• access is the access rights for this column that you specify using the syntax described in "Specifying Access Rights in Commands".

• ... indicates that you can specify multiple columns each of the own type and with their own set of rights.

• tablename is the fully qualified name of the table you are creating.

To assign a column its own set of rights at table creation time, append access rights to each column's equal sign after the column type and a comma. Separate the columns with a space:

column=type, rights column=type, rights column=type, rights

The example below creates a table named depts in the doc.com directory, of type div, with three columns (Name, Site, and Manager), and adds modify rights for the group to the second and third columns:

rootmaster% nistbladm -c div Name=S Site=S,g+m Manager=S,g+m depts.doc.com.

For more information about the nistbladm and the-c option, see Chapter 14, Administering NIS+ Tables.

Adding Rights to an Existing Table Column

The nistbladm -u option allows you to add additional column access rights to an existing table column with the nistbladm command. To use this option you must have modify rights to the table column. To add additional column rights use:

nistbladm -u [column=access,...],tablename

Where:

• column is the name of the column.

• access is the access rights for this column that you specify using the syntax described in "Specifying Access Rights in Commands".

• ... indicates that you can specify rights for multiple columns.

• tablename is the fully qualified name of the table you are creating.

Use one column=access pair for each column whose rights you want to update. To update multiple columns, separate them with commas and enclose the entire set with square brackets:

[column=access, column=access, column=access]

The full syntax of this option is described in "The nistbladm Command".

The example below adds read and modify rights to the group for the name and addr columns in the hosts.org_dir.doc.com. table.

client% nistbladm -u `[name=g+rm,addr=g+rm],hosts.org_dir..doc.com.'

Removing Rights to a Table Column

To remove access rights to a column in an NIS+ table, you use the -u option as described above in "Adding Rights to an Existing Table Column" except that you subtract rights with a minus sign (rather than adding them with a plus sign).

The example below removes group's read and modify rights to the hostname column in the hosts.org_dir.doc.com. table.

client% nistbladm -u 'name=g-rm,hosts.org_dir.doc.com.'