NIS+ tables allow you to specify access rights on the table in three ways:
You can specify access rights to the table as a whole.
You can specify access rights to each entry (row) by itself.
You can specify access rights to each table column individually.
A field is the intersection between a column and an entry (row). All data values are entered in fields.
These column- and entry-level access rights allow you to specify additional access to individual rows and columns that overrides table-level restrictions, but column- and entry-level rights cannot be more restrictive than the rights of the table as a whole:
Table. The table level is the base level. Access rights assigned at the table level apply to every piece of data in the table unless specifically modified by a column or entry exception. Thus, the table level rights should be the most restrictive.
Remember that authorization classes concatenate. A higher class gets the rights assigned to lower classes. See "Concatenation of Access Rights".
Column. Column-level rights allow you to grant additional access rights on a column-by-column basis. For example, suppose the table level granted no access rights whatsoever to the world and nobody classes. In such a case, no one in those two classes could read, modify, create, or destroy any data in the table. You could use column-level rights to override that table level restriction and permit members of the world class the right to view data in a particular column.
On the other hand, if the table level grants table-wide read rights to the owner and group classes, you cannot use column-level rights to prevent the group class from having read rights to that column.
Entry (row). Entry-level rights allow you to grant additional access rights on a row-by-row basis. For example, this allows you to permit individual users to change entries that apply to them, but not entries that apply to anyone else.
Keep in mind that an entry's group does not have to be the same as the table's group. Tables and entries can have different groups. This means that you can permit members of a particular group to work with one set of entries while preventing them from affecting entries belonging to other groups.
Column- or entry-level access rights can provide additional access in two ways: by extending the rights to additional principals or by providing additional rights to the same principals. Of course, both ways can be combined. Following are some examples.
Assume a table object granted read rights to the table's owner:
Table 10-1 Table, Column, Entry Example 1

| | Nobody | Owner | Group | World |
|---|---|---|---|---|
| Table Access Rights: | ---- | r--- | ---- | ---- |
This means that the table's owner could read the contents of the entire table but no one else could read anything. You could then specify that Entry-2 of the table grant read rights to the group class:
Table 10-2 Table, Column, Entry Example 2

| | Nobody | Owner | Group | World |
|---|---|---|---|---|
| Table Access Rights: | ---- | r--- | ---- | ---- |
| Entry-2 Access Rights: | ---- | ---- | r--- | ---- |
Although only the owner could read all the contents of the table, any member of the table's group could read the contents of that particular entry. Now, assume that a particular column granted read rights to the world class:
Table 10-3 Table, Column, Entry Example 3

| | Nobody | Owner | Group | World |
|---|---|---|---|---|
| Table Access Rights: | ---- | r--- | ---- | ---- |
| Entry-2 Access Rights: | ---- | ---- | r--- | ---- |
| Column-1 Access Rights: | ---- | ---- | ---- | r--- |
Members of the world class could now read that column for all entries in the table (light shading in Table 10-4). Members of the group class could read everything in Column-1 (because members of the group class are also members of the world class) and also all columns of Entry-2 (dark shading in Table 10-4). Neither the world nor the group classes could read any cells marked *NP* (for Not Permitted).
Table 10-4 Table, Column, Entry Example 4

| | Col 1 | Col 2 | Col 3 |
|---|---|---|---|
| Entry-1 | contents | *NP* | *NP* |
| Entry-2 | contents | contents | contents |
| Entry-3 | contents | *NP* | *NP* |
| Entry-4 | contents | *NP* | *NP* |
| Entry-5 | contents | *NP* | *NP* |
This section describes how the four different access rights (read, create, modify, and destroy) work at the four different access levels (directory, table, column, and entry).
The objects that these various rights and levels act on are summarized in Table 10-5:
Table 10-5 Access Rights and Levels and the Objects They Act Upon

| | Directory | Table | Column | Entry |
|---|---|---|---|---|
| Read | List directory contents | View table contents | View column contents | View entry (row) contents |
| Create | Create new directory or table objects | Add new entries (rows) | Enter new data values in a column | Enter new data values in an entry (row) |
| Modify | Move objects and change object names | Change data values anywhere in table | Change data values in a column | Change data values in an entry (row) |
| Destroy | Delete directory objects such as tables | Delete entries (rows) | Delete data values in a column | Delete data values in an entry (row) |
Directory. If you have read rights to a directory, you can list the contents of the directory.
Table. If you have read rights to a table, you can view all the data in that table.
Column. If you have read rights to a column, you can view all the data in that column.
Entry. If you have read rights to an entry, you can view all the data in that entry.
Directory. If you have create rights at the directory level, you can create new objects in the directory such as new tables.
Table. If you have create rights at the table level, you can create new entries. (You cannot add new columns to an existing table regardless of what rights you have.)
Column. If you have create rights to a column, you can enter new data values in the fields of that column. You cannot create new columns.
Entry. If you have create rights to an entry, you can enter new data values in the fields of that row. (Entry-level create rights do not permit you to create new rows.)
Directory. If you have modify rights at the directory level, you can move or rename directory objects.
Table. If you have modify rights at the table level, you can change any data values in the table. You can create (add) new rows, but you cannot create new columns. If an existing field is blank, you can enter new data in it.
Column. If you have modify rights to a column, you can change the data values in the fields of that column.
Entry. If you have modify rights to an entry, you can change the data values in the fields of that row.
Directory. If you have destroy rights at the directory level, you can destroy existing objects in the directory such as tables.
Table. If you have destroy rights at the table level, you can destroy existing entries (rows) in the table, but you cannot destroy columns.
Column. If you have destroy rights to a column, you can destroy existing data values in the fields of that column.
Entry. If you have destroy rights to an entry, you can destroy existing data values in the fields of that row.
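The combination rules above (column- and entry-level rights only add to the table-level rights, and authorization classes concatenate) and the per-level meaning of the four rights in Table 10-5 can be checked with a small model. The following Python is an added example, not code from the Sun NIS+ documentation or from NIS+ itself: the ACL dictionaries, the class ordering nobody < world < group < owner (taken from the text's concatenation rule) and the operation names used by `authorize` are the example's own assumptions, not a NIS+ API. It reproduces Table 10-4 from the rights in Tables 10-1 to 10-3 and shows that a column-level ACL cannot take away a right the table grants.

```python
# Added example, not code from the Sun NIS+ documentation: a model of how
# NIS+ table-, column- and entry-level rights combine for one field, and of
# what create/modify/destroy mean at each level (Table 10-5).

# Classes from lowest to highest. Assumption taken from the text's
# concatenation rule: a class also receives the rights granted to every
# class below it ("members of the group class are also members of world").
CLASSES = ("nobody", "world", "group", "owner")
RIGHT_NAMES = "rmcd"  # read, modify, create, destroy, in display order


def parse_rights(spec):
    """Turn a 4-character cell such as 'r---' or 'rmcd' into a set of rights."""
    if len(spec) != 4:
        raise ValueError("rights spec must be 4 characters, got %r" % (spec,))
    rights = set()
    for ch, name in zip(spec, RIGHT_NAMES):
        if ch == name:
            rights.add(name)
        elif ch != "-":
            raise ValueError("unexpected character %r in %r" % (ch, spec))
    return rights


def level_rights(acl, cls):
    """Rights of `cls` at one level, given {class: 'r---', ...} (unlisted
    classes get nothing), including the rights of every lower class."""
    rights = set()
    for lower in CLASSES[: CLASSES.index(cls) + 1]:
        rights |= parse_rights(acl.get(lower, "----"))
    return rights


def field_rights(cls, table_acl, column_acl=None, entry_acl=None):
    """Effective rights of `cls` on one field: the union of the three levels.
    A union only grows, which is why a column or entry ACL can never be more
    restrictive than the table ACL."""
    rights = level_rights(table_acl, cls)
    for acl in (column_acl, entry_acl):
        if acl is not None:
            rights |= level_rights(acl, cls)
    return rights


def readable_grid(cls, table_acl, column_acls, entry_acls):
    """The view Table 10-4 shows: 'contents' where `cls` holds read, else 'NP'."""
    grid = {}
    for entry, entry_acl in entry_acls.items():
        for column, column_acl in column_acls.items():
            rights = field_rights(cls, table_acl, column_acl, entry_acl)
            grid[(entry, column)] = "contents" if "r" in rights else "NP"
    return grid


def authorize(op, cls, table_acl, column_acl=None, entry_acl=None, field_blank=False):
    """Decide one operation (hypothetical operation names) from the level
    semantics in Table 10-5: rows are added only with table-level create or
    modify and removed only with table-level destroy; column/entry create
    and destroy act on field values only."""
    table = level_rights(table_acl, cls)
    lower = set()  # column- and entry-level rights combined
    for acl in (column_acl, entry_acl):
        if acl is not None:
            lower |= level_rights(acl, cls)
    if op == "read_field":
        return "r" in table or "r" in lower
    if op == "add_row":
        return "c" in table or "m" in table
    if op == "delete_row":
        return "d" in table
    if op == "set_field":
        if field_blank:  # entering a new value: column/entry create, or any-level modify
            return "c" in lower or "m" in table or "m" in lower
        return "m" in table or "m" in lower  # changing an existing value
    if op == "clear_field":
        return "d" in lower
    raise ValueError("unknown operation %r" % (op,))


# Constructed input reproducing Tables 10-1 to 10-3: the table grants read
# only to its owner, Entry-2 adds read for the group, Column-1 adds read
# for the world.
TABLE_ACL = {"owner": "r---"}
COLUMN_ACLS = {"Col 1": {"world": "r---"}, "Col 2": {}, "Col 3": {}}
ENTRY_ACLS = {"Entry-%d" % i: ({"group": "r---"} if i == 2 else {})
              for i in range(1, 6)}

if __name__ == "__main__":
    for cls in ("world", "group"):
        grid = readable_grid(cls, TABLE_ACL, COLUMN_ACLS, ENTRY_ACLS)
        print("%s class sees:" % cls)
        for entry in ENTRY_ACLS:
            cells = ["%-8s" % grid[(entry, col)] for col in COLUMN_ACLS]
            print("  %-8s %s" % (entry, " ".join(cells)))
```

Running the script prints the group-class view that matches Table 10-4 (Column 1 and all of Entry-2 readable, everything else NP) and the world-class view, where only Column 1 is readable. Because `field_rights` is a union, passing a column ACL of `----` for the owner changes nothing when the table already grants the owner read, which is the "cannot be more restrictive" rule stated in the text.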