A final step in designing ACLs and identifiers
is to consider how and when different identifiers are going to be
used. Users often need to hold an identifier for different reasons,
such as updating databases or performing system operations. For this
reason, you may want to qualify the use of an identifier.
There are several ways to qualify identifiers.
One way is to use environmental identifiers, and another is to add
special attributes to identifiers, as described in “Customizing Identifiers”.
Environmental identifiers describe different types
of users based on their initial entry into the system. These identifiers---local,
dialup, remote, interactive, network, and batch---let you define a
large potential group of users according to their use of the system.
Typically, these types of identifiers are used in combination with
For example, the following ACE permits user Martin
to have read, write, execute, and delete access to the object only
when logged in from a local terminal:
You can use the environmental identifiers in ACLs
to deny access to an entire class of logins. For example, the following
ACE denies access to all dialup users:
In assigning these environmental identifiers to
users in a DECwindows environment, remember that DECwindows processes
can be virtually any type of process. For example, a user may choose
to run DECwindows Mail in a batch job. Even though the process is
communicating interactively with a user through a DECwindows workstation,
it is still classified as a batch job.