An unprivileged user can control access to his or her files using the ACL and UIC mechanisms, but only the manager can create arbitrary groups of users. This is done with a mechanism called the rights identifier. The use of a rights list makes management easier. Suppose I put STUROSS and HICKEY into a group named DM_RIGHT. Then the ACL on this file becomes a single entry. The rights list is controlled by the manager with AUTHORIZE. Using groups based on the rights list is a three-step process:
1. The manager creates the identifier.
2. The manager associates the identifier with a number of users forming a group.
3. The user (or the manager) creates an ACL for the identifier.
The manager would use the following commands to accomplish this task:
$ RUN AUTHORIZE
UAF> ADD/IDENTIFIER DM_RIGHT
UAF> sho /id dm_right
  Name        Value        Attributes
  DM_RIGHT    %X8001001B
UAF> GRANT/IDENT DM_RIGHT HICKEY
UAF> GRANT/ID DM_RIGHT STUROSS
UAF> sho /right/user=stuross
  Identifier  Value        Attributes
  DM_RIGHT    %X8001001B
UAF> EXIT
Now DMILLER can issue the following commands:
$ SET SEC/ACL=(id=DM_RIGHT,access=read) login.com
CSLab::DMILLER? sho sec login.com
FACULTY:[DMILLER]LOGIN.COM;101 object of class FILE
  Owner: [DMILLER]
  Protection: (System: RWED, Owner: RWED, Group, World)
  Access Control List:
    (IDENTIFIER=DM_RIGHT,ACCESS=READ)
Notice that it is easy to confuse the identifier (i.e., the name of the rights identifier) with the assignment of this right to a user. UAF> SHOW /ID lists the identifier, while UAF> SHO /RIGHT lists the user information. As you can see in the example, identifiers may have attributes, such as hiding the identifier name from the user.
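To see what the single DM_RIGHT entry buys, the following added example (not part of the original page and not OpenVMS code) parses the SHOW SECURITY output above and evaluates a request against it. The function names, the `same_group` flag and the simplified check order (first matching ACE, then the protection fields, with privileges and the System field ignored) are assumptions of this sketch.

```python
import re

# Constructed sample: the SHOW SECURITY output from the page, one item per line.
SHOW_SECURITY = """\
FACULTY:[DMILLER]LOGIN.COM;101 object of class FILE
Owner: [DMILLER]
Protection: (System: RWED, Owner: RWED, Group, World)
Access Control List:
(IDENTIFIER=DM_RIGHT,ACCESS=READ)
"""

LETTER = {"READ": "R", "WRITE": "W", "EXECUTE": "E", "DELETE": "D"}


def parse_security(text):
    """Return (owner, protection fields, identifier ACEs) from SHOW SECURITY text."""
    owner = re.search(r"Owner:\s*\[(\w+)\]", text).group(1).upper()
    prot = {}
    for field in re.search(r"Protection:\s*\((.*?)\)", text).group(1).split(","):
        name, _, bits = field.partition(":")
        prot[name.strip().upper()] = set(bits.strip().upper())
    aces = [(ident.upper(), {LETTER[a] for a in acc.upper().split("+") if a in LETTER})
            for ident, acc in re.findall(r"\(IDENTIFIER=(\w+),ACCESS=([\w+]+)\)", text, re.I)]
    return owner, prot, aces


def check_access(text, user, rights, want, same_group=False):
    """Simplified model of the check; privileges and the System field are ignored."""
    owner, prot, aces = parse_security(text)
    held = {r.upper() for r in rights} | {user.upper()}  # username counts as an identifier
    # Only the first ACE whose identifier the user holds is considered.
    match = next(((i, g) for i, g in aces if i in held), None)
    if match and want in match[1]:
        return True, "granted by ACE for " + match[0]
    # A matching ACE that lacks the access blocks the Group and World fields;
    # the owner can still fall back on the Owner field.
    cats = ["OWNER"] if user.upper() == owner else []
    if match is None:
        cats += (["GROUP"] if same_group else []) + ["WORLD"]
    for cat in cats:
        if want in prot.get(cat, set()):
            return True, "granted by protection field " + cat
    return False, "denied"
```

Holders of DM_RIGHT get read access through the ACE alone, while a user without the identifier falls through to the empty World field and is refused.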