File Permission Masks

Once a user has access to a given file, which might need both user and file passwords to reach, there is one additional level of access control available. This is the “file permission mask,” a set of controls over who can do what with a given file. The “what” and the “who” of file permission masks follow.

Operations controlled

User permissions with respect to the following file operations can be controlled with the file permission mask for a given file (i.e., “YES, TYPE X USERS have permission to do this operation” or “NO, TYPE X USERS do not have permission to do this operation”):

  • READ the file
  • WRITE to the file (i.e., add, update, or delete individual items in the file)
  • CHANGE THE DEFINITION(s) of the file, including such characteristics as alternative collating sequences or record schemas (see the c-treeACE Programmer’s Reference Guide for details)
  • DELETE the entire file
  • Any combination of the above

If a file has no permission mask, any user who can access the file can perform all the above operations.

User Controls

Each of these permissions for a given file can be specified for any or all of the following classes of users:

  • WORLD access: Allow the specified file operations to any user who can access the file (so users who lack a required User ID and/or file password do not have these file-operation permissions).
  • OWNER access: Allow the specified file operations to the current owner of the file. The owner is either the User ID in effect when the file was created or a different User ID who was later assigned as the owner.
  • GROUP access: Allow the specified file operations to any User ID currently a member of the same Group as the current File Group.

In summary, a file permission mask permits different degrees of access to a file for the file’s owner, users belonging to the file’s group, and all other users, including guests.
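The following C model shows how the three classes combine into one access decision. It is an added example, not c-treeACE code: the bit values, `struct file_sec` and both functions are hypothetical, and it assumes the classes are additive because WORLD applies to any user who can access the file. `world_exposure` is an audit check for operations beyond READ that are open to every user, which is all of them when a file has no mask.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bit layout for this model; not c-treeACE's real constants. */
enum { OP_READ = 1, OP_WRITE = 2, OP_DEF = 4, OP_DELETE = 8, OP_ALL = 15 };

struct file_sec {             /* hypothetical per-file security record */
    const char *owner;        /* current owner User ID */
    const char *group;        /* current File Group */
    int has_mask;             /* 0 = no permission mask set */
    unsigned world, own, grp; /* operation bits granted to each class */
};

/* Operations the mask allows a user who has already reached the file. */
unsigned effective_ops(const struct file_sec *f, const char *user,
                       const char *const *groups, size_t ngroups)
{
    unsigned ops;
    size_t i;
    if (!f->has_mask)
        return OP_ALL;        /* no mask: every operation is allowed */
    ops = f->world;           /* WORLD applies to any user (assumed additive) */
    if (strcmp(user, f->owner) == 0)
        ops |= f->own;
    for (i = 0; i < ngroups; i++)
        if (strcmp(groups[i], f->group) == 0) {
            ops |= f->grp;
            break;
        }
    return ops;
}

/* Audit helper: operations beyond READ that every user can perform. */
unsigned world_exposure(const struct file_sec *f)
{
    return (f->has_mask ? f->world : OP_ALL) & ~(unsigned)OP_READ;
}

int main(void)
{
    /* Constructed sample: owner full control, group read/write, world read. */
    struct file_sec f = { "alice", "payroll", 1, OP_READ, OP_ALL, OP_READ | OP_WRITE };
    const char *bob_groups[] = { "payroll" };
    printf("alice=%#x bob=%#x guest=%#x\n", effective_ops(&f, "alice", NULL, 0),
           effective_ops(&f, "bob", bob_groups, 1), effective_ops(&f, "guest", NULL, 0));
    f.has_mask = 0;           /* same file with its mask removed */
    printf("no mask: guest=%#x exposure=%#x\n",
           effective_ops(&f, "guest", NULL, 0), world_exposure(&f));
    return 0;
}
```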

Using the concepts discussed above, the Administrator can establish a sophisticated and flexible security system with the c-treeACE Server. The mechanism for actually entering information for use by the c-treeACE Server is a separate program utility, called the Administrator’s Utility, ctadmn.