TARGETS:
The main goal of the ACL subsystem is to provide a powerful, flexible and
extensible access control mechanism for the different objects in the DHCPd
configuration. These objects are shared networks, subnets, groups of hosts
and hosts.
The ACL subsystem also lets you control some other features, such as:
unique object names, applying a changed configuration, and viewing and
deleting DHCP leases.
CONCEPTS:
We can show the DHCPd configuration file as a tree structure. Each node of
this tree represents configuration of a different DHCP object (fig. 0).
The ACL subsystem supports two permission levels:
- global: read, write, create;
- per-object: read, write.
Global permissions exist for each type of object (hosts, groups, subnets,
shared networks) and control operations on the whole set of objects of a
given type:
- Global create
- Global read
- Global write
Per-object permissions give you finer-grained access control.
A per-object ACL exists for every individual object. Today
per-object ACLs are implemented only for hosts and subnets:
- Per-object read
- Per-object write
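The two permission levels above, modelled as an added example (not the ACL subsystem's own code): the class, method names and the rule for combining global and per-object permissions (a global permission covers every object of its type; a per-object grant covers that one object) are assumptions, since the text does not state how the two levels combine.

```python
from dataclasses import dataclass, field

# Object types from the DHCPd configuration tree described above.
OBJECT_TYPES = {"shared_network", "subnet", "group", "host"}
# Per-object ACLs are implemented only for hosts and subnets.
PER_OBJECT_TYPES = {"host", "subnet"}
GLOBAL_ACTIONS = {"create", "read", "write"}
PER_OBJECT_ACTIONS = {"read", "write"}


@dataclass
class Acl:
    """Hypothetical ACL holder for one user (names are assumptions)."""
    # object type -> set of global actions granted on the whole object set
    global_perms: dict = field(default_factory=dict)
    # (object type, object id) -> set of per-object actions granted
    object_perms: dict = field(default_factory=dict)

    def grant_global(self, obj_type, action):
        if obj_type not in OBJECT_TYPES or action not in GLOBAL_ACTIONS:
            raise ValueError(f"no global {action} permission for {obj_type}")
        self.global_perms.setdefault(obj_type, set()).add(action)

    def grant_object(self, obj_type, obj_id, action):
        # Reject per-object grants the subsystem does not implement.
        if obj_type not in PER_OBJECT_TYPES or action not in PER_OBJECT_ACTIONS:
            raise ValueError(f"no per-object {action} permission for {obj_type}")
        self.object_perms.setdefault((obj_type, obj_id), set()).add(action)

    def is_allowed(self, action, obj_type, obj_id=None):
        """Deny by default. Assumed combination rule: a global permission
        covers every object of its type; a per-object permission grants
        that action on that one object only."""
        if obj_type not in OBJECT_TYPES or action not in GLOBAL_ACTIONS:
            return False
        if action in self.global_perms.get(obj_type, set()):
            return True
        if obj_id is not None and obj_type in PER_OBJECT_TYPES:
            return action in self.object_perms.get((obj_type, obj_id), set())
        return False


def demo():
    """Constructed sample: an operator who may read all hosts but edit one."""
    acl = Acl()
    acl.grant_global("host", "read")
    acl.grant_object("host", "printer-1", "write")
    return (acl.is_allowed("read", "host", "other-host"), acl.is_allowed("write", "host", "printer-1"),
            acl.is_allowed("write", "host", "other-host"), acl.is_allowed("create", "host"))
```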
The ACL subsystem can operate in one of four security levels (or modes).