The format of the file is:
@smallexample
Kerberos_principal permissions [target_principal] [restrictions]
@end smallexample
The Kerberos principal (and optional target principal) can include the
``@b{*}'' wildcard, so if you want any principal with the instance
``admin'' to have full permissions on the database, you could use the
principal ``@code{*/admin@@REALM}'' where ``REALM'' is your Kerberos
realm. @code{target_principal} can also include backreferences to
@code{Kerberos_principal}, in which "@b{*@i{number}}" matches the
component @i{number} in the @code{Kerberos_principal}.
Note: a common use of an @i{admin} instance is so you can grant
separate permissions (such as administrator access to the Kerberos
database) to a separate Kerberos principal. For example, the user
@code{@value{ADMINUSER}} might have a principal for his administrative
use, called @code{@value{ADMINUSER}/admin}. This way,
@code{@value{ADMINUSER}} would obtain @code{@value{ADMINUSER}/admin}
tickets only when he actually needs to use those permissions.
The permissions are represented by single letters; UPPER-CASE letters
represent negative permissions. The permissions are:
@table @b
@itemx a
allows the addition of principals or policies in the database.
@itemx A
disallows the addition of principals or policies in the database.
@itemx d
allows the deletion of principals or policies in the database.
@itemx D
disallows the deletion of principals or policies in the database.
@itemx m
allows the modification of principals or policies in the database.
@itemx M
disallows the modification of principals or policies in the database.
@itemx c
allows the changing of passwords for principals in the database.
@itemx C
disallows the changing of passwords for principals in the database.
@itemx i
allows inquiries to the database.
@itemx I
disallows inquiries to the database.
@itemx l
allows the listing of principals or policies in the database.
@itemx L
disallows the listing of principals or policies in the database.
@itemx s
allows the explicit setting of the key for a principal
@itemx S
disallows the explicit setting of the key for a principal
@itemx *
All privileges (admcil).
@itemx x
All privileges (admcil); identical to ``*''.
@end table
The restrictions are a string of flags. Allowed restrictions are:
@table @b
@itemx [+ -]@i{flagname}
flag is forced to indicated value. The permissible flags are the same
as the @code{+} and @code{-} flags for the @code{kadmin addprinc} and
@code{modprinc} commands.
@itemx -clearpolicy
policy is forced to clear
@itemx -policy @i{pol}
policy is forced to be @i{pol}
@itemx expire @i{time}
@itemx pwexpire @i{time}
@itemx maxlife @i{time}
@itemx maxrenewlife @i{time}
associated value will be forced to MIN(@i{time}, requested value)
@end table
The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.
Here is an example of a @code{kadm5.acl} file. Note that order is
important; permissions are determined by the first matching entry.
@smallexample
@group
*/admin@@@value{PRIMARYREALM} *
@value{ADMINUSER}@@@value{PRIMARYREALM} ADMCIL
@value{ADMINUSER}/*@@@value{PRIMARYREALM} il */root@@@value{PRIMARYREALM}
*@@@value{PRIMARYREALM} cil *1/admin@@@value{PRIMARYREALM}
*/*@@@value{PRIMARYREALM} i
*/admin@@@value{SECONDREALM} * -maxlife 9h -postdateable
@end group
@end smallexample
@noindent In the above file, any principal in the
@value{PRIMARYREALM} realm with an @code{admin} instance has all
administrative privileges. The user @code{@value{ADMINUSER}}
has all permissions with his @code{admin} instance,
@code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}} (matches the first
line). He has no permissions at all with his @code{null} instance,
@code{@value{ADMINUSER}@@@value{PRIMARYREALM}} (matches the second line).
His root instance has @i{inquire} and @i{list} permissions with any
other principal that has the instance @code{root}. Any principal
in @value{PRIMARYREALM} can inquire, list, or change the password of
their @code{admin} instance, but not any other @code{admin} instance.
Any principal in the realm @code{@value{PRIMARYREALM}} (except for
@code{@value{ADMINUSER}@@@value{PRIMARYREALM}}, as mentioned above) has
@i{inquire} privileges. Finally, any principal with an admin instance
in @value{SECONDREALM} has all permissions, but any principal that they
create or modify will not be able to get postdateable tickets or tickets
with a life of longer than 9 hours.