Appropriate privilege means that the user has sufficient capabilities to perform an operation even if the user is not explicitly granted the necessary access. The user's capabilities grant the correct access to the directory or file.
Appropriate privilege does not override file lockwords, privileged files, privileged file codes, or write-protected files.
System manager capability
Having SM capability provides appropriate privilege and
allows the system manager (or those having SM) to override
the file access matrix or ACD on any file or directory.
Users with SM capability can create files and directories
anywhere on the system. Users with SM capability can also
rename files anywhere on the system. To rename a file from
an MPE group in one account to an MPE group in another
account, you must have SM capability.
Account manager capability
If all objects in an account have the same GID, the
traditional MPE model remains in effect. A user having AM
capability for the account can access all of the files and
directories within the account.
It is possible for objects within an account to have
different GIDs if, for example, files are renamed or if the
GID is changed programmatically. In this case, having AM
capability will not be sufficient privilege to gain access
to those files. The GID of the user with AM has to match
the GID of the file or directory to allow access to it.
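The rules above can be modeled as a small decision function plus an audit for objects whose GID has drifted away from the account's GID. This is an added example, not code from MPE/iX or its documentation; the class names, function names, file names, and inventory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    gid: str
    caps: frozenset  # capabilities held, e.g. {"SM"} or {"AM"}

@dataclass(frozen=True)
class Obj:
    path: str
    gid: str
    lockword: bool = False
    privileged: bool = False       # privileged file or privileged file code
    write_protected: bool = False

def has_appropriate_privilege(user, obj):
    """True when the user's capabilities stand in for an explicit grant."""
    if "SM" in user.caps:          # SM overrides the access matrix or ACD anywhere
        return True
    # AM only counts when the user's GID matches the object's GID
    return "AM" in user.caps and user.gid == obj.gid

def remaining_barriers(obj):
    """Protections that appropriate privilege does not override."""
    flags = (("lockword", obj.lockword), ("privileged", obj.privileged),
             ("write-protected", obj.write_protected))
    return [name for name, on in flags if on]

def gid_drift(account_gid, objects):
    """Paths whose GID differs from the account's GID (outside AM's reach)."""
    return [o.path for o in objects if o.gid != account_gid]

# Constructed inventory for a hypothetical account whose GID is PAYROLL
INVENTORY = [
    Obj("LEDGER.PUB.PAYROLL", "PAYROLL"),
    Obj("RATES.PUB.PAYROLL", "PAYROLL", lockword=True),
    Obj("IMPORT.DATA.PAYROLL", "FINANCE"),   # GID changed after a rename
]
MANAGER = User("MGR", "PAYROLL", frozenset({"AM"}))
SYSMGR = User("MANAGER", "SYS", frozenset({"SM"}))

if __name__ == "__main__":
    for o in INVENTORY:
        print(o.path, has_appropriate_privilege(MANAGER, o), remaining_barriers(o))
    print("GID drift:", gid_drift("PAYROLL", INVENTORY))
```

Objects reported by `gid_drift` are the ones an account manager can no longer administer through AM capability alone, so they are worth reviewing after renames or programmatic GID changes.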