Novell NETWARE 6-DOCUMENTATION Manual page 2020

The following example uses SSL as the authentication method for users and
groups:

authenticate (user, group) {
    method = ssl;
};

Any allow or deny statements must match the lists you specify in the
authenticate line. If the line says authenticate (user), the allow or deny line
must also specify users. The following example allows any user whose
username begins with the letters sales:

authenticate (user)
allow (all)
    user = sales*

If the last line was changed to group = sales, then the ACL would fail because
there are no groups in the user lists.

Authorization Statements

Each ACL entry can include one or more authorization statements, which
specify who is allowed or denied access to a server resource. Use the
following syntax when writing authorization statements:

allow|deny [absolute] (right[,right...]) attribute qualifier expression;

Start each line with either allow or deny. It's usually a good idea to deny access
to everyone in the first rule or command you enter and then specifically allow
access for users, groups, or computers in subsequent rules. This is because of
the hierarchy of rules.
For example, suppose you allow anyone access to a directory called MY_STUFF
and then create a subdirectory MY_STUFF/PERSONAL that is meant to allow
access to only a few users. The access control on the subdirectory won't work,
because anyone allowed access to the MY_STUFF directory will also be allowed
access to the MY_STUFF/PERSONAL directory. To prevent this, create a
rule for the subdirectory that first denies access to anyone and then allows it
for the few users who need access.
However, in some cases, if you set the default ACL to deny access to
everyone, then your other ACL rules don't need a Deny All rule.
The following line denies access to everyone:

deny (all)
    user = "anyone";
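
The two rules described on this page (allow or deny attributes must match the authenticate lists, and a deny-everyone statement should come first) can be checked mechanically before an ACL file is deployed. The following Python check is an added example, not part of the Novell manual or product; lint_acl, GOOD and BAD are hypothetical names, and the two sample entries are constructed from the examples on this page.

```python
import re

# Lists named in the authenticate line, e.g. "authenticate (user, group)".
AUTH_RE = re.compile(r'\bauthenticate\s*\(([^)]*)\)')
# allow|deny [absolute] (right[,right...]) attribute = expression
# Assumption: only the "=" qualifier shown on this page is parsed.
STMT_RE = re.compile(
    r'\b(allow|deny)\s+(?:absolute\s+)?\(([^)]*)\)\s*'
    r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')

def lint_acl(entry):
    """Return findings for one ACL entry, in the order they are detected."""
    findings = []
    auth = AUTH_RE.search(entry)
    lists = {n.strip() for n in auth.group(1).split(',')} if auth else set()
    stmts = STMT_RE.findall(entry)

    # Rule 1: a user/group attribute must appear in the authenticate lists.
    for action, rights, attr, expr in stmts:
        if auth and attr in ('user', 'group') and attr not in lists:
            findings.append(
                f'error: {action} ({rights}) {attr} = {expr} does not match '
                f'authenticate ({", ".join(sorted(lists))})')

    # Rule 2: the first authorization statement should deny everyone.
    # Only a warning: a deny-all default ACL makes it unnecessary.
    if stmts:
        action, rights, attr, expr = stmts[0]
        deny_all = (action == 'deny' and rights.strip() == 'all'
                    and attr == 'user' and expr.strip('"') == 'anyone')
        if not deny_all:
            findings.append('warning: first statement is not '
                            'deny (all) user = "anyone"')
    return findings

# Constructed sample entries, built from the examples on this page.
GOOD = '''authenticate (user) { method = ssl; };
deny (all) user = "anyone";
allow (all) user = sales*;
'''
BAD = '''authenticate (user)
allow (all)
group = sales
'''

if __name__ == '__main__':
    for name, entry in (('GOOD', GOOD), ('BAD', BAD)):
        print(name, lint_acl(entry) or 'no findings')
```

Attributes other than user and group are not checked against the authenticate lists.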
Understanding ACL Files