As in the cases of so many fancy systems, DomTool has its own notion of access control lists relevant to the resources it controls. The ACL data is serialized to $DOMTOOL/acl, though it is usually accessed via in-memory data structures in the different DomTool tools, after they read initial values from that file.
There's nothing novel or surprising about ACLs in DomTool. The ACL list is essentially a set of user/class/value triples. Users are DomTool principals as discussed in the last section. Classes include things like domain configuration rights, rights to run programs as particular UNIX users, rights to use particular filesystem paths, etc. Values are class-specific capabilities, like the name of a domain that the user may configure.
1. Standard ACL classes
user: As which UNIX users may this principal run programs?
group: With which UNIX groups may this principal run programs?
path: Which filesystem directories is this principal allowed to reference in his configuration? Subdirectories of these are also allowed.
domain: Which Internet domain names may this principal configure?
cert: Which SSL certificates may this principal use?
cacert: Which intermediate CA certificates may this principal use?
priv: What kinds of admin actions may this principal perform? Useful values include:
all: Let the principal do whatever he asks. This privilege is required for administration of the ACL database itself.
dns: The principal may configure DNS settings on servers whose DNS daemons are off-limits to normal members.
mail: The principal may configure mail settings on servers whose mail daemons are off-limits to normal members.
www: The principal may configure web settings on servers whose web daemons are off-limits to normal members.
regen: The principal may run domtool-admin regen to reload all domain configuration from scratch.
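The following is an added illustration, not DomTool's own code: an in-memory model of the user/class/value triples described above, applying the two rules the text gives special semantics, namely that a path grant covers its subdirectories and that priv "all" covers every admin action. The sample triples are constructed, the on-disk $DOMTOOL/acl format is not modelled, and exact matching for the domain class is an assumption.

```python
# Added example (not DomTool's own code): an in-memory model of the
# user/class/value ACL triples. The $DOMTOOL/acl file format is not modelled.
import posixpath

# Constructed sample ACL: (user, class, value) triples.
ACL = {
    ("alice", "user", "alice"),
    ("alice", "domain", "example.org"),
    ("alice", "path", "/home/alice/public_html"),
    ("alice", "priv", "dns"),
    ("root-admin", "priv", "all"),
}

def _path_covered(granted: str, requested: str) -> bool:
    """A path grant covers itself and its subdirectories, compared by path
    component (so /home/alice does not cover /home/alicex), after
    normalising away '.' and '..' segments in the requested path."""
    g = posixpath.normpath(granted)
    r = posixpath.normpath(requested)
    if not r.startswith("/"):
        return False  # relative paths are never covered
    return r == g or r.startswith(g.rstrip("/") + "/")

def allowed(acl, user: str, cls: str, value: str) -> bool:
    """Does `user` hold capability `value` in class `cls`?"""
    grants = {v for (u, c, v) in acl if u == user and c == cls}
    if cls == "path":
        return any(_path_covered(g, value) for g in grants)
    if cls == "priv" and "all" in grants:
        return True  # "all" subsumes dns, mail, www, regen, ...
    # Other classes (user, group, domain, cert, cacert): exact match.
    # Exact matching for domains is an assumption of this example.
    return value in grants

def can_edit_acl(acl, user: str) -> bool:
    """Only holders of priv 'all' may administer the ACL database itself."""
    return allowed(acl, user, "priv", "all")
```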