Now let's put on our Evil Hacker from the Seventh Circle of Hell hats. If you write this to a file hcoop.net:
dom "hcoop.net" with end;
and run:
domtool hcoop.net
you should see an error message like:
hcoop.net:0.0-1.14:error: Function argument has wrong type. Expression: "hcoop.net" Actual type: string Needed type: your_domain
What this is saying is that you are only allowed to use dom with domains that you are allowed to configure. You tried to configure hcoop.net, which is not one of those domains, and so is treated like an arbitrary string (sequence of characters). The type checker has saved the day, and the Evil Hacker is prevented from mucking with hcoop.net configuration.
How exactly does DomTool determine which domains you're allowed to configure? It uses a general permissions system based on access control lists. You can list all of your permissions by running:
domtool-admin perms
You should see output like this:
Permissions for you: domain: you.com you.net you.org path: /afs/hcoop.net/user/y/yo/you user: you
where you stands for your username. The domain list gives the Internet domains to which you've been granted configuration rights. user lists the UNIX users as whom you may run programs, and path gives the filesystem paths that you're allowed to reference in your configurations. You have rights to all subdirectories of path entries, too.
You might like to perform some other queries on the permissions database, too. For instance, you might like to know which member owns someone.com. You could run:
domtool-admin whohas domain someone.com
and hopefully get back a reply like:
whohas domain / someone.com: someone
In general, running
domtool-admin whohas $CLASS $VALUE
will list every user who has $VALUE in the $CLASS row of his permissions table.