Access control point list
The Required commands section of each verb defines which bits of the ACP list, if any, control the functions of that verb. Each offset that a verb defines has a mnemonic command name. If an offset in an ACP list is B'1', the command is enabled. Otherwise, the command is disabled. Typically, when a command is enabled, the function associated with the command is permitted, provided that all other access conditions are also satisfied. However, in some cases, enabling a command disallows the function associated with the command. An offset that disallows a function has Disallow as part of its mnemonic command name.
Each ACP identifier (offset) is a two-byte integer (X'0000' - X'FFFF'). This allows addressability of 2^16 (64K) bits. Only a small fraction of these addressable bits are used, so storing the entire 64K bit (8K byte) table in each role would waste memory space. Instead, the table is stored as a sparse matrix, where only the necessary bits are included.
To accomplish this, each bit map is stored as a series of one or more bit-map segments, where each can hold a variable number of bits. Each segment must start with a bit that is the high-order bit in a byte, and each must end with a bit that is the low-order bit in a byte. This restriction results in segments that have no partial bytes at the beginning or end. Any bits that do not represent defined access control points must be set to zero, indicating that the corresponding function is not permitted.
The bit-map portion of each segment is preceded by a header, providing information about the segment. The header contains the following fields:
- Starting bit number: The index of the first bit contained in the segment. The index of the first access control point in the table is zero (X'0000').
- Ending bit number: The index of the last bit contained in the segment.
- Number of bytes in segment: The number of bytes of bit-map data contained in this segment.
The entire access control point structure consists of a header, followed by one or more access control point segments. The header indicates how many segments are contained in the entire structure.
Offset | Length (bytes) | Description |
---|---|---|
Header | | |
00 | 2 | Number of segments n in big endian format. |
02 | 2 | Reserved, binary zero. |
Bit-map segment 1 (refer to Table 2) | | |
Bit-map segment 2 (optional) | | |
... | | |
Bit-map segment n | | |

Offset | Length (bytes) | Description |
---|---|---|
00 | 2 | Start bit number of bit-map segment in big endian format. |
02 | 2 | End bit number of bit-map segment in big endian format. |
04 | 2 | Number of bit-map bytes in big endian format. |
06 | 2 | Reserved, binary zero. |
08 | variable | Bit-map data of segment. |
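
The two layouts above can be walked with a short parser. The following is an added example, not IBM code: the function names and the `SAMPLE` bytes are constructed for illustration, and it assumes the input holds only the ACP list (list header plus segments), already extracted from the role data. A set bit means the command is enabled, which for a Disallow offset blocks the function, so the helper reports the raw bit rather than "permitted".

```python
import struct

def parse_acp_list(blob: bytes):
    """Parse an ACP list (list header + bit-map segments) into
    [(start_bit, end_bit, bitmap_bytes), ...], validating each segment."""
    if len(blob) < 4:
        raise ValueError("truncated ACP list header")
    count, reserved = struct.unpack_from(">HH", blob, 0)
    if reserved:
        raise ValueError("reserved header field is not zero")
    segments, pos = [], 4
    for i in range(count):
        if len(blob) - pos < 8:
            raise ValueError(f"segment {i}: truncated header")
        start, end, nbytes, rsvd = struct.unpack_from(">HHHH", blob, pos)
        pos += 8
        # Segments hold whole bytes: start on a high-order bit, end on a low-order bit.
        if rsvd or start % 8 != 0 or end % 8 != 7 or end < start:
            raise ValueError(f"segment {i}: bad boundaries or reserved field")
        if nbytes != (end - start + 1) // 8:
            raise ValueError(f"segment {i}: byte count does not match bit range")
        if len(blob) - pos < nbytes:
            raise ValueError(f"segment {i}: truncated bit map")
        segments.append((start, end, blob[pos:pos + nbytes]))
        pos += nbytes
    if pos != len(blob):
        raise ValueError("trailing bytes after last segment")
    return segments

def acp_is_set(segments, offset: int) -> bool:
    """True if the bit for ACP `offset` is B'1'; offsets outside every segment read as 0."""
    for start, end, bitmap in segments:
        if start <= offset <= end:
            rel = offset - start
            return bool(bitmap[rel // 8] & (0x80 >> (rel % 8)))
    return False

def set_offsets(segments):
    """List every ACP offset whose bit is B'1' (useful for role review and diffing)."""
    return [o for s, e, _ in segments for o in range(s, e + 1) if acp_is_set(segments, o)]

# Constructed sample: 2 segments, bits 0x0008-0x0017 = 03 f0, bits 0x0100-0x0107 = fe.
SAMPLE = bytes.fromhex("00020000" "0008001700020000" "03f0" "0100010700010000" "fe")

if __name__ == "__main__":
    segs = parse_acp_list(SAMPLE)
    print([f"0x{o:04x}" for o in set_offsets(segs)])
```
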
For a specific role, you can display the ACP segments using panel.exe, for example:
```
panel.exe --show-role --role=DFLT0002
```
As output, you receive the specific bit list of enabled/disabled ACPs:
```
Showing returned ROLE DATA:
---------------------------
API CALL details:
CSUAACM [GET-ROLE ] card [DV73R354] ROLE [DFLT0002] size [215]
---------------------------
version: [0101]
comment: [System default role ]
authstr: [0000]
time range: [00:00] - [00:00]
DOW: [fe]
ACP Segments for role: 5
ACP Segment [0] has [31] Bytes for bits [0x0008 - 0x00ff]
[ 03 f0 ] << ACP bits [0x0008 - 0x0017]
[ ff 70 ] << ACP bits [0x0018 - 0x0027]
[ 00 20 ] << ACP bits [0x0028 - 0x0037]
[ 01 fe ] << ACP bits [0x0038 - 0x0047]
[ 00 19 ] << ACP bits [0x0048 - 0x0057]
[ 00 80 ] << ACP bits [0x0058 - 0x0067]
...
[ f8 fd ] << ACP bits [0x00e8 - 0x00f7]
[ ff ] << ACP bits [0x00f8 - 0x00ff]
ACP Segment [1] has [31] Bytes for bits [0x0100 - 0x01f7]
[ fe 7c ] << ACP bits [0x0100 - 0x010f]
[ 02 03 ] << ACP bits [0x0110 - 0x011f]
...
[ 00 00 ] << ACP bits [0x01e0 - 0x01ef]
[ 00 ] << ACP bits [0x01f0 - 0x01f7]
ACP Segment [2] has [32] Bytes for bits [0x0200 - 0x02ff]
[ 1c 00 ] << ACP bits [0x0200 - 0x020f]
[ 00 00 ] << ACP bits [0x0210 - 0x021f]
...
[ 00 00 ] << ACP bits [0x02e0 - 0x02ef]
[ 07 c0 ] << ACP bits [0x02f0 - 0x02ff]
ACP Segment [3] has [16] Bytes for bits [0x0300 - 0x037f]
[ d0 67 ] << ACP bits [0x0300 - 0x030f]
...
[ 00 00 ] << ACP bits [0x0370 - 0x037f]
ACP Segment [4] has [32] Bytes for bits [0x4000 - 0x40ff]
[ 00 00 ] << ACP bits [0x4000 - 0x400f]
...
[ 00 00 ] << ACP bits [0x40f0 - 0x40ff]
```