OSF DCE Application Development Guide--Core Components
Chapter 24. Authorization
This chapter explains concepts related to authorization. The authenticated RPC facility
enables you to select the authorization protocol that your application uses. Among the
authorization protocols supported by the DCE Security Service for use by authenticated
RPC are DCE authorization (the default) and name-based authorization.
This chapter first discusses DCE authorization, and more particularly, DCE access
control lists (ACLs). At the end of this chapter, we also briefly discuss the name-based
authorization protocol.
24.1 DCE Authorization
The DCE authorization protocol is based in part on the UNIX file-protection model, but
is extended with ACLs. An ACL is a list of access control entries that protects an object.
Each entry in the ACL specifies a set of permissions. Usually, most of the entries in the
ACL specify a privilege attribute (such as membership in a group) and the set of
permissions that may be granted to the principal(s) that possess that privilege attribute.
Some other entries specify a set of permissions that may mask the permission set in a
privilege attribute entry.
Every ACL is managed by an ACL manager type. An ACL manager type determines a
principal’s authorization to perform an operation on an object by reading the object’s
ACL to find the appropriate entry (or entries) that matches some privilege attribute
possessed by the principal. If the type of access requested by the principal is one of the
permissions listed in the matching entry, and assuming no applicable mask entry denies
that permission, then the ACL manager type allows the principal to perform the
requested operation. If the requested permission is not listed in the matching ACL entry,
or is denied by a mask, permission to perform the operation is denied. Permission to
perform the operation is also denied if the ACL contains no matching privilege attribute
entry.
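The decision procedure described above, as an added C sketch that is not from the guide and does not use the DCE ACL API; the entry kinds, permission bits, and ids are hypothetical. It assumes that a matching principal entry is used in preference to group entries, that matching group entries are combined, and that a single mask applies to every entry.

```c
#include <stdio.h>
#include <stddef.h>
/* Simplified model; names and bit values are illustrative, not the DCE API. */
enum { P_READ = 1, P_WRITE = 2, P_DELETE = 4 };
typedef enum { E_PRINCIPAL, E_GROUP, E_MASK } kind_t;
typedef struct { kind_t kind; unsigned id; unsigned perms; } acl_entry;
typedef struct { unsigned principal; const unsigned *groups; size_t ngroups; } caller;

static int in_group(const caller *c, unsigned gid) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return 1;
    return 0;
}

/* Returns 1 only if every bit in `want` is granted and survives the mask. */
int acl_check(const acl_entry *acl, size_t n, const caller *c, unsigned want) {
    unsigned user = 0, group = 0, mask = ~0u;
    int user_hit = 0, group_hit = 0;
    for (size_t i = 0; i < n; i++) {
        const acl_entry *e = &acl[i];
        if (e->kind == E_MASK) mask &= e->perms;
        else if (e->kind == E_PRINCIPAL && e->id == c->principal) { user_hit = 1; user |= e->perms; }
        else if (e->kind == E_GROUP && in_group(c, e->id)) { group_hit = 1; group |= e->perms; }
    }
    if (!user_hit && !group_hit) return 0;      /* no matching entry: deny */
    unsigned granted = (user_hit ? user : group) & mask;
    return (granted & want) == want;            /* unlisted or masked bit: deny */
}

/* Constructed sample ACL protecting one database entry. */
static const acl_entry sample_acl[] = {
    { E_PRINCIPAL, 100, P_READ | P_WRITE | P_DELETE },  /* principal 100 */
    { E_GROUP,     20,  P_READ | P_WRITE },             /* group 20 */
    { E_GROUP,     21,  P_READ },                       /* group 21 */
    { E_MASK,      0,   P_READ | P_WRITE },             /* mask removes delete */
};
static const unsigned g20[] = { 20 }, g21[] = { 21 }, g99[] = { 99 };
static const caller owner = { 100, g21, 1 }, writer = { 101, g20, 1 },
                    reader = { 102, g21, 1 }, stranger = { 103, g99, 1 };
int check(const caller *c, unsigned want) {
    return acl_check(sample_acl, sizeof sample_acl / sizeof *sample_acl, c, want);
}

int main(void) {
    printf("masked=%d unlisted=%d no_entry=%d allowed=%d\n",
           check(&owner, P_DELETE), check(&reader, P_WRITE),
           check(&stranger, P_READ), check(&writer, P_WRITE));
    return 0;
}
```

Each caller in the sample exercises one outcome from the paragraph: permission removed by the mask, permission not listed in the matching entry, no matching entry, and access allowed.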
Unlike UNIX file permissions, DCE ACLs are not limited to the protection of file system
objects such as files, directories, and devices. ACLs may also control access to
nonfile-system objects, such as the individual entries in a database.
124245 Tandem Computers Incorporated 24−1