OSF DCE Application Development Guide--Core Components

sec_login_disable_delegation()
sec_login_set_extended_attrs()
26.1 Identities of Principals in Delegation
The identity of principals in a delegation chain is maintained in extended privilege
attribute certificates (EPACs), as are the identities for all DCE principals. Each EPAC
contains the name and group memberships of a principal in the delegation chain and any
extended attributes that apply to the principal. The delegation chain includes an EPAC
for each member of the delegation chain.
When delegation is in use, the target server receives the delegation chain, and thus
knows the privilege attributes of the delegation chain initiator and each intermediary
(delegate) in the chain. Authorization decisions can then be made based on the identities
of all principals involved in the operation.
26.1.1 ACL Entry Types for Delegation
When a server’s ACL manager is presented with credentials to use as the basis for an
authorization decision, the manager evaluates the privilege attributes of each principal
involved in the delegation chain. The ACL manager grants access for the requested
operation only if all principals in the delegation chain have the necessary permissions on
the object that is the eventual target of the operation.
For the initiator of the delegation chain, permission on the target object must be granted
directly using any of the following standard ACL entry types:
user_obj
user
foreign_user
group_obj
group
foreign_group
other_obj
foreign_other
any_other
extended
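
The all-principals rule described above, as an added example that is not from the guide and does not use the DCE API: a simplified C model in which each EPAC in a chain is checked against three of the standard entry types (user, group, any_other). The struct and function names, the evaluation order inside perms_for, and the sample ACL and chain are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not the DCE API: every name below is hypothetical. */
enum entry_type { E_USER, E_GROUP, E_ANY_OTHER };  /* subset of the standard types */
enum { P_READ = 1, P_WRITE = 2 };
struct acl_entry { enum entry_type type; const char *key; unsigned perms; };
struct epac { const char *name; const char *groups[4]; };  /* unused slots are NULL */

/* Assumed order: a matching user entry wins, else the union of matching groups, else any_other. */
static unsigned perms_for(const struct acl_entry *acl, size_t n, const struct epac *p)
{
    unsigned group_perms = 0, any_other = 0, in_group = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == E_USER && strcmp(acl[i].key, p->name) == 0)
            return acl[i].perms;
        if (acl[i].type == E_ANY_OTHER)
            any_other = acl[i].perms;
        for (size_t g = 0; acl[i].type == E_GROUP && g < 4 && p->groups[g]; g++)
            if (strcmp(acl[i].key, p->groups[g]) == 0) {
                in_group = 1;
                group_perms |= acl[i].perms;
            }
    }
    return in_group ? group_perms : any_other;
}

/* Returns 1 only if every EPAC holds all requested bits; *denied = first failing index or -1. */
static int chain_allowed(const struct acl_entry *acl, size_t n, const struct epac *chain,
                         size_t len, unsigned want, int *denied)
{
    *denied = -1;
    for (size_t i = 0; i < len; i++)
        if ((perms_for(acl, n, &chain[i]) & want) != want) {
            *denied = (int)i;
            return 0;
        }
    return len > 0;  /* an empty chain presents no identity: deny */
}

/* Constructed sample data; chain index 0 is the initiator. */
static const struct acl_entry ACL[] = { { E_GROUP, "printsvc", P_READ },
                                        { E_USER, "alice", P_READ | P_WRITE } };
static const struct epac CHAIN[] = { { "alice", { "staff" } }, { "spooler", { "printsvc" } } };
int main(void)
{
    int who, ok = chain_allowed(ACL, 2, CHAIN, 2, P_WRITE, &who);
    printf("write allowed=%d, first denied chain index=%d\n", ok, who);
    return 0;
}
```

In the sample, the initiator alone could write, but the same request arriving through the spooler intermediary is refused because that member of the chain holds only read permission.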
For intermediaries in a delegation chain, permissions to a target object can be granted
directly to the intermediary with the standard ACL entry types previously described, or
262 Tandem Computers Incorporated 124245