OSF DCE Application Development Guide--Core Components

The Extended Privilege Attribute API
permissions can be granted by delegate ACL entries. Delegate ACL entries grant
permissions to principals only if they are acting as delegates. The following delegate
ACL entry types are available:
user_obj_delegate
user_delegate
foreign_user_delegate
group_obj_delegate
group_delegate
foreign_group_delegate
other_obj_delegate
foreign_other_delegate
any_other_delegate
Note that, to perform an operation, every member of the delegation chain must hold the
required permissions. For example, assume a delegation chain consists of Principal A (the
initiator) and Principals B and C (the intermediaries). To perform the operation, the
delegation chain requires Mrw permissions on Server X. One way of granting these
permissions is to grant them directly to each member of the delegation chain, as shown in
the following:
user:Principal A:Mrw
user:Principal B:Mrw
user:Principal C:Mrw
Granting access directly also allows each intermediary in the chain to perform the
operation on its own initiative, a consequence that may or may not be desired. To
specify that Principals B and C may act only as intermediaries operating on behalf of an
authorized initiating principal, without granting them the ability to perform the operation
on their own, use delegate entries. In this case, Server X's ACL would contain the
following entries:
user:Principal A:Mrw
user_delegate:Principal B:Mrw
user_delegate:Principal C:Mrw
26.1.2 ACL Checking for Delegation
To determine permissions, the ACL manager first uses the standard access-check
algorithm (described in Chapter 24) to determine the permissions to grant to the
delegation initiator. If the requested permission is not granted, access is denied.
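The following Python program is an added illustration of the two ACLs above and of the check just described; it is not code from this guide or from the DCE sec_acl implementation. It models only the user, user_delegate, any_other and any_other_delegate entry types (group, foreign and *_obj entries, ACL masks and the full DCE entry-type precedence rules are omitted), assumes that a delegate may satisfy the check through either a standard entry or a delegate entry, and assumes that a user entry takes precedence over any_other. The principal names and ACLs are constructed to match the guide's example.

```python
"""Simplified model of how an ACL manager evaluates a DCE delegation chain.

Constructed example, not DCE's own sec_acl code.  Modelled entry types:
user, user_delegate, any_other, any_other_delegate.  Group, foreign and
*_obj entries, masks and full entry-type precedence are left out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    entry_type: str        # e.g. "user", "user_delegate", "any_other_delegate"
    key: str               # principal name, or "" for keyless entry types
    perms: frozenset       # permission letters, e.g. {"M", "r", "w"}


def parse_acl(text: str) -> list:
    """Parse lines of the form 'type:key:perms' or 'type:perms'."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3:
            etype, key, perms = fields
        elif len(fields) == 2:
            etype, perms = fields
            key = ""
        else:
            raise ValueError(f"malformed ACL entry: {line!r}")
        entries.append(AclEntry(etype, key, frozenset(perms)))
    return entries


def _lookup(acl, principal, user_type, any_type):
    """Permissions from the matching <user_type> entry; fall back to the
    <any_type> entry only when no user-specific entry matches (assumed
    precedence: a user entry wins over any_other)."""
    for e in acl:
        if e.entry_type == user_type and e.key == principal:
            return set(e.perms)
    for e in acl:
        if e.entry_type == any_type:
            return set(e.perms)
    return set()


def perms_for(acl, principal, as_delegate):
    """Permissions one chain member holds on the protected object.

    Standard entries apply to every member.  Delegate entries apply only to
    a member acting as a delegate, never to the initiator."""
    granted = _lookup(acl, principal, "user", "any_other")
    if as_delegate:
        granted |= _lookup(acl, principal, "user_delegate", "any_other_delegate")
    return granted


def chain_permissions(acl, chain):
    """Effective permissions of a whole delegation chain.

    chain[0] is the initiator and is checked with the standard algorithm;
    every later member is a delegate.  Because all members must hold the
    permission, the result is the intersection across the chain."""
    effective = perms_for(acl, chain[0], as_delegate=False)
    for delegate in chain[1:]:
        effective &= perms_for(acl, delegate, as_delegate=True)
    return effective


def check_access(acl, chain, requested):
    """True if the chain may perform an operation needing all of `requested`."""
    return set(requested) <= chain_permissions(acl, chain)


# The two ACLs from the text (constructed to match the guide's example).
DIRECT_ACL = parse_acl("""
user:Principal A:Mrw
user:Principal B:Mrw
user:Principal C:Mrw
""")

DELEGATE_ACL = parse_acl("""
user:Principal A:Mrw
user_delegate:Principal B:Mrw
user_delegate:Principal C:Mrw
""")

if __name__ == "__main__":
    chain = ["Principal A", "Principal B", "Principal C"]
    for name, acl in (("direct", DIRECT_ACL), ("delegate", DELEGATE_ACL)):
        print(name, "chain A->B->C:", check_access(acl, chain, "Mrw"))
        print(name, "B on its own: ", check_access(acl, ["Principal B"], "Mrw"))
```

Running it shows the difference the text describes: with DIRECT_ACL, Principal B passes the check both as a delegate and as an initiator acting alone; with DELEGATE_ACL, the chain A, B, C still passes, but B alone, or B initiating a chain through C, is denied because the user_delegate entries are ignored for the initiator.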
124245 Tandem Computers Incorporated 263