OSF DCE Application Development Guide--Core Components

If the requested permission is granted, the ACL manager then checks the permissions
granted to the delegates in the chain. This checking is similar to the standard access-
check algorithm, but it takes into account any additional delegate permissions granted to
the delegates. If the requested permission is not granted to all delegates, access is denied.
If the requested permission is granted to all delegates, access is granted.
26.2 Calls to Establish Delegation Chains
The following sec_login_*() API calls set up a delegation chain:
sec_login_become_initiator()
Enables delegation for a client. The principal that executes this call is known as the
delegation initiator.
sec_login_become_delegate( ), sec_login_become_impersonator( )
Cause an intermediate server to become a delegate in a delegation chain. The
principals that execute these calls are known as intermediaries in the delegation
chain.
The sec_login_become_delegate() call should be used if traced delegation has been
enabled. The sec_login_become_impersonator() call should be used if simple
delegation has been enabled. See Section 26.2.1 for more information about delegation
types.
The following subsections describe the information supplied to the calls that establish
delegation chains.
26.2.1 Types of Delegation
When a client application calls sec_login_become_initiator( ) to enable delegation, that
application specifies the type of delegation that should be enabled. The delegation type
can be any of the following:
Traced Delegation
Includes the identities of all members of the delegation chain in the credentials used
for authorization. To become an intermediary in a traced delegation chain, server
principals use the sec_login_become_delegate( ) call.
Note that ACLs on objects that are targets of traced delegation must grant the
requested permission (or delegate permission) to each member of the delegation
chain.
Impersonation
Includes only the identity of the initiator of the delegation chain used for
authorization. All intermediaries "impersonate" the delegation initiator. To become
an impersonator, principals use the sec_login_become_impersonator( ) call.
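The delegate access check described at the top of this page and the two delegation types above can be modeled as follows. This is an added example, not DCE source code or part of the original guide: the types, function names, and the single-entry-per-principal ACL are simplifying assumptions, as is the reading that the first check applies to the initiator's ordinary permissions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not DCE code: one ACL entry per principal (assumption). */
enum { PERM_R = 1, PERM_W = 2 };
typedef enum { TRACED, IMPERSONATION } deleg_type;   /* hypothetical names */

typedef struct {
    const char *principal;
    unsigned perms;          /* ordinary permissions */
    unsigned delegate_perms; /* additional, count only when acting as a delegate */
} acl_entry;

static const acl_entry *find(const acl_entry *acl, size_t n, const char *who) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(acl[i].principal, who) == 0) return &acl[i];
    return NULL;
}

/* chain[0] is the initiator; chain[1..len-1] are the intermediaries. */
int access_granted(const acl_entry *acl, size_t n, deleg_type type,
                   const char *const *chain, size_t len, unsigned want) {
    if (len == 0) return 0;
    const acl_entry *e = find(acl, n, chain[0]);
    if (!e || (e->perms & want) != want) return 0;   /* initiator checked first */
    if (type == IMPERSONATION) return 1;  /* credentials carry only the initiator */
    for (size_t i = 1; i < len; i++) {    /* traced: every delegate must pass */
        e = find(acl, n, chain[i]);
        if (!e || ((e->perms | e->delegate_perms) & want) != want) return 0;
    }
    return 1;
}

/* Constructed sample data. */
static const acl_entry sample_acl[] = {
    { "alice",     PERM_R | PERM_W, 0 },
    { "print_svc", 0,               PERM_R },
    { "file_svc",  0,               PERM_R | PERM_W },
};
static const char *const sample_chain[] = { "alice", "print_svc", "file_svc" };

int main(void) {
    printf("traced read:        %d\n", access_granted(sample_acl, 3, TRACED, sample_chain, 3, PERM_R));
    printf("traced write:       %d\n", access_granted(sample_acl, 3, TRACED, sample_chain, 3, PERM_W));
    printf("impersonated write: %d\n", access_granted(sample_acl, 3, IMPERSONATION, sample_chain, 3, PERM_W));
    return 0;
}
```

With traced delegation the write is denied because print_svc holds only the read delegate permission; under impersonation the same request is decided on the initiator's entry alone, so the target's ACL cannot restrict the intermediaries.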
264 Tandem Computers Incorporated 124245