OSF DCE Application Development Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series

591

592

593

594

595

596

597

598

599

600

OSF DCE Application Development Guide—Core Components

attributes for which no schema entry exists

2. If the privilege server ﬁnds a matching attribute type in the local attribute schema,

it retrieves the attribute. The action it now takes depends on the setting of the

attribute type’s intercell action ﬁeld and unique ﬂag as follows:

• If the intercell action ﬁeld is set to sec_attr_intercell_act_accept and

— The unique ﬂag is not set on, the privilege server includes the foreign

attribute instance in the principal’s EPAC.

— The unique ﬂag is set on, the privilege server includes the foreign attribute

instance in the principal’s EPAC only if the attribute instance value is

unique among all instances of the attribute type within the local cell.

Note: If the unique attribute type ﬂag is set on and a query trigger

exists for a given attribute type, the intercell action ﬁeld cannot

be set to sec_attr_intercell_act_accept because, in this case,

only the query trigger server can reasonably perform a

uniqueness check.

• If the intercell action ﬁeld is set to sec_attr_intercell_act_reject, the

privilege server unconditionally discards the foreign attribute instance.

• If the intercell action ﬁeld is set to sec_attr_intercell_act_evaluate, the

privilege server makes a remote sec_attr_trig_intercell_avail() call to an

attribute trigger by using the binding information in the local attribute type

schema entry. The remote attribute trigger decides whether to retain, discard,

or map the attribute instance to another value(s). The privilege server includes

the values returned by the attribute trigger in the sec_attr_trig_query() call

output array in the principal’s EPAC.

28.1.3.5 Attribute Scope

The scope ﬁeld controls the objects to which the attribute can be be attached. If scope is

deﬁned, the attribute can be attached only to objects deﬁned by the scope. For example,

if the scope for a given attribute type is deﬁned as the directory name /principal/krbgt,

instances of that attribute type can be attached only to objects in the /principal/krbgt

directory (a directory that by convention contains only cell principals). If the scope is

narrowed by fully specifying an object in the /principal/krbgt directory (for example,

/principal/krbgt/dresden.com) then the attribute can be attached only to the

dresden.com principal.

28.1.3.6 Trigger Type Flag

The schema entry trigger type ﬂag speciﬁes whether the trigger server associated with

the attribute type is invoked for update or query operations. See Section 28.4 for more

information on attribute triggers.

28−8 Tandem Computers Incorporated 124245