OSF DCE Application Development Guide--Core Components

The Access Control List APIs
31.3 Extended Naming of Protected Objects
The DCE ACL model supports extended naming so that ACL managers can separately
protect objects that are not registered in the cell namespace. This provides an alternative
to registering all the server’s objects with CDS. The server alone is registered, and it
contains code to identify its own objects by name. To achieve ACL protection for these
objects, the ACL manager must be able to identify the ACLs in the same way the server
identifies the objects. A resolution routine provides this ability.
Figure 31-2 shows the example of a printer server that is registered with CDS, with
printers that are not. The ACL manager for the printer server uses the
dce_acl_resolve_by_name() resolution routine to obtain the UUIDs of the several
printers that are supported. The administrator in charge of the printers can change the
printers, their names, and their ACLs without concern for registering them with CDS.
Figure 31-2. Protection with Extended Naming
[Figure: the printer server is registered with CDS as /.:/servers/printer. The names /3rd-floor/myopia, /letterhead, /4th-floor/janis, /pen-plotter, and /3rd-floor/milhaus exist only in the printer server.]
When the dce_acl_register_object_type() routine registers an object type, it associates
a resolution routine with the object type. The ACL library provides two resolution
routines: dce_acl_resolve_by_name() and dce_acl_resolve_by_uuid(). Other
resolution routines can be easily written, as required.
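The following added example (not code from this guide or from the DCE library) models in plain C the requirement that the ACL manager identify ACLs the same way the server identifies its objects: one canonicalizing resolver that both code paths would call, failing closed on unknown or ambiguous names. The names obj_id_t, canon_name and resolve_by_name are hypothetical, the printer names come from Figure 31-2, and the ACL ids are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not the DCE API: 16 bytes stand in for a UUID. */
typedef struct { unsigned char b[16]; } obj_id_t;

/* Names from Figure 31-2; the ACL ids are constructed sample values. */
static const struct { const char *name; obj_id_t acl; } printers[] = {
    { "3rd-floor/myopia",  {{0x01}} },
    { "letterhead",        {{0x02}} },
    { "4th-floor/janis",   {{0x03}} },
    { "pen-plotter",       {{0x04}} },
    { "3rd-floor/milhaus", {{0x05}} },
};

/* Canonicalize a name: drop leading, duplicate and trailing slashes;
 * reject "." and ".." components and over-long input. 0 on success. */
static int canon_name(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    while (*in) {
        while (*in == '/') in++;
        size_t len = strcspn(in, "/");
        if (len == 0) break;
        if ((len == 1 && in[0] == '.') || (len == 2 && !memcmp(in, "..", 2)))
            return -1;
        if (n + len + 2 > cap) return -1;   /* room for '/', text, NUL */
        if (n) out[n++] = '/';
        memcpy(out + n, in, len);
        n += len; in += len;
    }
    out[n] = '\0';
    return n ? 0 : -1;
}

/* Hypothetical resolver shared by object lookup and the ACL manager,
 * so one name maps to one object and one ACL. Unknown names fail closed. */
int resolve_by_name(const char *residual, obj_id_t *acl_out)
{
    char key[128];
    if (canon_name(residual, key, sizeof key) != 0) return -1;
    for (size_t i = 0; i < sizeof printers / sizeof printers[0]; i++)
        if (strcmp(key, printers[i].name) == 0) {
            *acl_out = printers[i].acl;
            return 0;
        }
    return -1;
}

int main(void) { obj_id_t id; return resolve_by_name("/pen-plotter", &id); }
```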
To take advantage of extended naming, an ACL manager must register the server name,
object UUID, and rdaclif.idl interface with the CDS. (Refer to the for more
information). In addition, the ACL manager must register the object UUID and
rdaclif.idl interface with the RPC endpoint mapper (refer to the chapters concerning
RPC in Part 3 of this guide).
124245 Tandem Computers Incorporated 315