OSF DCE Application Development Guide--Core Components

with this part:
dce_acl_resolve_by_name()
    Finds an ACL’s UUID, given an object’s name.
dce_acl_resolve_by_uuid()
    Finds an ACL’s UUID, given an object’s UUID.

31.3.2.2.1 Initialization Routines
An ACL manager must first define the types of the objects it manages. For example, a
simple directory service would have directories and entries, and each type of object
would have a different ACL manager. On a practical level, if a server has different types
of objects, then the most common difference between the ACL managers is the printed
representation of their permission bits. In other words, although the sec_acl_printstring_t
values differ, the algorithm for evaluating permissions remains the same.

The ACL library provides a global print string that specifies the read, write, and control
bits. Application developers are encouraged to use this print string whenever
appropriate.

An ACL manager calls the dce_acl_register_object_type() routine to register an object
type, once for each type of object that the server manages. The manager print string
does not define any permission bits; they are set by the library to be the union of all
permissions in the ACL print string.

The server must register the rdacl_*() interface with the RPC runtime and with the
endpoint mapper. See the dce_server_register(3dce) reference page.

31.3.2.2.2 Server Queries
The ACL library provides several routines to automate the most common use of DCE
ACLs:
dce_acl_is_client_authorized()
    Checks whether a client’s credentials are authenticated and, if so, that they grant the
    desired access.
dce_acl_inq_client_permset()
    Returns the client’s permissions, corresponding to an ACL.
dce_acl_inq_client_creds()
    Returns the client’s credentials.
dce_acl_inq_permset_for_creds()
    Determines a client’s complete extent of access to an object.
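
The C sketch below is an added example, not code from the DCE ACL library or from this guide. It models the registration rule from Initialization Routines (manager permissions are the union of the print-string bits) and the authenticated-then-granted check from Server Queries, with two object types sharing one evaluation routine. The names perm_name, acl_type, register_type, is_authorized and format_perms, the bit values, and the refusal of bits a type does not define are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for one print-string entry: a letter and the bit it names. */
typedef struct { char letter; uint32_t bit; } perm_name;

/* Two object types of a toy directory service (constructed sample data). */
static const perm_name dir_perms[]   = { {'r', 1u}, {'i', 2u}, {'d', 4u}, {'c', 8u} };
static const perm_name entry_perms[] = { {'r', 1u}, {'w', 2u}, {'c', 8u} };

/* Stand-in for a registered object type. */
typedef struct { const perm_name *names; size_t count; uint32_t all_perms; } acl_type;

/* Registration: the caller does not supply the manager's permission set;
   it is computed as the union of every bit in the type's print string. */
acl_type register_type(const perm_name *names, size_t count) {
    acl_type t = { names, count, 0 };
    for (size_t i = 0; i < count; i++) t.all_perms |= names[i].bit;
    return t;
}

/* Shared evaluation, identical for every object type. An unauthenticated
   client is refused; otherwise every desired bit must be granted and must
   be a bit this type defines (the last rule is this model's assumption). */
int is_authorized(const acl_type *t, int authenticated,
                  uint32_t granted, uint32_t desired) {
    if (!authenticated) return 0;
    if (desired & ~t->all_perms) return 0;
    return (granted & desired) == desired;
}

/* Only the printed form depends on the type, e.g. "r-d-" versus "rw-". */
void format_perms(const acl_type *t, uint32_t perms, char *out) {
    for (size_t i = 0; i < t->count; i++)
        out[i] = (perms & t->names[i].bit) ? t->names[i].letter : '-';
    out[t->count] = '\0';
}

int main(void) {
    acl_type dir = register_type(dir_perms, 4), ent = register_type(entry_perms, 3);
    char buf[8];
    format_perms(&dir, 5u, buf);
    printf("dir   %s  delete allowed: %d\n", buf, is_authorized(&dir, 1, 5u, 4u));
    format_perms(&ent, 3u, buf);
    printf("entry %s  delete allowed: %d\n", buf, is_authorized(&ent, 1, 3u, 4u));
    return 0;
}
```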
318 Tandem Computers Incorporated 124245