Authorization (AZN) API
Copyright © 2000 The Open Group

Frontmatter

Open Group Technical Standard
Authorization (AZN) API
Document Number: C908
ISBN: 1-85912-266-3

©January 2000, The Open Group All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owners.

Any comments relating to the material contained in this document may be submitted to The Open Group at:

The Open Group
Apex Plaza
Forbury Road
Reading
Berkshire, RG1 1AX
United Kingdom

or by electronic mail to:

OGSpecs@opengroup.org

Preface

The Open Group

The Open Group is a vendor and technology-neutral consortium which ensures that multi-vendor information technology matches the demands and needs of customers. It develops and deploys frameworks, policies, best practices, standards, and conformance programs to pursue its vision: the concept of making all technology as open and accessible as using a telephone.

The mission of The Open Group is to deliver assurance of conformance to open systems standards through the testing and certification of suppliers' products.

The Open group is committed to delivering greater business efficiency and lowering the cost and risks associated with integrating new technology across the enterprise by bringing together buyers and suppliers of information systems.

Membership of The Open Group is distributed across the world, and it includes some of the world's largest IT buyers and vendors representing both government and commercial enterprises.

More information is available on The Open Group Web Site at http://www.opengroup.org.

Open Group Publications

The Open Group publishes a wide range of technical documentation, the main part of which is focused on development of Technical and Product Standards and Guides, but which also includes white papers, technical studies, branding and testing documentation, and business titles. Full details and a catalog are available on The Open Group Web Site at http://www.opengroup.org/pubs.

Product Standards
A Product Standard is the name used by The Open Group for the documentation that records the precise conformance requirements (and other information) that a supplier's product must satisfy. Product Standards, published separately, refer to one or more Technical Standards.
The "X" Device is used by suppliers to demonstrate that their products conform to the relevant Product Standard. By use of the Open Brand they guarantee, through the Open Brand Trademark License Agreement (TMLA), to maintain their products in conformance with the Product Standard so that the product works, will continue to work, and that any problems will be fixed by the supplier. The Open Group runs similar conformance schemes involving different trademarks and license agreements for other bodies.
Technical Standards (formerly CAE Specifications)
Open Group Technical Standards, along with standards from the formal standards bodies and other consortia, form the basis for our Product Standards (see above). The Technical Standards are intended to be used widely within the industry for product development and procurement purposes.
Technical Standards are published as soon as they are developed, so enabling suppliers to proceed with development of conformant products without delay.
Anyone developing products that implement a Technical Standard can enjoy the benefits of a single, widely supported industry standard. Where appropriate, they can demonstrate product compliance through the Open Brand.
CAE Specifications
CAE Specifications and Developers' Specifications published prior to January 1998 have the same status as Technical Standards (see above).
Preliminary Specifications
Preliminary Specifications have usually addressed an emerging area of technology and consequently are not yet supported by multiple sources of stable conformant implementations. There is a strong preference to develop or adopt more stable specifications as Technical Standards.
Consortium and Technology Specifications
The Open Group has published specifications on behalf of industry consortia. For example, it published the NMF SPIRIT procurement specifications on behalf of the Network Management Forum (now TMF). It also published Technology Specifications relating to OSF/1, DCE, OSF/Motif, and CDE.

In addition, The Open Group publishes Product Documentation. This includes product documentation-programmer's guides, user manuals, and so on-relating to the DCE, Motif, and CDE. It also includes the Single UNIX Documentation, designed for use as common product documentation for the whole industry.

Versions and Issues of Specifications

As with all live documents, Technical Standards and Specifications require revision to align with new developments and associated international standards. To distinguish between revised specifications which are fully backwards compatible and those which are not:

A new Version indicates there is no change to the definitive information contained in the previous publication of that title, but additions/extensions are included. As such, it replaces the previous publication.
A new Issue indicates there is substantive change to the definitive information contained in the previous publication of that title, and there may also be additions/extensions. As such, both previous and new documents are maintained as current publications.

Corrigenda

Readers should note that Corrigenda may apply to any publication. Corrigenda information is published on The Open Group Web Site at http://www.opengroup.org/corrigenda.

Ordering Information

Full catalog and ordering information on all Open Group publications is available on The Open Group Web Site at http://www.opengroup.org/pubs.

This Document

This document is a Technical Standard.

A generally accepted definition of Authorization is "the granting of access rights to a subject - for example, a user, or a program." Within this definition, we need to distinguish between the administrative act of asserting that a subject should be granted access rights (which we define as a "set of privilege attributes"), and the operational (control) act of allowing a subject to access a resource after determining that they hold the required set of privilege attributes.

This Technical Standard defines a generic application programming interface (API) for access control, in systems whose access control facilities conform to the architectural framework described in International Standard ISO 10181-3 (Access Control Framework).

The API defined in this document does not provide for privilege attribute administration, although it does provide facilities which allow a subject to control which of its privilege attributes are used to authorize a particular access request (such facilities are often called "least privilege").

Typographical Conventions

The following typographical conventions are used throughout this document:

Bold font is used in text for options to commands, filenames, keywords, type names, data structures, and their members.
Italic strings are used for emphasis or to identify the first instance of a word requiring definition. Italics in text also denote:
- Command operands, command option-arguments, or variable names; for example, substitutable argument prototypes
- Environment variables, which are also shown in capitals
- Utility names
- External variables, such as errno
- Functions; these are shown as follows: name(); names without parentheses are C external variables, C function family names, utility names, command operands, or command option-arguments.
Normal font is used for the names of constants and literals.
The notation <file.h> indicates a header.
The notation [EABCD] is used to identify an error value EABCD.

Trademarks

Motif®, OSF/1®, UNIX®, and the "X Device" are registered trademarks and IT DialTone^TM; and The Open Group^TM; are trademarks of The Open Group in the U.S. and other countries.

Acknowledgements

The Open Group gratefully acknowledges the the work of DASCOM Inc. in developing this specification. In particular, the main authors from DASCOM Inc. are:

Bob Blakley
Warwick Burrows
Greg Clark
Adam Murdoch
Frank Siebenlist

Members of The Open Group Security Program Group have contributed to this specification by reviewing drafts. In particular, thanks are due to the representatives from the following companies:

Hewlett-Packard Company
IBM Corporation
Sun Microsystems, Inc.
Entrust Technologies
Baltimore Technologies

Referenced Documents

The following documents are referenced in this Technical Standard:

ACF: Access Control Framework for Distributed Applications, draft-ietf-cat-acc-frmw-01.txt, 11/17/1998.
AZN_Rqts: Authorization Service API Requirements, Draft 0.3, The Open Group Security Program Group, 10/16/1998.
COS: CORBA Services: Common Object Services Specification, Chapter 15: Security Service Specification, OMG.
DCE_DSS: CAE Specification, August 1997, DCE 1.1: Authentication and Security Services (C311), published by The Open Group.
GAA: Generic Authorization and Access control Application Program Interface, C bindings, draft-ietf-cat-gaa-cbind-01.txt, 11/1998.
ISO/IEC 7498-2: The ISO Security Architecture, ISO/IEC 7498.2.
ISO/IEC 10181-3: The Access Control Framework, ISO/IEC 10181-3.
RFC1508: Generic Security Service API, IETF-RFC 1508, J. Linn, 9/1993.
RFC1509: Generic Security Service API: C-bindings, IETF-RFC 1509, J. Wray, 9/1993.
UTF-8: UTF-8, a transformation format for Unicode and ISO 10646, ietf-rfc 2044, October 1996.
XDAS: Preliminary Specification, January 1997, Distributed Audit Service (XDAS) (ISBN: 1-85912-139-X, P441), published by The Open Group.
XGSS: Extended Generic Security Service APIs: XGSS-APIs, Access control and delegation extensions, draft-ietf-cat-xgssapi-acc-cntrl-03.txt, 11/09/1998.

Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy of this publication.

Contents

Next section

Index