DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group

NAME

sec_acl_test_access_on_behalf - Determine whether a specified "third-party" subject (not necessarily the calling client) has permission to access a protected object.

SYNOPSIS

#include <dce/daclif.h>

boolean32 sec_acl_test_access_on_behalf(
    sec_acl_handle_t prot_obj_handle,
    uuid_t *manager_type,
    sec_id_pac_t *subject_pac,
    sec_acl_permset_t access_rights,
    error_status_t *status);

PARAMETERS

Input

prot_obj_handle

Handle to a protected object.

manager_type

An ACL manager type UUID of the protected object.

subject_pac

Privilege attribute certificate (PAC) of a "third-party" subject.

access_rights

Set of access rights to the protected object.

Output

status

Completion status. On successful completion, error_status_ok is returned. Otherwise, an error (!= error_status_ok) is returned.

RETURN VALUES

The boolean32 return value of this routine is valid if and only if the returned status value is error_status_ok.

This routine returns non-0 ("true") if the third-party subject identified by the specified PAC (typically obtained by rpc_binding_inq_auth_client()) is granted the specified access rights to the protected object by the specified ACL manager. To determine this, the calling client must also be granted some degree of "read-ACL" access; this is dependent on application security policy. It returns 0 ("false") otherwise.

DESCRIPTION

The sec_acl_test_access_on_behalf() routine determines whether or not the specified third-party subject is granted the specified access rights to the specified protected object by the specified ACL manager.

NOTES

A client can combine this routine with sec_acl_test_access() and use the combined information to implement (a rather primitive form of) delegation (schematically characterised as: "third-party-subject (delegator) -> calling-client (delegatee) -> server").

It is anticipated that a future revision of DCE will support "true delegation", and for that reason rdacl_test_access_on_behalf() is considered obsolescent.

Implementations layer this routine over the rdacl RPC interface operation rdacl_test_access_on_behalf().
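
Added example, not part of the specification: a fail-closed wrapper that combines the two checks as the NOTES describe and treats the boolean32 result as meaningful only when status is error_status_ok. The typedefs and the two stub routines are constructed stand-ins so that it builds without DCE headers; requiring both delegatee and delegator to hold the rights, and the helper names delegated_access_allowed() and run_case(), are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins so this builds without DCE headers. With a real
   DCE installation, drop them and the stubs; #include <dce/daclif.h>. */
typedef uint32_t boolean32, error_status_t, sec_acl_permset_t;
typedef struct { int id; } uuid_t, sec_id_pac_t;
typedef void *sec_acl_handle_t;
#define error_status_ok 0u

/* Stub ACL manager state (constructed): rights held by each party and the
   status the stubbed calls report. */
static sec_acl_permset_t stub_caller_rights, stub_subject_rights;
static error_status_t stub_status;

boolean32 sec_acl_test_access(sec_acl_handle_t h, uuid_t *mgr,
        sec_acl_permset_t want, error_status_t *st) {
    (void)h; (void)mgr; *st = stub_status;
    return (stub_caller_rights & want) == want;
}
boolean32 sec_acl_test_access_on_behalf(sec_acl_handle_t h, uuid_t *mgr,
        sec_id_pac_t *pac, sec_acl_permset_t want, error_status_t *st) {
    (void)h; (void)mgr; (void)pac; *st = stub_status;
    return (stub_subject_rights & want) == want;
}

/* Returns 1 only if both the calling client (delegatee) and the third-party
   subject (delegator) hold `want`. Any non-ok status means deny. */
int delegated_access_allowed(sec_acl_handle_t h, uuid_t *mgr,
        sec_id_pac_t *subject_pac, sec_acl_permset_t want,
        error_status_t *status) {
    boolean32 ok = sec_acl_test_access(h, mgr, want, status);
    if (*status != error_status_ok || !ok)
        return 0;
    ok = sec_acl_test_access_on_behalf(h, mgr, subject_pac, want, status);
    if (*status != error_status_ok)
        return 0;               /* return value is not valid on error */
    return ok != 0;
}

/* Drive the stubs with constructed rights/status; return the decision. */
int run_case(sec_acl_permset_t caller, sec_acl_permset_t subject,
             error_status_t simulated, sec_acl_permset_t want) {
    uuid_t mgr = {0}; sec_id_pac_t pac = {0}; error_status_t st;
    stub_caller_rights = caller; stub_subject_rights = subject;
    stub_status = simulated;
    return delegated_access_allowed(NULL, &mgr, &pac, want, &st);
}
```

In the last test case below the stubs still return "true" while reporting a non-ok status, which is exactly the situation the RETURN VALUES rule says not to trust.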

ERRORS

error_status_ok, sec_acl_unknown_manager_type.

SEE ALSO

Functions: rpc_binding_inq_auth_client(), sec_acl_bind(), sec_acl_bind_to_addr(), sec_acl_get_manager_types(), sec_acl_get_manager_types_semantics(), sec_acl_get_access(), sec_acl_test_access().

Protocols: rdacl_test_access_on_behalf().

Please note that the html version of this specification may contain formatting aberrations. The definitive version is available as an electronic publication on CD-ROM from The Open Group.
