sec_acl_test_access_on_behalf - Determine whether a specified "third-party" subject (not necessarily the calling client) has permission to access a protected object.
#include <dce/daclif.h>
boolean32 sec_acl_test_access_on_behalf(
    sec_acl_handle_t prot_obj_handle,
    uuid_t *manager_type,
    sec_id_pac_t *subject_pac,
    sec_acl_permset_t access_rights,
    error_status_t *status);
Input
- prot_obj_handle
Handle to a protected object.
- manager_type
An ACL manager type UUID of the protected object.
- subject_pac
Privilege attribute certificate (PAC) of a "third-party" subject.
- access_rights
Set of access rights to the protected object.
Output
- status
Completion status. On successful completion, error_status_ok is returned. Otherwise, an error (!= error_status_ok) is returned.
The boolean32 return value of this routine is valid if and only if the returned status value is error_status_ok.
This routine returns non-0 ("true") if the specified third-party subject PAC (typically obtained by rpc_binding_inq_auth_client()) grants the specified access rights to the protected object by the specified ACL manager (the calling client must also be granted some degree of "read-ACL" access to determine this; this is dependent on application security policy). It returns 0 ("false") otherwise.
The sec_acl_test_access_on_behalf() routine determines whether or not the specified third-party subject is granted the specified access rights to the specified protected object by the specified ACL manager.
A client can combine this routine with sec_acl_test_access() and use the combined information to implement (a rather primitive form of) delegation (schematically characterised as: "third-party-subject (delegator) -> calling-client (delegatee) -> server").
It is anticipated that a future revision of DCE will support "true delegation", and for that reason rdacl_test_access_on_behalf() is considered obsolescent.
Implementations layer this routine over the rdacl RPC interface operation rdacl_test_access_on_behalf().
error_status_ok, sec_acl_unknown_manager_type.
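The following is an added example, not code from the DCE specification: it shows the primitive delegation check described above, testing the status before trusting the boolean32 return value and denying on any error. It assumes a policy in which both the delegatee and the delegator must hold the rights; the types, error code values, mock_obj_t and delegated_access_ok() are constructed stand-ins so that the block compiles without <dce/daclif.h>.

```c
/* Added example: stand-in types and mock routines replace <dce/daclif.h>
 * (assumption: no DCE runtime here); signatures follow the synopsis. */
typedef unsigned int boolean32, error_status_t, sec_acl_permset_t;
typedef struct { int id; } uuid_t, sec_id_pac_t;      /* constructed stand-ins */
typedef struct { int mgr; sec_acl_permset_t caller, by_subject[2]; } mock_obj_t;
typedef mock_obj_t *sec_acl_handle_t;                 /* hypothetical mock handle */
enum { error_status_ok = 0, sec_acl_unknown_manager_type = 1 }; /* placeholder codes */

/* Mock: tests the rights the ACL grants the calling client. */
boolean32 sec_acl_test_access(sec_acl_handle_t h, uuid_t *mgr,
                              sec_acl_permset_t want, error_status_t *st)
{
    if (mgr->id != h->mgr) { *st = sec_acl_unknown_manager_type; return 1; }
    *st = error_status_ok;
    return (h->caller & want) == want;
}

/* Mock: tests the rights granted to the subject named by the PAC (ids 0..1).
 * On error it returns 1 on purpose: the value means nothing unless status is ok. */
boolean32 sec_acl_test_access_on_behalf(sec_acl_handle_t h, uuid_t *mgr,
        sec_id_pac_t *pac, sec_acl_permset_t want, error_status_t *st)
{
    if (mgr->id != h->mgr) { *st = sec_acl_unknown_manager_type; return 1; }
    *st = error_status_ok;
    return (h->by_subject[pac->id] & want) == want;
}

/* Primitive delegation check (hypothetical helper): allow only if BOTH the
 * calling client (delegatee) and the third-party subject (delegator) hold
 * the requested rights. Any non-ok status is treated as a denial. */
int delegated_access_ok(sec_acl_handle_t h, uuid_t *mgr, sec_id_pac_t *delegator,
                        sec_acl_permset_t want, error_status_t *st)
{
    boolean32 ok = sec_acl_test_access(h, mgr, want, st);
    if (*st != error_status_ok || !ok) return 0;      /* status first, then value */
    ok = sec_acl_test_access_on_behalf(h, mgr, delegator, want, st);
    return *st == error_status_ok && ok;
}
```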
Functions: rpc_binding_inq_auth_client(), sec_acl_bind(), sec_acl_bind_to_addr(), sec_acl_get_manager_types(), sec_acl_get_manager_types_semantics(), sec_acl_get_access(), sec_acl_test_access().
Protocols: rdacl_test_access_on_behalf().