VMS Help  —  DCE  DCE_SECURITY, API Routines, rdacl_test_access_on_behalf
 NAME
   rdacl_test_access_on_behalf - Tests access to an object on behalf of
                                 another process

 SYNOPSIS

 #include <dce/rdaclif.h>

 boolean rdacl_test_access_on_behalf(
         handle_t h,
         sec_acl_component_name_t component_name,
         uuid_t *manager_type,
         sec_id_pac_t *subject,
         sec_acl_permset_t desired_permset,
         error_status_t *status);

 PARAMETERS

 Input

 h      A handle referring to the target object.

 component_name
        A character string containing the name of the target object.

 manager_type
        A pointer to the UUID identifying the type of the ACL manager in
        question. There may be more than one type of ACL manager
        protecting the object whose ACL is bound to the input handle.
        Use this parameter to distinguish them.  Use
        sec_acl_get_manager_types() to acquire a list of the manager
        types protecting a given object.

 subject
        A Privilege Attribute Certificate (PAC) for the subject process.
        The PAC contains the name and UUID of the principal and parent
        cell of the subject process, as well as a list of any groups to
        which it belongs.  The PAC also contains a flag (named
        authenticated).  When set, it indicates that the certificate was
        obtained from an authenticated source.  When not set, the
        certificate must not be trusted.  (The field is FALSE when it was
        obtained from the rpc_auth layer and the protect level was set to
        rpc_c_protect_level_none.  This indicates that no authentication
        protocol was actually used in the remote procedure call; the
        identity was simply transmitted from the caller to the callee.
        If an authentication protocol was used, then the flag is set to
        TRUE.) A server uses rpc_binding_inq_auth_client() to acquire a
        certificate for the client process.

 desired_permset
        A permission set in sec_acl_permset_t form containing the desired
        privileges.  This is a 32-bit set of permission flags supported
        by the manager type.

 Output

 status
        A pointer to the completion status.  On successful completion,
        the routine returns error_status_ok.  Otherwise, it returns an
        error.

 DESCRIPTION

 The rdacl_test_access_on_behalf() routine determines if the specified
 ACL contains entries granting privileges to the subject, a process
 besides the calling process, matching those in desired_permset.  This
 routine succeeds only if the access is available to both the caller
 process as well as the subject identified in the call. An application
 will generally only inquire after the minimum set of privileges needed
 to accomplish a specific task.

 NOTES

 This call is not intended to be used by application programs.  The
 sec_acl Application Programming Interface (API) provides all the
 functionality necessary to use the ACL facility. This reference page
 is provided for programmers who wish to write an ACL manager. In order
 to write an ACL manager, a programmer must implement the entire rdacl
 interface.

 This network interface is called on the client side via the sec_acl
 local interface. Developers are responsible for implementing the server
 side of this interface. Test server code is included as a sample
 implementation.

 FILES
   SYS$COMMON:[DCE$LIBRARY]RDACLIF.IDL
              The idl file from which dce/rdaclif.h was derived.

 ERRORS

 sec_acl_unknown_manager_type
              The manager type selected is not an available option.

 error_status_ok
              The call was successful.

 RELATED INFORMATION

 Functions: sec_intro
            rdacl_test_access
            rpc_binding_inq_auth_client
Close Help