
Getting the Object's ACL

This step is reached if the client requests access to any object, resource, or service that is managed by the server and has ACLs attached to it. As previously mentioned, the application must implement its own ACL manager if it wants to use ACLs to control access to its resources. For further details on how to go about creating an ACL manager, see Security.

To make it as easy as possible for applications to offer an ACL interface that is uniform with the one used by the DCE components themselves, the remote ACL interface has been built into the DCE library. Client applications perform operations on ACLs through another interface, also part of the DCE library, which calls through the remote interface to the appropriate manager. The remote interface, consisting of rdacl_*( ) calls, must be implemented by the server application; clients execute the local sec_acl_*( ) routines, which are linked to every DCE application as part of libdce.

For the client, all that is necessary is to possess a binding to the object whose ACL is to be operated on. As long as the application exposes the resources it manages as accessible objects (via the namespace), the DCE ACL interface lets a client bind to the object by calling sec_acl_bind( ). (In fact, this kind of object-oriented binding model can be very useful, and is discussed in further detail in Binding.) Note that the sec_acl_*( ) routines use an ACL handle to specify the object whose ACL is to be accessed, so sec_acl_bind( ) must always be called to obtain this handle, even if the client is already bound to the object's server.

There is a user interface into the ACL operations, embodied in the acl_edit command. For further information, see the OSF DCE Command Reference.

Server applications can use the DCE ACL library routines to implement ACL managers. The DCE ACL library is an implementation of the remote ACL (rdacl) interface, designed in such a way as to allow any DCE application to use it instead of having to implement the interface itself. In DCE 1.0, applications that wished to use the DCE ACL functionality had to implement the full remote interface themselves; in DCE 1.1 this is no longer necessary. For further information, see Security.