
Making the Authorization Decision

In this step, the server's ACL manager inspects the ACL of the resource (object) in question, determines whether the client's credentials authorize the requested access, and acts on the result: the operation proceeds if the access is authorized and is rejected otherwise.

The application may choose to implement more than one type of ACL (reflecting the different kinds of objects and resources to be protected), thus resulting in several ACL type managers.

Although it is up to the application to implement its own ACL storage, access-checking algorithm and manager types, there are certain DCE-wide design conventions that should be kept in mind and departed from only for good reason. Among these are the following:

· Standard DCE ACL entry types: the kinds of entry that can occur in an ACL (for example, user, group, and so on).

· Standard privileges: the kinds of access that a principal can have to a protected object (for example, read, write, and so on).

· Standard inheritance rules: these rules govern the default ACL given to a newly created object.

· Standard access algorithm: the order in which a client's credentials are matched against the various possible entry types, and therefore which entry decides the outcome when more than one could apply.

Information about these topics for application developers designing their own ACL model can be found in the OSF DCE Application Development Guide - Core Components, in which all the DCE authorization conventions are described in detail.
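The following is an added example, not code from the DCE documentation or from any DCE implementation, showing what a small ACL type manager looks like when it follows the conventions listed above: a fixed set of entry types, a fixed set of privilege letters, and a standard access algorithm that walks the entry types in a fixed order. The entry-type names (user_obj, user, group_obj, group, other_obj, mask_obj, unauthenticated), the privilege letters, the rule that group entries are unioned while a named user entry wins outright, and the POSIX-style mask semantics are all assumptions chosen to resemble DCE ACLs; consult the Core Components guide for the real rules. The sample ACL and principals are constructed for the example.

```python
"""Illustrative ACL manager following DCE-style conventions (added example).

Entry-type names, privilege letters and tie-break rules are assumptions
chosen to resemble DCE/POSIX ACLs; they are not DCE's own implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed privilege letters: r read, w write, x execute, c control (change ACL), d delete.
ALL_PERMS = frozenset("rwxcd")
# Entry classes that the mask_obj entry does NOT restrict (assumption, POSIX-like).
UNMASKED = {"user_obj", "other_obj"}


@dataclass(frozen=True)
class Entry:
    etype: str                 # user_obj, user, group_obj, group, other_obj, mask_obj, unauthenticated
    perms: frozenset           # subset of ALL_PERMS; an empty set is an explicit deny
    key: Optional[str] = None  # principal or group name for user/group entries


@dataclass(frozen=True)
class Credentials:
    principal: str
    groups: frozenset
    authenticated: bool = True


@dataclass(frozen=True)
class Acl:
    owner: str
    owning_group: str
    entries: tuple


def _entries(acl: Acl, etype: str) -> list:
    return [e for e in acl.entries if e.etype == etype]


def _single(acl: Acl, etype: str) -> Optional[Entry]:
    found = _entries(acl, etype)
    return found[0] if found else None


def effective_perms(acl: Acl, creds: Credentials) -> frozenset:
    """Standard access algorithm: walk the entry classes in a fixed order and stop
    at the first class that matches the client; only the group classes accumulate."""
    matched: Optional[frozenset] = None
    matched_type = None

    owner_entry = _single(acl, "user_obj")
    if owner_entry is not None and creds.principal == acl.owner:
        matched, matched_type = owner_entry.perms, "user_obj"
    if matched is None:
        for e in _entries(acl, "user"):
            if e.key == creds.principal:
                # A named user entry decides outright, even when empty (explicit deny):
                # a later group entry cannot add privileges back.
                matched, matched_type = e.perms, "user"
                break
    if matched is None:
        union, hit = set(), False
        group_entry = _single(acl, "group_obj")
        if group_entry is not None and acl.owning_group in creds.groups:
            union |= group_entry.perms
            hit = True
        for e in _entries(acl, "group"):
            if e.key in creds.groups:
                union |= e.perms          # assumption: matching group entries are unioned
                hit = True
        if hit:
            matched, matched_type = frozenset(union), "group"
    if matched is None:
        other = _single(acl, "other_obj")
        if other is not None:
            matched, matched_type = other.perms, "other_obj"
    if matched is None:
        return frozenset()                # nothing matched: deny by default

    if matched_type not in UNMASKED:
        mask = _single(acl, "mask_obj")
        if mask is not None:
            matched &= mask.perms
    if not creds.authenticated:
        # Unauthenticated clients get at most what the unauthenticated entry allows;
        # with no such entry they get nothing at all.
        unauth = _single(acl, "unauthenticated")
        matched = matched & unauth.perms if unauth is not None else frozenset()
    return matched


def check_access(acl: Acl, creds: Credentials, wanted: str) -> bool:
    """The authorization decision: every requested privilege must be granted."""
    return frozenset(wanted) <= effective_perms(acl, creds)


# Constructed sample ACL for one object owned by alice, owning group eng.
SAMPLE_ACL = Acl(
    owner="alice",
    owning_group="eng",
    entries=(
        Entry("user_obj", frozenset("rwxcd")),
        Entry("user", frozenset(), key="bob"),      # explicit deny for bob
        Entry("group_obj", frozenset("rw")),
        Entry("group", frozenset("x"), key="ops"),
        Entry("mask_obj", frozenset("rw")),         # caps user/group entries at rw
        Entry("other_obj", frozenset("r")),
        Entry("unauthenticated", frozenset("r")),
    ),
)

if __name__ == "__main__":
    alice = Credentials("alice", frozenset({"eng"}))
    bob = Credentials("bob", frozenset({"eng"}))
    carol = Credentials("carol", frozenset({"eng", "ops"}))
    for who, want in ((alice, "c"), (bob, "r"), (carol, "rw"), (carol, "x")):
        print(who.principal, want, check_access(SAMPLE_ACL, who, want))
```

The point the ordering makes is that a decision is taken by the first entry class that matches, not by the most generous entry anywhere in the ACL: bob is a member of eng, whose group_obj entry grants rw, but his empty user entry is consulted first and denies him everything, while carol collects rwx from two group entries and is then cut back to rw by the mask. An ACL manager that scanned entries in a different order, or that unioned across entry classes, would silently change which principals get in.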