
The Cell Namespace and the Security Namespace

The registry database maintains three security namespaces: the principal, group, and organization (PGO) namespaces. These namespaces are distinct from the cell namespace maintained by CDS. Security names take the following form:

/.../cell_name/pgo_name

CDS names take the following form:

/.../cell_name/pathname/object_name

Since the security namespace is rooted in the CDS namespace, security names have equivalent CDS names. Thus, for example, an entry for a principal in the registry database has the first of the following forms in the security namespace and the second in the CDS namespace:

/.../cell_name/principal_name

/.../cell_name/security_mount_point/principal/principal_name

Note: The security "mount point" (security_mount_point as shown in the preceding syntax) is determined when DCE is configured. Therefore, the name may differ at individual sites.

There is no ambiguity about the security namespace to which a name refers because security names are always used in contexts that identify the namespace in question. For example, logging into DCE requires a principal name to be supplied.

However, an ACL is an object that is referenced not directly, but by the name of the object it protects. Since protected objects are not always security objects (and therefore may be registered only in the CDS namespace), ACL management interfaces always take CDS names rather than security names as input, whether or not it is the ACL of a security object (such as a registry database entry) that is being read or modified.
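The translation an administrator performs before handing a name to an ACL management interface, written out as an added example (not part of the original DCE documentation or any DCE tool). The function names, the sample cell "example.cell", the mount point value "sec", and the "group" and "org" directory names are assumptions; only the "principal" form appears on this page.

```python
GLOBAL_ROOT = "/.../"

# Directory under the security mount point for each PGO namespace.
# "principal" is the form shown on this page; "group" and "org" are assumptions.
PGO_DIRS = {"principal": "principal", "group": "group", "organization": "org"}


def _split_cell(name, cell_name):
    """Return (prefix, rest) where prefix is /.../cell_name/.

    The cell name is supplied by the caller: PGO names may themselves contain
    slashes, so the string alone does not say where the cell name ends.
    """
    prefix = GLOBAL_ROOT + cell_name.strip("/") + "/"
    if not name.startswith(prefix) or len(name) == len(prefix):
        raise ValueError(f"{name!r} is not a name in cell {cell_name!r}")
    return prefix, name[len(prefix):]


def security_to_cds(sec_name, namespace, cell_name, mount_point):
    """Map /.../cell/pgo_name to /.../cell/mount_point/<dir>/pgo_name.

    The namespace must be given explicitly, because a security name is only
    unambiguous in a context that identifies its namespace.
    """
    prefix, pgo_name = _split_cell(sec_name, cell_name)
    return f"{prefix}{mount_point.strip('/')}/{PGO_DIRS[namespace]}/{pgo_name}"


def cds_to_security(cds_name, cell_name, mount_point):
    """Inverse mapping; returns (namespace, security_name).

    Raises ValueError when the CDS name is not under the security mount
    point, i.e. it names an object registered only in the CDS namespace.
    """
    prefix, rest = _split_cell(cds_name, cell_name)
    for namespace, directory in PGO_DIRS.items():
        sub = f"{mount_point.strip('/')}/{directory}/"
        if rest.startswith(sub) and len(rest) > len(sub):
            return namespace, prefix + rest[len(sub):]
    raise ValueError(f"{cds_name!r} is not under the security mount point")


if __name__ == "__main__":
    # Constructed sample values; the mount point is site-specific.
    name = "/.../example.cell/hosts/alpha/self"
    print(security_to_cds(name, "principal", "example.cell", "sec"))
```

Pass the site's actual mount point rather than a hard-coded value, since it is chosen when DCE is configured.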