Overview - The Extended Privilege Attribute API

In a simple client/server distributed environment, most operations involve two principals: the initiator of the operation and the target of the operation. The target of the operation makes authorization decisions based on the identity of the initiator. However, in distributed object-oriented environments, there is frequently a need for server principals to perform operations on behalf of a client principal. In these cases, it may not be enough for authorization decisions to be based simply on the identity of the initiator since the initiator of the operation may not be the principal that requests the operation.

To handle these cases, the EPA API provides routines that allow principals to operate on objects on behalf of (as delegates of) an initiating principal. The collection of the delegation initiator and the intermediaries is referred to as a delegation chain.

Using the EPA API and related sec_login_*( ) calls, an application may be written that allows client Principal A to invoke an operation on server Principal C via server Principal B. The DCE Security Service will know the true initiator of the operation (Principal A) and can distinguish the delegated operation from the same operation invoked directly by Principal A.

The EPA interface consists of the security credential calls (sec_cred_*( )) that extract privilege attributes and authorization data from an opaque binding handle to authenticated credentials. In addition, the following sec_login_*( ) calls of the login API are used to establish delegation chains and to perform other delegation related functions.

· sec_login_become_initiator( )

· sec_login_become_delegate( )

· sec_login_become_impersonator( )

· sec_login_cred_get_delegate( )

· sec_login_cred_get_initiator( )

· sec_login_cred_initialize_cursor( )

· sec_login_disable_delegation( )

· sec_login_set_extended_attrs( )