ACL Entry Types for Delegation

For the initiator of the delegation chain, permission on the target object must be granted directly using any of the following standard ACL entry types:

· user_obj

· user

· foreign_user

· group_obj

· group

· foreign_group

· foreign_other

· other_obj

· foreign_other

· any_other

· extended

For intermediaries in a delegation chain, permissions to a target object can be granted directly to the intermediary with the standard ACL entry type previously described, or permissions can be granted by delegate ACL entries. Delegate ACL entries grant permissions to principals only if they are acting as delegates. The following delegate ACL entry types are available:

· user_obj_delegate

· user_delegate

· foreign_user_delegate

· group_obj_delegate

· group_delegate

· foreign_group_delegate

· foreign_other_delegate

· other_obj_delegate

· foreign_other_delegate

· any_other_delegate

Note that, to perform an operation, all delegates in the chain must have the appropriate permissions. For example, assume a delegation chain consists of Principal A (the initiator) and Principal's B and C (the intermediaries). To perform the operation, the delegation chain requires Mrw permissions on Server X. One way of granting these permission is to grant them directly to each member of the delegation chain, as shown in the following:

user:Principal A:Mrw

user:Principal B:Mrw

user:Principal C:Mrw

Providing access directly also allows each intermediary in the chain to perform the operation of their own initiative, a consequence that may or may not be desired. To specify that Principals B and C may only be intermediaries operating on behalf of an authorized initiating principal without granting them the ability to perform the operation on their own, use delegation entries. In this case, the Server X's ACL would contain the following entries:

user:Principal A:Mrw

user_delegate:Principal B:Mrw

user_delegate:Principal C:Mrw