When a server's ACL manager is presented with credentials to use as the basis for an authorization decision, the manager evaluates the privilege attributes of each principal involved in the delegation chain. The ACL manager grants access for the requested operation only if all principals in the delegation chain have the necessary permissions on the object that is the eventual target of the operation.
For the initiator of the delegation chain, permission on the target object must be granted directly using any of the following standard ACL entry types:
· user_obj
· user
· foreign_user
· group_obj
· group
· foreign_group
· other_obj
· foreign_other
· any_other
· extended
For intermediaries in a delegation chain, permissions to a target object can be granted directly to the intermediary with the standard ACL entry types previously described, or permissions can be granted by delegate ACL entries. Delegate ACL entries grant permissions to principals only if they are acting as delegates. The following delegate ACL entry types are available:
· user_obj_delegate
· user_delegate
· foreign_user_delegate
· group_obj_delegate
· group_delegate
· foreign_group_delegate
· other_obj_delegate
· foreign_other_delegate
· any_other_delegate
Note that, to perform an operation, all delegates in the chain must have the appropriate permissions. For example, assume a delegation chain consists of Principal A (the initiator) and Principals B and C (the intermediaries). To perform the operation, the delegation chain requires Mrw permissions on Server X. One way of granting these permissions is to grant them directly to each member of the delegation chain, as shown in the following:
user:Principal A:Mrw
user:Principal B:Mrw
user:Principal C:Mrw
Providing access directly also allows each intermediary in the chain to perform the operation on its own initiative, a consequence that may or may not be desired. To specify that Principals B and C may only be intermediaries operating on behalf of an authorized initiating principal, without granting them the ability to perform the operation on their own, use delegate entries. In this case, Server X's ACL would contain the following entries:
user:Principal A:Mrw
user_delegate:Principal B:Mrw
user_delegate:Principal C:Mrw
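The difference between the two ACLs can be checked with a small model of the evaluation rule described above. This is an added example, not DCE code: the function names are hypothetical, only user and user_delegate entries are modelled (groups, masks and foreign cells are ignored), and an intermediary is assumed to pass if either its direct entry or its delegate entry grants every needed permission.

```python
# Simplified model of the delegation-chain check (assumption: only user and
# user_delegate entries; groups, masks and foreign cells are not modelled).

def parse_acl(text):
    """Parse 'type:principal:perms' lines into {(type, principal): set(perms)}."""
    acl = {}
    for line in text.strip().splitlines():
        entry_type, principal, perms = (f.strip() for f in line.split(":"))
        if entry_type not in ("user", "user_delegate"):
            raise ValueError(f"entry type not modelled: {entry_type}")
        acl.setdefault((entry_type, principal), set()).update(perms)
    return acl

def grants(acl, entry_type, principal, needed):
    """True if the named entry exists and covers every needed permission."""
    return set(needed) <= acl.get((entry_type, principal), set())

def chain_allowed(acl, chain, needed):
    """chain[0] is the initiator; the rest are intermediaries, in order."""
    if not chain:
        return False
    initiator, intermediaries = chain[0], chain[1:]
    # The initiator must hold the permissions through a standard entry.
    if not grants(acl, "user", initiator, needed):
        return False
    # Each intermediary may hold them directly or through a delegate entry.
    return all(
        grants(acl, "user", p, needed) or grants(acl, "user_delegate", p, needed)
        for p in intermediaries
    )

# Constructed ACLs matching the two Server X listings above.
DIRECT_ACL = parse_acl("""
user:Principal A:Mrw
user:Principal B:Mrw
user:Principal C:Mrw
""")
DELEGATE_ACL = parse_acl("""
user:Principal A:Mrw
user_delegate:Principal B:Mrw
user_delegate:Principal C:Mrw
""")
CHAIN = ["Principal A", "Principal B", "Principal C"]

if __name__ == "__main__":
    for name, acl in (("direct", DIRECT_ACL), ("delegate", DELEGATE_ACL)):
        print(name, "chain A->B->C:", chain_allowed(acl, CHAIN, "Mrw"))
        print(name, "B acting alone:", chain_allowed(acl, ["Principal B"], "Mrw"))
```

Both ACLs admit the chain A, B, C, but only the first lets Principal B perform the operation as an initiator.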