
Types of Delegation

When a client application calls sec_login_become_initiator( ) to enable delegation, that application specifies the type of delegation that should be enabled. The delegation type can be any of the following:

· Traced Delegation

Includes the identities of all members of the delegation chain in the credentials used for authorization. To become an intermediary in a traced delegation chain, server principals use the sec_login_become_delegate( ) call.

Note that ACLs on objects that are targets of traced delegation must grant the requested permission (or delegate permission) to each member of the delegation chain.

· Impersonation

Includes only the identity of the initiator of the delegation chain in the credentials used for authorization. All intermediaries "impersonate" the delegation initiator. To become an impersonator, principals use the sec_login_become_impersonator( ) call.

Note that ACLs on objects that are targets of impersonation need list only the delegation initiator, not each delegate in the chain.

Generally, traced delegation is the preferred method. Under impersonation (also called simple delegation), an intermediary is indistinguishable from the initiator: every object the initiator may access is open to each impersonator, and the target's ACL manager cannot tell which server actually made the request. This high degree of location transparency greatly increases the risk of a client being compromised by a Trojan horse application that inserts itself into the chain and acts with the initiator's full rights.

When server principals call sec_login_become_delegate( ) or sec_login_become_impersonator( ) to become an intermediary in a delegation chain, they must also specify the delegation type as input to the call. The type they specify must match the delegation type chosen by the initiator of the chain (unless they specify no delegation).
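The three rules above (traced delegation checks every member of the chain against the ACL, impersonation checks only the initiator, and an intermediary must name the same delegation type as the initiator) as a runnable model in C. This is an added example, not DCE's own code: it does not call the DCE API (begin_chain and join_chain merely stand in for sec_login_become_initiator( ), sec_login_become_delegate( ) and sec_login_become_impersonator( )), the payroll ACL, principal names and permission bits are constructed for illustration, the reading of "no delegation" as "stop delegating and call onward as yourself" is this model's, and the rule that the initiator must hold the requested permission itself, with the delegate permission sufficing only for intermediaries, is an assumption of the model rather than a statement from this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Permission bits; PERM_DELEGATE is the ACL "delegate" permission the text mentions. */
enum { PERM_READ = 1u, PERM_WRITE = 2u, PERM_DELEGATE = 4u };
enum deleg_type { DELEG_NONE, DELEG_TRACED, DELEG_IMPERSONATION };
enum { MAX_CHAIN = 8, MAX_ACL = 8 };

/* Delegation chain as carried in the credentials; member[0] is the initiator. */
struct chain { enum deleg_type type; const char *member[MAX_CHAIN]; size_t len; };
struct acl_entry { const char *principal; unsigned perms; };
struct acl { struct acl_entry entry[MAX_ACL]; size_t len; };

static unsigned acl_perms(const struct acl *acl, const char *principal)
{
    for (size_t i = 0; i < acl->len; i++)
        if (strcmp(acl->entry[i].principal, principal) == 0)
            return acl->entry[i].perms;
    return 0; /* no entry, no permissions */
}

/* Client side: start a chain of the chosen type (stands in for sec_login_become_initiator). */
void begin_chain(struct chain *c, const char *initiator, enum deleg_type type)
{
    c->type = type; c->member[0] = initiator; c->len = 1;
}

/* Server side: join as an intermediary (stands in for sec_login_become_delegate /
 * sec_login_become_impersonator). The named type must match the initiator's.
 * DELEG_NONE is read here (model assumption) as "stop delegating, call onward as yourself". */
bool join_chain(struct chain *c, const char *intermediary, enum deleg_type type)
{
    if (type == DELEG_NONE) { begin_chain(c, intermediary, DELEG_NONE); return true; }
    if (type != c->type || c->len >= MAX_CHAIN) return false;
    c->member[c->len++] = intermediary;
    return true;
}

/* Target side: the decision an ACL manager makes for a request of `requested`. */
bool authorize(const struct acl *acl, const struct chain *c, unsigned requested)
{
    /* Assumption of this model: the initiator must hold the permission itself;
     * the delegate bit alone is only enough for intermediaries. */
    if ((acl_perms(acl, c->member[0]) & requested) != requested) return false;
    if (c->type != DELEG_TRACED) return true; /* impersonation: only the initiator is checked */
    for (size_t i = 1; i < c->len; i++) {       /* traced: every intermediary is checked */
        unsigned p = acl_perms(acl, c->member[i]);
        if ((p & requested) != requested && !(p & PERM_DELEGATE)) return false;
    }
    return true;
}

/* Constructed sample ACL on a "payroll" object (names are made up for this example). */
static const struct acl payroll_acl = {
    { { "alice", PERM_READ | PERM_WRITE }, { "app-server", PERM_DELEGATE },
      { "report-server", PERM_READ } }, 3 };

/* Helper: alice initiates, then one or two intermediaries join with the same type. */
static void build(struct chain *c, enum deleg_type t, const char *a, const char *b)
{
    begin_chain(c, "alice", t);
    join_chain(c, a, t);
    if (b) join_chain(c, b, t);
}

/* alice -> app-server (D) -> report-server (r): traced read passes every member. */
bool traced_read_granted(void)
{
    struct chain c; build(&c, DELEG_TRACED, "app-server", "report-server");
    return authorize(&payroll_acl, &c, PERM_READ);
}
/* Same chain, write: report-server has neither w nor D, so traced delegation refuses. */
bool traced_write_denied(void)
{
    struct chain c; build(&c, DELEG_TRACED, "app-server", "report-server");
    return !authorize(&payroll_acl, &c, PERM_WRITE);
}
/* An intermediary missing from the ACL is stopped by traced delegation... */
bool traced_rogue_denied(void)
{
    struct chain c; build(&c, DELEG_TRACED, "rogue", NULL);
    return !authorize(&payroll_acl, &c, PERM_WRITE);
}
/* ...but under impersonation the same intermediary carries alice's full rights and the
 * ACL never sees it: the Trojan-horse exposure the text warns about. */
bool impersonation_rogue_granted(void)
{
    struct chain c; build(&c, DELEG_IMPERSONATION, "rogue", NULL);
    return authorize(&payroll_acl, &c, PERM_WRITE);
}
/* An intermediary naming a type other than the initiator's is refused. */
bool type_mismatch_refused(void)
{
    struct chain c; begin_chain(&c, "alice", DELEG_TRACED);
    return !join_chain(&c, "app-server", DELEG_IMPERSONATION);
}
```

The two "rogue" scenarios are the point of the example: with traced delegation the ACL on the target object has a chance to reject an intermediary it has never heard of, whereas with impersonation the same intermediary is invisible to the ACL and inherits everything the initiator can do.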