When a principal calls sec_login_become_initiator( ) to enable delegation, or sec_login_become_delegate( ) or sec_login_become_impersonator( ) to become an intermediary, the principal can specify optional and required restrictions. Optional and required restrictions are provided for use by applications that have specific authorization requirements. These restrictions, which are defined by the application, can be set by initiators or intermediaries, and are interpreted and enforced by application target servers. Servers can ignore optional restrictions that they cannot interpret, but they must reject requests associated with a required restriction that they cannot interpret. Both optional and required restrictions are supplied as values of type sec_id_opt_req_t. They are inserted in an EPAC by the privilege server and evaluated by the target server application.