The intercell action field of the schema entry specifies the action that should be taken by the privilege server when reading attributes from a foreign cell. This field can contain one of three values:
· sec_attr_intercell_act_accept
To accept the foreign attribute instance
· sec_attr_intercell_act_reject
To reject the foreign attribute instance
· sec_attr_intercell_act_evaluate
To call a remote trigger server to determine how the attribute instance should be handled
When the privilege server generates a PTGT for a foreign principal, it retrieves the list of attributes from the foreign principal's EPAC.
These attribute instances may be attached to the principal object itself, or to the group or organization object associated with the principal object.
The privilege server then checks the local attribute schema for attribute types with UUIDs that match the UUIDs of the attribute instances from the foreign cell that are contained in the EPAC. At this point, the privilege server takes one of the following two actions:
1. If the privilege server cannot find a matching attribute type in the local attribute schema, it checks the unknown_intercell_action attribute on the policy object. If the unknown_intercell_action attribute is set to
· sec_attr_intercell_act_accept, the foreign attribute instance is retained and included in the EPAC generated for the object by the privilege server.
· sec_attr_intercell_act_reject, the foreign attribute is discarded.
Note: The unknown_intercell_action attribute must be created by the system administrator and attached to the policy object. The attribute type, which takes the same values as the intercell_action field, has the following characteristics:
Name: unknown_intercell_action
Attribute UUID: 171e0ef2c-d12e-11cc-bb7b-080009353559
Encoding: sec_attr_encoding_integer
ACL manager set: policy_acl_mgr
Unique: false
Multivalued: false
Reserved: true
Comment text: Flag indicating whether to accept or reject foreign attributes for which no schema entry exists
2. If the privilege server finds a matching attribute type in the local attribute schema, it retrieves the attribute. The action it now takes depends on the setting of the attribute type's intercell action field and unique flag as follows:
· If the intercell action field is set to sec_attr_intercell_act_accept and
- The unique flag is not set on, the privilege server includes the foreign attribute instance in the principal's EPAC.
- The unique flag is set on, the privilege server includes the foreign attribute instance in the principal's EPAC only if the attribute instance value is unique among all instances of the attribute type within the local cell.
Note: If the unique attribute type flag is set on and a query trigger exists for a given attribute type, the intercell action field cannot be set to sec_attr_intercell_act_accept because, in this case, only the query trigger server can reasonably perform a uniqueness check.
· If the intercell action field is set to sec_attr_intercell_act_reject, the privilege server unconditionally discards the foreign attribute instance.
· If the intercell action field is set to sec_attr_intercell_act_evaluate, the privilege server makes a remote sec_attr_trig_intercell_avail( ) call to an attribute trigger, using the binding information in the local attribute type schema entry. The remote attribute trigger decides whether to retain the attribute instance, discard it, or map it to one or more other values. The privilege server includes the values returned by the attribute trigger in the sec_attr_trig_query( ) call output array in the principal's EPAC.
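The two-step decision above (unknown attribute type, then known type with accept/reject/evaluate and the unique flag) can be modelled directly. The following Python is an added illustration, not DCE code: the class and function names, the string-valued UUIDs such as "attr-a", the in-memory uniqueness set standing in for a registry lookup, and the map_role callback standing in for a remote sec_attr_trig_intercell_avail( ) trigger server are all assumptions made for the example.

```python
"""Model of the privilege server's intercell-action decision for foreign EPAC
attributes. Added illustration only; names and sample values are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple


class IntercellAction(Enum):
    ACCEPT = "sec_attr_intercell_act_accept"
    REJECT = "sec_attr_intercell_act_reject"
    EVALUATE = "sec_attr_intercell_act_evaluate"


# Hypothetical stand-in for a remote trigger: takes the foreign instance's
# values and returns the values to keep (an empty list means discard).
Trigger = Callable[[str, Sequence[str]], List[str]]


@dataclass
class SchemaEntry:
    uuid: str
    intercell_action: IntercellAction
    unique: bool = False
    has_query_trigger: bool = False
    trigger: Optional[Trigger] = None  # binding for act_evaluate


@dataclass
class Policy:
    unknown_intercell_action: IntercellAction  # accept or reject only


def schema_violations(schema: Dict[str, SchemaEntry]) -> List[str]:
    """Checks the text's constraint: a unique type with a query trigger cannot
    use act_accept, since only the query trigger server can check uniqueness.
    Also flags act_evaluate entries that carry no trigger binding."""
    problems = []
    for entry in schema.values():
        if entry.unique and entry.has_query_trigger \
                and entry.intercell_action is IntercellAction.ACCEPT:
            problems.append(f"{entry.uuid}: unique+query trigger cannot use act_accept")
        if entry.intercell_action is IntercellAction.EVALUATE and entry.trigger is None:
            problems.append(f"{entry.uuid}: act_evaluate needs a trigger binding")
    return problems


def filter_foreign_attrs(
    epac_attrs: Sequence[Tuple[str, Sequence[str]]],
    schema: Dict[str, SchemaEntry],
    policy: Policy,
    local_instances: Dict[str, Set[str]],
) -> List[Tuple[str, List[str]]]:
    """Return the attribute instances to include in the PTGT's EPAC."""
    kept: List[Tuple[str, List[str]]] = []
    for uuid, values in epac_attrs:
        entry = schema.get(uuid)
        if entry is None:
            # Step 1: no local schema entry, so the policy object decides.
            if policy.unknown_intercell_action is IntercellAction.ACCEPT:
                kept.append((uuid, list(values)))
            continue
        # Step 2: known type; the intercell action field and unique flag decide.
        if entry.intercell_action is IntercellAction.REJECT:
            continue
        if entry.intercell_action is IntercellAction.ACCEPT:
            # Simplification: any value already present locally breaks uniqueness.
            if entry.unique and any(v in local_instances.get(uuid, set()) for v in values):
                continue
            kept.append((uuid, list(values)))
            continue
        # act_evaluate: the trigger's returned values (if any) go into the EPAC.
        mapped = entry.trigger(uuid, values)
        if mapped:
            kept.append((uuid, mapped))
    return kept


def demo(unknown_action: IntercellAction) -> List[Tuple[str, List[str]]]:
    """Runs the filter over constructed sample data (not real DCE UUIDs)."""
    def map_role(uuid: str, values: Sequence[str]) -> List[str]:
        # Hypothetical trigger: foreign 'admin' maps to local 'guest'; others dropped.
        return ["guest" for v in values if v == "admin"]

    schema = {
        "attr-a": SchemaEntry("attr-a", IntercellAction.ACCEPT),
        "attr-b": SchemaEntry("attr-b", IntercellAction.ACCEPT, unique=True),
        "attr-c": SchemaEntry("attr-c", IntercellAction.REJECT),
        "attr-d": SchemaEntry("attr-d", IntercellAction.EVALUATE, trigger=map_role),
    }
    assert not schema_violations(schema)
    local_instances = {"attr-b": {"dup"}}  # 'dup' already exists in the local cell
    foreign_epac = [
        ("attr-a", ["ops"]),     # accepted
        ("attr-b", ["dup"]),     # unique type, value collides -> discarded
        ("attr-c", ["secret"]),  # rejected
        ("attr-d", ["admin"]),   # evaluated, mapped to 'guest'
        ("attr-e", ["x"]),       # no schema entry -> policy decides
    ]
    return filter_foreign_attrs(foreign_epac, schema, Policy(unknown_action), local_instances)


if __name__ == "__main__":
    print(demo(IntercellAction.ACCEPT))
    print(demo(IntercellAction.REJECT))
```

Running demo with the policy's unknown_intercell_action set to accept keeps the unknown attr-e instance; set to reject, it is dropped, while the known types are handled identically in both runs. schema_violations is the administrator-side check that the note about unique types with query triggers calls for.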