
Overview - The ID Map API

In the multicell environment, the global printstring representation of a principal identity can be ambiguous, even though every principal and its native cell have unique names in the form of UUIDs to which the printstring representations normally resolve. For example, all ACLs maintain UUIDs as the definitive representations of principal and cell names. The acl_edit tool, on the other hand, takes as input (and also outputs) this same information as printstrings. This string-to-UUID mapping is accomplished easily enough when an ACL entry refers to a local identity; that is, a member of the local cell. However, when a user adds an ACL entry for a foreign principal identity such as /.../world/dce/rd/writers/tom, it is not evident to the ACL manager which part of the name identifies the cell, and which identifies the principal within the cell. The name /.../world/dce may refer to a cell containing the principal /rd/writers/tom, or the cell name may be /.../world/dce/rd and the principal name /writers/tom.
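The ambiguity described above, shown as an added C example that is not DCE code and does not call the ID map API. The function name `split_global_name` and the tables of known cell names are assumptions made for illustration; the sample data is constructed from the name used in the text.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration, not DCE code. Each '/' after the "/.../" global root is
 * a possible cell boundary; one is accepted only if the prefix appears in the
 * caller's table of known cell names (a stand-in for a real lookup). Returns
 * how many boundaries matched, or -1 if the output buffers are too small.
 * cell and princ are written only when exactly one boundary matched. */
int split_global_name(const char *name, const char *const *cells,
                      size_t ncells, char *cell, char *princ, size_t outsz)
{
    int matches = 0;
    size_t cut = 0;
    if (strncmp(name, "/.../", 5) != 0)
        return 0;                          /* not a global name */
    for (const char *p = strchr(name + 5, '/'); p && p[1]; p = strchr(p + 1, '/')) {
        size_t len = (size_t)(p - name);
        for (size_t i = 0; i < ncells; i++) {
            if (strlen(cells[i]) == len && memcmp(cells[i], name, len) == 0) {
                matches++;
                cut = len;
                break;
            }
        }
    }
    if (matches != 1)
        return matches;                    /* unknown or ambiguous: reject */
    if (cut >= outsz || strlen(name + cut) >= outsz)
        return -1;
    memcpy(cell, name, cut);
    cell[cut] = '\0';
    strcpy(princ, name + cut);
    return 1;
}

int main(void)
{
    /* Constructed tables: the page's example name under two cell layouts. */
    const char *name = "/.../world/dce/rd/writers/tom";
    const char *const layout_a[] = { "/.../world/dce" };
    const char *const layout_b[] = { "/.../world/dce/rd" };
    char cell[64], princ[64];
    if (split_global_name(name, layout_a, 1, cell, princ, sizeof cell) == 1)
        printf("A: cell=%s principal=%s\n", cell, princ);
    if (split_global_name(name, layout_b, 1, cell, princ, sizeof cell) == 1)
        printf("B: cell=%s principal=%s\n", cell, princ);
    return 0;
}
```

The same string yields two different (cell, principal) pairs depending on which cells exist, which is why an ACL stores the resolved UUIDs and not the string the user typed.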

To parse the fully qualified principal name that the user types into its cell name and local principal-name components, and for these components to be mapped to UUIDs, ACL managers that support entries for foreign identities use the ID map API. For the same reasons, many other kinds of servers in a DCE multicell environment need a facility to parse global names and translate UUIDs into printstring names.

The ID map API provides a simple interface to translate a fully qualified name (that is, the global representation of a name) into its components and back again. This API consists of the following calls:

· The sec_id_parse_name( ) call takes as input a registry context handle and a fully qualified principal name, and returns the principal's printstring name and UUID, and the printstring name and UUID of the principal's native cell.

· The sec_id_gen_name( ) call translates a principal UUID and the UUID of its native cell into a cell-relative principal name, a cell name, and a fully qualified principal name.

· The sec_id_parse_group( ) call is like sec_id_parse_name( ), except that it operates on group names.

· The sec_id_gen_group( ) call is like sec_id_gen_name( ), except that it operates on group names.