absolute time

A point on a time scale. For DTS, absolute time refers to the UTC standard.

abstract class

GDS: An OM class of OM object of which instances are forbidden. An abstract class typically serves to document the similarities between instances of two or more concrete classes.

Abstract Syntax Notation One (ASN.1)

A notation that both enables complicated types to be defined and also enables values of these types to be specified.

Access Control List

Access Control List (ACL): Security
: Data that controls access to a protected object. An ACL specifies the privilege attribute(s) needed to access the object and the permissions that can be granted, with respect to the protected object, to principals that possess such privilege attribute(s).

Access Control List (ACL): DFS
: The following ACL permissions are defined for file system objects:

1. read (abbreviated r): allows you to read a file or, with x, list a directory and the ACLs of its objects.

2. write (abbreviated w): allows you to modify a file or, with i, add a new object to a directory or, with d, remove an object from a directory.

3. execute (abbreviated x): allows you to execute a file or, with r, list a directory and the ACLs of its objects.

4. control (abbreviated c): allows you to modify a file's ACLs or a directory's ACLs.

5. insert (abbreviated i): with w, allows you to add a new object to a directory or, with w and d, rename an object in a directory.

6. delete (abbreviated d): with w, allows you to remove an object from a directory or, with w and i, rename an object in a directory.

Access Control List (ACL): CDS
: The following ACL permissions are defined for CDS

1. read (abbreviated r): allows a principal to look up a name and view the attribute values associated with it.

2. write (abbreviated w): allows a principal to change the modifiable attributes associated with a name, except its ACLs.

3. insert (abbreviated i): (for use with directory entries only) allows a principal to create new names in a directory.

4. delete (abbreviated d): allows a principal to delete a name from the namespace.

5. test (abbreviated t): allows a principal to test whether an attribute of a name has a particular value without being able to actually see any of the values (that is, without having read permission to the name). Test permission provides application programs with a more efficient way to verify a CDS attribute value. Rather than reading an entire set of values, an application can test for the presence of a particular value.

6. control (abbreviated c): allows a principal to modify the ACL entries associated with a name. Control permission is automatically granted to the creator of a CDS name.

7. administer (abbreviated a): (for use with directory entries only) allows a principal to issue cdscp commands that control the replication of directories.

Access Control List (ACL): GDS
: A recurring attribute of an entry for specifying the access authorization for an object. The following ACL permissions are defined for GDS:

1. MODIFY PUBLIC: specifies the user, or subtree of users, that can modify attributes classified as public attributes.

2. READ STANDARD: specifies the user, or subtree of users, that can read attributes classified as standard attributes.

3. MODIFY STANDARD: specifies the user, or subtree of users, that can modify attributes classified as standard attributes.

4. READ SENSITIVE: specifies the user, or subtree of users, that can read attributes classified as sensitive attributes.

5. MODIFY SENSITIVE: specifies the user, or subtree of users, that can modify attributes classified as sensitive attributes.

access control list entry

Data in an ACL that specifies a set of permissions. In the case of a principal or group entry, the permission set is that which can be granted to a principal having the privilege attribute specified in the entry; in the case of a mask entry, the permission set is that which masks the permission set in a principal or group entry.

access control list facility

A DCE Security facility that enables a principal's access to an object to be determined by a comparison of the principal's privileges to entries in an object's ACL.

access right

See permission.


Said of an object for which the client possesses a valid designator or handle.


An entry in the registry database that defines a principal's network identity by associating the principal with a group and optional organization, and with related account information such as the password used to authenticate a principal's identity.


See Attribute Configuration File.


See access control list.

active context handle

RPC: In RPC applications, a context handle that the remote procedure has set to a nonnull value and passed back to the calling program; the calling program supplies the active context handle in any future calls to procedures that share the same client context. See also client context, context handle.


An unambiguous name, label, or number that identifies the location of a particular entity or service. See also presentation address.

administration domain

GDS: A collection of several DSAs that share the same schema object (mastered by one of these DSAs and shadowed by all the others).

administrative domain

DFS: A collection of machines configured as the server machines necessary to be administered as a single unit. The administration is typically handled by groups of administrative users.

GDS: A collection of several DSAs that share the same schema object (mastered by one of these DSAs and shadowed by all the others).

administrative list

DFS: A file used to determine who can issue commands that affect filesets or DFS server processes. Administrative lists allow system administrators to control the security of the administrative domains in a cell. See also administrative domain, privilege required.


DFS: A logical unit of disk storage that can contain multiple DCE LFS filesets or a single UFS fileset. An aggregate is physically equivalent to a standard UNIX disk partition, but a DCE LFS aggregate supports an optimized metadata structure and a number of specialized fileset-level operations not available on standard UNIX partitions. A UFS partition exported into the global namespace is referred to as an aggregate even though it does not support the optimizations and features of a DCE LFS aggregate.

aggregate identifier

DFS: The part of the fileset representation that identifies the aggregate on the File Server machine on which the fileset is stored.


GDS: A name for a (directory) object, provided by the use of one or more alias entries in the DIT.

Security: An optional alternate name for a primary name in the registry database. Aliases and the primary name for which they are an alternate share the same UUID and UNIX ID.

alias entry

GDS: A directory entry, of object class alias, containing information used to provide an alternative name for an object.

aliased object

The object to which an alias entry refers.


RPC: Occurs when two pointers of the same operation point at the same storage.


DFS: An abstraction for referring to an open-ended address space of storage. See also vnode.

anonymous user

A user who is not entered in the directory as an object and who logs into the directory service without giving a name and password.


See Application Programming Interface.

application programming interface (API)

A set of runtime routines or system calls that allows an application program to use a particular service provided by either the operating system or another application program.

application thread

RPC: A thread of execution created and managed by application code. See also client application thread, local application thread, RPC thread, server application thread.


See Abstract Syntax Notation One.

asynchronous operation

An operation that does not of itself cause the process requesting the operation to be blocked from further use of the CPU. This implies that the process and the operation are running concurrently.


See attribute table.

at-most-once semantics

RPC: A characteristic of a procedure that restricts it to executing once, partially, or not at all--never more than once. See also idempotent semantics , broadcast semantics, maybe semantics.

atomic transaction

DFS: A transaction that happens entirely or not at all; used when partial completion of a transaction is undesirable.

attention threshold

DFS: In the scout program, the value at which the program highlights a statistic in its graphical display. Separate attention thresholds can be set for most scout statistics. See also scout.


Threads: The individual components of the attributes object. Attributes specify detailed properties about the objects to be created.


1. An IDL or ACF syntax element, occurring within [ ] (brackets), and conveying information about an interface, type, field, parameter, or operation.

2. An attribute of an entry in a name service database that stores binding, group, object, or profile information for an RPC application and identifies the entry as an RPC server entry; an NSI attribute.

DTS: A piece of information associated with a DTS entity or command. DTS has four attribute categories: characteristics, counters, identifiers, and status.

XDS: Information of a particular type concerning an object and appearing in an entry that describes the object in the DIB.

XOM: A component of an object, comprising an integer that denotes the attribute's type and an ordered sequence of one or more attribute values, each accompanied by an integer denoting the value's syntax.

attribute configuration file (ACF)

RPC: An .acf file. An optional companion to an interface definition file (an .idl file) that modifies how the DCE IDL compiler locally interprets the interface definition. See also interface definition, Interface Definition Language.

attribute configuration language

RPC: A high-level declarative language that provides syntax for attribute configuration files. See also Attribute Configuration File .

attribute encoding type

A specifier of the data format (for example, integer, string, UUID) of an attribute value.

attribute instance

An attribute type UUID and value created according to the attribute type's semantics and attached to a registry object. (Also called attribute or ERA.)

attribute schema

A collection of attribute type definitions or schema entries. (Also called schema.)

attribute schema object

See schema object.

attribute set

An attribute instance with encoding type attr_set. Its value is a list of attribute type UUIDs that identify member attributes of this set. Attribute sets are created for the purpose of efficient queries for related attributes.

attribute syntax

GDS: A definition of the set of values that attribute can assume. It includes the data type, in ASN.1, and usually one or more matching rules by which values can be compared.

attribute table (AT)

GDS: A recurring attribute of the directory schema with the description of the attribute types that are permitted.

attribute type

XDS: The component of an attribute that indicates the class of information given by that attribute. It is an Object Identifier, so it is completely unique.

XOM: Any of the various categories into which the client dynamically groups values on the basis of their semantics. It is an integer unique only within the package.

Security: The description of the identifiers (such as name and UUID) and semantics (such as encoding type and access control parameters) of instances of this type.

attribute value

XDS: A particular instance of the class of information indicated by an attribute type.

XOM: An atomic information object.

Security: The data in an attribute instance.

attribute value assertion (AVA)

GDS: A proposition, which may be true, false, or undefined, concerning the values (or perhaps only the distinguished values) of an entry.

attribute value syntax

See attribute syntax, syntax.

audit action

A component of the filter directive that specifies where the audit record is to be written: to the console or to an audit trail file.

audit client

Users of the DCE Audit Service. All DCE servers and user-written distributed applications can be audit clients.

audit condition

A component of the filter directive that specifies the required outcome of the event before an audit record is written to the audit trail file.

audit daemon

A DCE component. It maintains the audit filters and the central audit trail file.

audit event

An occurrence in the use of the application that requires logging of audit records. Generally, audit events involve the integrity of the system.

audit filter

Used to narrow down the conditions by which audit records are logged. A filter provides a means to specify these conditions.

audit record

Contains information pertaining to an audit event.

audit trail file

A set of audit records that provide evidence of the sequence of events that occurred on the system.


The verification of a principal's network identity.

authentication header

A record containing a ticket and an authenticator to be presented to a server as part of the authentication process.

authentication level

See protection level.

authentication path

The sequence of cells transited when a principal in one cell communicates with one in another cell. Also known as a trust path.

authentication protocol

A formal procedure for verifying a principal's network identity; Kerberos is an instance of a shared-secret authentication protocol.

authentication service

One of the services provided by DCE Security: the Authentication Service authenticates principals according to a specified authentication protocol. See also authentication protocol.

authentication surrogate

A type of principal represented by an entry in a cell's registry that specifies the same secret key as a corresponding entry in another cell's registry. The Authentication Services of the two cells use the secret key for the purpose of exchanging data about principals without either Authentication Service having to share its private key with the other. Authentication surrogates are necessary for intercell authentication. See also peer trust.


A record containing information that can be shown to have been recently generated via a conversation key known only by two principals that are participating in an authenticated network exchange.


1. The determination of a principal's permission(s) with respect to a protected object.

2. The approval of a permission sought by a principal with respect to a protected object.

authorization data

That portion of a Kerberos ticket that contains data necessary for authorization decisions. Sometimes abbreviated Auth_Data or A_D.

authorization protocol

A formal procedure for establishing the authorization of principals with respect to protected objects. Authorization protocols supported by DCE Security include one based on PACs and EPACs (DCE authorization) and one based on names (name-based authorization). See also PAC, EPAC, name-based authorization.

automatic binding method

RPC: A method of managing the binding for a remote procedure call. The automatic method completely hides binding management from client application code. If the client makes a series of remote procedure calls, the stub passes the same binding handle with each call. See also binding handle, implicit binding method , explicit binding method.


See attribute value assertion.