See Privilege Attribute Certificate.


A specified group of related OM classes, denoted by an object identifier.

package closure

The set of classes that need to be supported in order to be able to create all possible instances of all classes defined in the package.


See Process Activation Group.

parent cell

DFS: A cell that has an entry for a child cell in its CDS namespace. The child cell is represented as a child pointer in the root directory of the CDS namespace. The name of the parent cell becomes a prefix in the name of another cell. A parent cell can also be the child of another parent cell. See also hierarchical cell.

parent directory

Any directory that has one or more levels of directories beneath it in a cell namespace. A directory is the parent of any directory immediately beneath it in the hierarchy.

parent dump level

DFS: An entry in the dump hierarchy that is used as the reference point for dumps made at an incremental dump level. Both a full dump level and another incremental dump level can serve as a parent. See also dump, dump hierarchy, full dump, incremental dump.

parent ID number

DFS: A fileset ID number stored in a fileset header. If the fileset being examined is a read/write fileset, the parent ID is its fileset ID. If the fileset being examined is a read-only or backup copy of a read/write fileset, the parent ID is the fileset ID of the read/write fileset. See also fileset ID number.

partially bound binding handle

RPC: A server binding handle that contains an incomplete server address lacking an endpoint. See also fully bound binding handle.


A string presented by a principal to prove its identity. The login facility transforms this string to generate an encryption key that is used by the Authentication Service to authenticate the principal. Server principals usually bypass the string-to-key transformation and present an encryption key to the Authentication Service for authentication. See also encryption key.


See Portable Character Set.

peer trust

A type of trust relationship established between two cells by means of a secret key shared by mutual authentication surrogates maintained by the two cells. A peer trust relationship enables principals in the one cell to communicate securely with principals in the other.


The modes of access to a protected object. In DCE Security, the number and meaning of permissions with respect to the object are defined by the ACL Manager of the object. See also Access Control List.

GDS: One of five groups that assigns modes of access to users: MODIFY PUBLIC, READ STANDARD, MODIFY STANDARD, READ SENSITIVE, or MODIFY SENSITIVE. See also Access Control List.


The name assigned to a DCE principal. The Registry database contains the person objects with which accounts can be associated. Also, the first field of a subject identifier.


An encoding of a typed value in a byte stream. Pickles are useful for storing or transmitting typed values in typeless media. The type of value contained in a pickle may be understood from context or represented in the pickle itself.


RPC: A mechanism for passing large amounts of data in a remote procedure call.

RPC: The data structure that represents this mechanism.


See private key storage server.


The input to an encryption function or the output of a decryption function. Decryption transforms ciphertext into plaintext.

Portable Character Set (PCS)

The DCE PCS is the group of characters for which DCE guarantees support. The DCE RPC runtime requires that all DCE RPC clients and servers support the DCE PCS. The IDL base type specifiers char and idl_char identify DCE PCS characters.

position (within a string)

The ordinal position of one element of a string relative to another.

position (within an attribute)

The ordinal position of one value relative to another.

potential binding

RPC: A specific combination of an RPC protocol sequence, RPC protocol major version, network address, endpoint, and transfer syntax that an RPC client can use to establish a binding with an RPC server. See also binding, endpoint, network address, RPC protocol sequence , RPC protocol, transfer syntax.


1. A Boolean logic term denoting a logical expression that determines the state of some variable(s). For example, a predicate can be an expression stating that "variable A must have the value 3." The control expression used in conjunction with condition variables is based upon a predicate. Use a condition variable to wait for some predicate to become true; for example, to wait for something to be in a queue.

2. Audit Service: The criteria used to select audit records in an audit trail file. This is used in creating audit trail analysis and examination programs that read a select number of records from the audit trail file.

presentation address

An unambiguous name that is used to identify a set of presentation service access points. Loosely, it is the network address of an OSI service. See also address.

Presentation Service Access Point (PSAP)

Address of an OSI communications partner. It addresses an application in a computer.

presented type

RPC: For data types with the IDL transmit_as attribute, the data type that clients and servers manipulate. Stubs invoke conversion routines to convert the presented type to a transmitted type, which is passed over the network. See also transmitted type.

primary alias

The default name for a cell that has multiple cell aliases. This is the name of the cell that the system will return when asked. See also alias.

primary name

The string name of an object to which any aliases for that object refer. DCE refers to objects by their primary names, although DCE users can refer to them by their aliases.

primary representation

The form in which the service supplies an attribute value to the client.

primitive binding handle

RPC: A binding handle whose data type in IDL is handle_t and in application code is rpc_binding_handle_t. See also customized binding handle.


An entity that is capable of believing that it can communicate securely with another entity. In DCE, principals are represented as entries in the Registry database and include users, servers, computers, and authentication surrogates.

principal identifier

The name used to identify a principal uniquely. In DCE, principal identifiers are implemented as UUIDs.


A protection level that may be specified in secure RPC communications and that encrypts RPC argument values.

private key

A long-lived encryption key known to only one principal. In DCE, the Authentication Service is the only principal that has a private key.

private key storage server

A server that stores private keys in such a way that only their true owners can retrieve them.

private object

XDS: An OM object created in a workspace by using the object management functions. The term is simply used for contrast with a public object.

XOM: An object that is represented in an unspecified fashion.

privilege attribute

An attribute of a principal that can be associated with a set of permissions. DCE privilege attributes are identity based and include the principal's name, group memberships, and native cell.

privilege attribute certificate (PAC)

Data, describing a principal's privilege attributes, that has been certified by an authority. In DCE, the privilege service is the certifying authority and seals the privilege attribute data in a ticket. The authorization protocol, DCE authorization, determines the permissions granted to principals by comparing the privilege attributes in PACs with entries in an ACL.

privilege required

DFS: The administrative privilege required to issue a DFS command that affects filesets or DFS server processes. Administrative privilege for a DFS server process is granted to a user who is listed in the administrative list for that server process. See also administrative list.

Privilege Service

One of the services provided by DCE Security; the Privilege Service certifies a principal's privileges.

procedure declaration

RPC: The syntax for an operation, including its name, the data type of the value it returns (if any), and the number, order, and data types of its parameters (if any).

Process Activation Group (PAG)

DFS: A unique identifier that the DFS Cache Manager associates with a user's DCE credentials. The Cache Manager identifies the user's credentials by the associated PAG to allow the user authenticated access to DFS. Processes forked from the user's login process inherit the PAG to allow for authenticated access to DFS. The Cache Manager stores the PAG in the kernel of the DFS client.

process entry

DFS: A definition in the BosConfig file that determines a server process to run, the process's type, and any command parameters used by the process.


RPC: An entry in a name service database that contains a collection of elements from which NSI search operations construct search paths for the database. Each search path is composed of one or more elements that refer to name service entries corresponding to a given RPC interface and, optionally, a given object. See also NSI profile attribute , profile element.

profile element

RPC: A record in an RPC profile that maps an RPC interface identifier to a profile member (a server entry, group, or profile in a name service database). See also group, interface identifier, profile, server entry.

profile member

RPC: A name service entry whose name occupies the member field of an element of the profile. See also profile.

project list

A list of all the groups in which a principal is a member. The project list is used to determine the principal's access rights to objects. See also principal.

protection level

The degree to which secure network communications are protected.

protocol sequence

See RPC protocol sequence.

protocol sequence vector

RPC: A data structure that contains an array-size count and an array of pointers to RPC protocol-sequence strings. See also RPC protocol sequence .


See Presentation Service Access Point.

public object

XOM: An object that is represented by a data structure whose format is part of the service's specification.

XDS: A descriptor list that contains all of the OM attributes of an OM object.

purported name

A construct that is syntactically a name but that has not yet been shown to be a valid name.