Delegation with DCE LFS Objects

Note: The information in this section applies only to applications that are written to use delegation.

The previous sections of this topic document how ACLs work when you request access to an object directly. The information applies for most applications and for most routine file system operations. However, some applications may perform operations on an object on your behalf. An operation performed by such an application is referred to as a delegation operation; you delegate the operation to the server principal of the application.

For any operation, the user who initially requests the operation is referred to as the initiator. For a delegation operation, the principal that performs the operation for the initiator is known as the delegate. Because users typically delegate operations to server principals, delegation is usually described with respect to principals rather than users.

For an operation that does not involve delegation, only the initiator needs to have the permissions necessary to perform the requested operation. For a delegation operation, both the initiator and the delegate must have the permissions necessary to perform the operation. For example, suppose you ask an application that executes as a delegate to print a file. In this case, you are the initiator because you requested that the file be printed; the application is the delegate because it prints the file on your behalf. Both you and the application need the permissions required to print the file.

With DCE ACLs, you can grant permissions to a principal that apply only when the principal is acting as a delegate on behalf of another principal. In the previous example, you could grant the application the necessary permissions for the requested file directly, or you could grant the application permissions only when it is acting as a delegate. Granting the application permissions directly allows the application to print the file on its own initiative, which can allow unauthorized users to print the file via the application. Granting the application permissions as a delegate ensures that the application prints the file only on behalf of authorized users.

Multiple delegates can be associated with a single operation. In this case, the collection of delegates is referred to as a delegation chain. The initiator and all delegates in the chain must have the permissions necessary to perform a requested operation. If the application in the previous example had forwarded your print request to a print server, both the application and the print server would have been members of the delegation chain for your print request. In this case, the initiator (you) and both delegates (the application and the print server) would have needed the permissions required to print the file.
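The following added example (not part of the DCE documentation or DFS code) models the rule above: the initiator and every delegate in the chain must hold the needed permissions, and a delegate-only grant does not let the application act on its own initiative. It is a simplified model that ignores masks, groups and entry precedence; the `Acl` class, the principal names and the use of `r` as the permission required to print are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """Simplified ACL: principal -> permission letters (hypothetical model)."""
    direct: dict = field(default_factory=dict)         # standard entries
    delegate_only: dict = field(default_factory=dict)  # apply only when acting as a delegate

    def initiator_perms(self, principal):
        # An initiator is granted permissions via standard entries only.
        return set(self.direct.get(principal, ""))

    def delegate_perms(self, principal):
        # A delegate may use its standard entry or its delegate-only entry.
        return self.initiator_perms(principal) | set(self.delegate_only.get(principal, ""))

def check_access(acl, needed, initiator, chain=()):
    """Return (allowed, blocking): blocking lists principals lacking permissions."""
    needed = set(needed)
    blocking = []
    if not needed <= acl.initiator_perms(initiator):
        blocking.append(initiator)
    for delegate in chain:
        if not needed <= acl.delegate_perms(delegate):
            blocking.append(delegate)
    return (not blocking, blocking)

# Constructed sample data: alice is authorized, mallory is not.
# Weak setup: the application holds the permission directly.
acl_direct = Acl(direct={"alice": "r", "print_app": "r"})
# Tighter setup: the application and print server hold it only as delegates.
acl_deleg = Acl(direct={"alice": "r"},
                delegate_only={"print_app": "r", "print_srv": "r"})

if __name__ == "__main__":
    cases = [
        ("direct grant, app on its own initiative", acl_direct, "print_app", ()),
        ("delegate grant, app on its own initiative", acl_deleg, "print_app", ()),
        ("delegate grant, alice via app", acl_deleg, "alice", ("print_app",)),
        ("delegate grant, mallory via app", acl_deleg, "mallory", ("print_app",)),
        ("delegate grant, alice via app and server", acl_deleg, "alice",
         ("print_app", "print_srv")),
    ]
    for label, acl, initiator, chain in cases:
        print(label, "->", check_access(acl, "r", initiator, chain))
```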

The initiator of an operation is granted permissions via one of the standard entries described in the table in ACL Entry Types for Users and Groups. However, delegates can also be granted permissions via special ACL entry types that exist exclusively for delegation. The following topics provide more information about the additional ACL entries used for delegation and about how delegation works with DCE LFS objects.

More:

ACL Entry Types for Delegation

ACL Evaluation for Delegation

DFS Notes and Restrictions for Delegation