In most respects, delegation works with DCE LFS objects in the same way that it works with other DCE objects. You use dcecp acl commands to add, delete, modify, and display delegation entries. You can include delegation entries on Object ACLs and Initial Creation ACLs.
An object created through a delegation operation is owned by the last delegate in the delegation chain. For example, if you direct an application to create a file, and that application in turn directs another server process to create the file, the resulting file is owned by the server process that actually creates it, not by you or the application. In this case, you may not have the necessary permissions to perform further operations on the file.
Similarly, because non-LFS objects do not have DCE ACLs, the permissions required for a delegation operation that involves a non-LFS object are based solely on the identity and permissions of the last delegate in the chain. The last delegate must acquire the necessary permissions by way of the user, group, or other mode bits.
The new ACL entry types introduced for delegation are incompatible with many programs from previous versions of DCE. Therefore, the following restrictions apply to the use of delegation entries on the ACLs of DCE LFS objects:
· Delegation is first available with version 1.1 of DCE. In earlier versions of DCE, the acl_edit program was used to list and modify ACLs. Versions of the acl_edit program provided with versions of DCE earlier than 1.1 cannot display or modify ACLs that include delegation entries.
· File Server machines based on versions of DCE earlier than 1.1 cannot house filesets in which the ACLs of one or more objects include delegation entries. If the ACLs of one or more objects in a fileset include delegation entries, DFS does not allow you to do the following:
- Move the fileset to a File Server that uses a version of DCE earlier than 1.1.
- Add a replication site for the fileset on a File Server that uses a version of DCE earlier than 1.1.
- Restore the fileset to a File Server that uses a version of DCE earlier than 1.1.
Finally, to use the identity of a chain of delegates for a delegation operation that involves DFS, an application sets the current login context to be that of the delegation chain for the operation (see the OSF DCE Administration Guide - Core Components for information about login contexts). When the operation is complete, the application sets the current login context back to its original state. This is required only for delegation operations that involve requests to the File Exporter, which runs in the kernel; for operations that involve requests to user-space processes, applications can simply indicate that the login context of the delegation chain is to be used for the operation. (An application uses the sec_login_set_context( ) routine to set the current login context; see the OSF DCE Application Development Guide - Core Components for more information.)
Note: DFS server processes that use administrative lists do not consider delegation when determining administrative privileges. The last delegate in the chain must be included in the appropriate administrative list to perform a privileged operation. For example, a privileged bos command requires that the last delegate in the chain be a member of the admin.bos list on the specified server machine. (See Using Administrative Lists and Keytab Files for information about administering DFS server processes.)