Credentials are translated to the GAA API internal format and
placed into the GAA API security context.
When evaluating an EACL, the security context is searched for the
necessary credentials.
Assume that the file doc.txt has the EACL shown in Table 1,
stored in the authorization database:
Table 1.
Assume the following credentials are stored in the security context
associated with the user Tom.
Identity credential:
access_id_USER kerberos.v5 tom@ORG.EDU
condition:time_window pacific_tzone 6am-7pm
Group membership credential:
access_id_GROUP kerberosV5 admin@ORG.EDU condition:privilege restricted
Delegation credential:
grantor:grantor_id_USER kerberosV5 joe@ORG.EDU
grantee:access_id_USER kerberosV5 tom@ORG.EDU
objects:doc.txt
rights:pos_access_rights local_manager FILE:write
condition:location local_manager *.org.edu
Consider a request from the user Tom, connecting from the ORG.EDU domain,
to write to the file doc.txt at 5pm.
In evaluating the EACL, the first entry does not grant the requested
operation; the second entry does. The evaluation function then checks
the security context for the admin group membership credential. The credential
is found, but it carries the condition privilege:restricted, which means that
Tom can use this privilege only if logged in as an administrator. Tom's request
does not satisfy this condition, so the second entry does not grant the access.
Evaluation continues with the third entry, which also grants the requested
operation. The evaluation function looks for a delegation credential for
tom@ORG.EDU issued by joe@ORG.EDU. The appropriate delegation credential is
found, and its location condition (*.org.edu) is satisfied by a connection
from the ORG.EDU domain, so the requested access is granted.
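As an added illustration (not the GAA API's own code), the following Python evaluator walks the EACL in the order described above, looks up the credential each entry requires in Tom's security context, and checks that credential's conditions before granting. Table 1 is not reproduced on this page, so the three EACL entries are an assumption chosen to match the narrative; the credential data and the request are constructed.

```python
from fnmatch import fnmatch
# Tom's security context, built from the credentials listed above (constructed).
SECURITY_CONTEXT = [
    {"type": "access_id_USER", "id": "tom@ORG.EDU",
     "conditions": {"time_window": ("pacific_tzone", 6, 19)}},    # 6am-7pm
    {"type": "access_id_GROUP", "id": "admin@ORG.EDU",
     "conditions": {"privilege": "restricted"}},
    {"type": "delegation", "id": ("joe@ORG.EDU", "tom@ORG.EDU"),  # (grantor, grantee)
     "objects": ["doc.txt"], "rights": ["FILE:write"], "conditions": {"location": "*.org.edu"}},
]
# EACL for doc.txt. Table 1 is not reproduced on the page, so these entries are
# assumed to match the narrative: entry 1 grants only read, entries 2 and 3 grant write.
EACL = [
    {"type": "access_id_USER", "id": "tom@ORG.EDU", "rights": ["FILE:read"]},
    {"type": "access_id_GROUP", "id": "admin@ORG.EDU", "rights": ["FILE:write"]},
    {"type": "delegation", "id": ("joe@ORG.EDU", "tom@ORG.EDU"), "rights": ["FILE:write"]},
]

def condition_holds(name, value, request):
    if name == "privilege":    # "restricted": usable only when logged in as admin
        return value != "restricted" or request["admin_login"]
    if name == "location":     # wildcard match against the requesting host
        return fnmatch(request["host"], value)
    if name == "time_window":  # (zone, start_hour, end_hour); zone not modelled
        return value[1] <= request["hour"] < value[2]
    return False               # unknown condition type: fail closed

def find_credential(entry, request):
    for cred in SECURITY_CONTEXT:
        if (cred["type"], cred["id"]) != (entry["type"], entry["id"]):
            continue
        if entry["type"] == "delegation" and (request["object"] not in cred["objects"]
                                             or request["right"] not in cred["rights"]):
            continue           # delegation does not cover this object or right
        return cred
    return None

def evaluate(eacl, request):
    """Walk entries in order; return ("GRANT", index) or ("DENY", None)."""
    for i, entry in enumerate(eacl):
        if request["right"] not in entry["rights"]:
            continue           # entry does not grant the requested operation
        cred = find_credential(entry, request)
        if cred is None:
            continue           # required credential is not in the security context
        if all(condition_holds(n, v, request) for n, v in cred["conditions"].items()):
            return "GRANT", i  # every condition on the credential holds
    return "DENY", None        # no entry granted the operation: fail closed

# Tom writing doc.txt at 5pm from a host in the ORG.EDU domain, not logged in as admin.
TOM_REQUEST = {"object": "doc.txt", "right": "FILE:write",
               "hour": 17, "host": "ws1.org.edu", "admin_login": False}
```

Running `evaluate(EACL, TOM_REQUEST)` reproduces the narrative: the access is granted by the third (delegation) entry, while the same request from a host outside *.org.edu is denied.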