ACL Evaluation for Delegation

DCE LFS performs an operation requested by one or more delegates only if the initiator and all delegates have the permissions required to perform the operation. If the initiator or one of the delegates does not have the required permissions, DCE LFS refuses to perform the operation. For example, to create a file in a directory, the initiator and all delegates must have the w, x, and i permissions on the directory; if the initiator or one of the delegates does not have all three of these permissions, the operation fails.

To determine the permissions for the initiator of an operation, DCE LFS considers only nondelegation ACL entries according to the evaluation algorithm presented in ACL Evaluation. However, to determine the permissions for a delegate, DCE LFS follows an evaluation algorithm that includes both delegation and nondelegation ACL entries. As with the usual evaluation algorithm, DCE LFS stops checking entries once a delegate meets a condition in the checking sequence; evaluation proceeds to a condition in the checking sequence only if the delegate fails to match all previous conditions.

The following list describes the order in which DCE LFS examines the entries on an ACL to determine the permissions for a delegate:

1. The delegate owns the object. DCE LFS grants the delegate the permissions from the user_obj entry.

2. A user, user_delegate, foreign_user, or foreign_user_delegate entry exists for the delegate. DCE LFS grants the delegate the permissions from the first of these entries that the delegate matches.

3. The delegate belongs to the group that owns the object (which acquires permissions via the group_obj entry) or to a group for which a group, group_delegate, foreign_group, or foreign_group_delegate entry exists. DCE LFS grants the delegate the permissions from all of the entries that the delegate matches.

4. The delegate is from the default cell. DCE LFS grants the delegate the permissions from the other_obj entry.

5. The delegate is from a foreign cell for which a foreign_other or foreign_other_delegate entry exists. DCE LFS grants the delegate the permissions from the first of these entries that the delegate matches.

6. The delegate is from a foreign cell and an any_other or any_other_delegate entry exists. DCE LFS grants the delegate the permissions from the first of these entries that exists.

7. The delegate matches no entry. DCE LFS denies the delegate access to the object.

Note that all delegation entries are always optional. Note also that a principal acquires permissions from a delegation entry only when acting as a delegate. A principal that is initiating an operation cannot obtain permissions from a delegation entry. Finally, DCE LFS filters all permissions granted via delegation entries through the mask_obj entry.
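
The checking sequence above, as an added Python sketch (illustrative only, not DCE code and not part of the original documentation). Assumptions: the entry tuple layout, the "cell/name" key form for foreign entries, reading "first" as ACL list order, and the initiator following the same sequence restricted to nondelegation entries; mask_obj is applied only to delegation entries, as this section states.

```python
from collections import namedtuple

Principal = namedtuple("Principal", "name cell groups")    # hypothetical model
ACL = namedtuple("ACL", "cell owner owner_group entries")  # entries: (type, key, perms)

def perms_for(acl, p, as_delegate):
    """Steps 1-7 above; *_delegate entries count only when as_delegate is True."""
    local = p.cell == acl.cell
    pre = "" if local else "foreign_"
    qual = lambda n: n if local else f"{p.cell}/{n}"  # assumed foreign key form

    def obj(kind):                                    # the single *_obj entry, or None
        return next((set(pm) for t, _, pm in acl.entries if t == kind), None)

    def matches(base, keys):                          # permission sets, in ACL order
        kinds = {base, base + "_delegate"} if as_delegate else {base}
        mask = obj("mask_obj")                        # filters delegation entries only
        return [set(pm) & mask if t.endswith("_delegate") and mask is not None
                else set(pm)
                for t, k, pm in acl.entries if t in kinds and k in keys]

    if local and p.name == acl.owner:                 # 1: owner of the object
        return obj("user_obj") or set()
    hit = matches(pre + "user", {qual(p.name)})       # 2: first matching user entry
    if hit:
        return hit[0]
    hit = matches(pre + "group", {qual(g) for g in p.groups})
    if local and acl.owner_group in p.groups:         # 3: union of all group matches
        hit.append(obj("group_obj") or set())
    if hit:
        return set().union(*hit)                      # stops here, even if too narrow
    if local:                                         # 4: default cell
        return obj("other_obj") or set()
    hit = matches("foreign_other", {p.cell}) or matches("any_other", {None})  # 5, 6
    return hit[0] if hit else set()                   # 7: no match, no access

def allowed(acl, required, initiator, delegates):
    """The operation succeeds only if the initiator and every delegate qualify."""
    need = set(required)
    return (need <= perms_for(acl, initiator, as_delegate=False)
            and all(need <= perms_for(acl, d, as_delegate=True) for d in delegates))

# Constructed sample: a directory ACL in default cell "home", owned by alice/staff.
DIR_ACL = ACL("home", "alice", "staff", [
    ("user_obj", None, "rwxcid"), ("mask_obj", None, "rwxi"),
    ("user_delegate", "printsvc", "rwxid"), ("group_delegate", "batch", "rx"),
    ("other_obj", None, "rx"), ("any_other_delegate", None, "r"),
])
ALICE = Principal("alice", "home", {"staff"})
PRINTSVC = Principal("printsvc", "home", set())
```

With this ACL, `allowed(DIR_ACL, "wxi", ALICE, [PRINTSVC])` is true, while `allowed(DIR_ACL, "wxi", PRINTSVC, [])` is false: as an initiator, printsvc gets nothing from its user_delegate entry and falls through to other_obj.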