Entegrity Solutions - Secure Access Management and Content Delivery Solutions
Correct Settings for Composite Delegation
(397GR 28-June-2000)
Background

To implement composite delegation, verify that the following domain settings are appropriately selected:

  1. Client: Delegation Policy and Client Secure Invocation Policy
  2. Intermediate: Target Secure Invocation Policy, Client Secure Invocation Policy, Delegation Policy and Access Policy
  3. Target: Target Secure Invocation Policy and Access Policy

If the proper settings are not selected in each of these domains, the client receives a No Permission exception.

Delegation Policy must be set for each intermediate. Within Delegation Policy, settings can be selected for more than one interface. The choices are as follows:

  1. No Delegation — The intermediate object uses only its own credentials, not the client's credentials. This is the default.
  2. Simple Delegation (also called impersonation) — The intermediate object assumes the client’s credentials (identity). Access control decisions at subsequent targets are based on the privileges of the initiating client. The intermediate object can delegate the client’s privileges to other objects. Only the client’s privileges are passed to the target object, so the intermediate objects remain unknown to the target.
  3. Composite Delegation — The intermediate object can use the client’s credentials and delegate the credentials to other objects. All intermediate objects’ credentials are added to the client’s and passed to the target object, so the full chain of credentials can be traced at the target.

When implementing composite delegation, only the No Delegation or Composite Delegation settings are ever selected under Delegation Policy.

Note: The client must always have its Delegation Policy set to No Delegation.

Example

The initiator runs in the domain "Client" and calls a method on interface1. An object running in the domain "Intermediate" serves the method called by the initiator. The Intermediate server then calls a second method, on interface2, on an object served from the "Target" domain.

The following lists the minimum policies required in the respective domains to successfully delegate:

Client:
  Client Secure Invocation Policy: supports composite delegation for interface1

Intermediate:
  Access Policy: gives the initiator the effective rights to call the method
  Target Secure Invocation Policy: requires composite delegation for interface1
  Delegation Policy: interface1 = no delegation
                     interface2 = composite delegation
  Client Secure Invocation Policy: requires composite delegation for interface2

Target:
  Access Policy: gives the initiator the effective rights to call the method in the delegate tab
  Target Secure Invocation Policy: supports composite delegation

As always, the client-side and target-side Secure Invocation Policies have to match up in terms of supporting and requiring Confidentiality and Security without Confidentiality: whatever one side requires, the other side must support.

Note: The only difference for simple delegation is that the Target must give the initiator the proper effective rights in the initiator tab rather than the delegate tab.
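To make the example above and the "match up" rule checkable, here is an added consistency checker (it is not Entegrity's code or product API; the dict layout, the key names and the constructed GOOD sample are assumptions of this example). It walks the chain client -> intermediate (interface1) -> target (interface2), flags every setting the article lists as missing, and applies the match-up rule as "anything one side requires must appear in the other side's supports".

```python
NO, COMPOSITE = "no delegation", "composite delegation"

def _match_up(problems, iface, csi, tsi):
    # Secure Invocation Policies must match up: whatever one side requires, the other supports
    for f in csi.get("requires", set()) - tsi.get("supports", set()):
        problems.append(f"{iface}: client side requires {f}, target side does not support it")
    for f in tsi.get("requires", set()) - csi.get("supports", set()):
        problems.append(f"{iface}: target side requires {f}, client side does not support it")

def check_composite_delegation(cfg):
    # Returns the list of misconfigurations; an empty list means the minimum settings are present
    client, mid, target = cfg["client"], cfg["intermediate"], cfg["target"]
    p = []
    if client["delegation"].get("interface1", NO) != NO:
        p.append("Client: Delegation Policy must be set to no delegation")
    # Hop 1: the client's CSI against the intermediate's TSI for interface1
    _match_up(p, "interface1", client["csi"]["interface1"], mid["tsi"]["interface1"])
    if COMPOSITE not in mid["tsi"]["interface1"].get("requires", set()):
        p.append("Intermediate: TSI must require composite delegation for interface1")
    if "initiator" not in mid["access"].get("interface1", set()):
        p.append("Intermediate: Access Policy must give the initiator rights on interface1")
    if mid["delegation"].get("interface1", NO) != NO:
        p.append("Intermediate: Delegation Policy for interface1 must be no delegation")
    if mid["delegation"].get("interface2") != COMPOSITE:
        p.append("Intermediate: Delegation Policy for interface2 must be composite delegation")
    # Hop 2: the intermediate's CSI against the target's TSI for interface2
    _match_up(p, "interface2", mid["csi"]["interface2"], target["tsi"]["interface2"])
    if COMPOSITE not in mid["csi"]["interface2"].get("requires", set()):
        p.append("Intermediate: CSI must require composite delegation for interface2")
    # Composite delegation: the target grants the initiator in the delegate tab
    if "initiator" not in target["access"]["interface2"].get("delegate", set()):
        p.append("Target: Access Policy must grant the initiator in the delegate tab")
    return p

# Constructed sample holding exactly the minimum settings from the article's example
GOOD = {
    "client": {"delegation": {"interface1": NO}, "csi": {"interface1": {"supports": {COMPOSITE}}}},
    "intermediate": {"access": {"interface1": {"initiator"}},
                     "delegation": {"interface1": NO, "interface2": COMPOSITE},
                     "tsi": {"interface1": {"requires": {COMPOSITE}, "supports": {COMPOSITE}}},
                     "csi": {"interface2": {"requires": {COMPOSITE}, "supports": {COMPOSITE}}}},
    "target": {"access": {"interface2": {"delegate": {"initiator"}}},
               "tsi": {"interface2": {"supports": {COMPOSITE}}}},
}

def broken_copy():
    # Same settings, but the client gets Composite Delegation and the target grants the
    # initiator in the initiator tab (the simple-delegation layout): both trigger No Permission
    return {**GOOD, "client": {**GOOD["client"], "delegation": {"interface1": COMPOSITE}},
            "target": {**GOOD["target"], "access": {"interface2": {"initiator": {"initiator"}}}}}
```

Running check_composite_delegation(GOOD) returns an empty list, while broken_copy() reports the two mistakes the article's notes warn about.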

Thank you for using the Entegrity Technical Support Knowledgebase.
If you have a current Technical Support Maintenance plan and you are still having problems,
email us at support@entegrity.com or fill out our online support incident form.

©2002-5 Entegrity Solutions Corp. All Rights Reserved