HP-UX Reference (11i v2 07/12) - 3 Library Functions A-M (vol 6)
acps_api(3) acps_api(3)
NAME
acps_api: acps_addenvattr(), acps_addobjattr(), acps_addopattr(), acps_addsubattr(), acps_addsubcred(),
acps_checkauth(), acps_end(), acps_setobj(), acps_setop(), acps_setsubid(), acps_start() - ACPS Application
Programming Interface
SYNOPSIS
#include <acps.h>
#include <acps_api.h>
cc [flag]... file... -lacps [library]...
int acps_addenvattr(acp_handle_t h, char *type, char *attr);
int acps_addobjattr(acp_handle_t h, char *type, char *attr);
int acps_addopattr(acp_handle_t h, char *type, char *attr);
int acps_addsubattr(acp_handle_t h, char *type, char *attr);
int acps_addsubcred(acp_handle_t h, char *type, char *attr);
int acps_checkauth(acp_handle_t h);
int acps_end(acp_handle_t h);
int acps_setobj(acp_handle_t h, char *type, char *object);
int acps_setop(acp_handle_t h, char *type, char *operation);
int acps_setsubid(acp_handle_t h, char *type, char *ident);
int acps_start(acp_handle_t h);
DESCRIPTION
The ACPS Application Programming Interface (API) defines a set of functions that an application writer
can use to perform an access control check. This check is typically used to determine whether a particular
user has access to a resource.
The ACPS API provides both a simplified interface for requesting an access check and a more flexible
interface that allows an application to specify additional access control attributes. For both interfaces, the basic
access control request takes the form:
Is subject X allowed to perform operation Y on object Z?
This request is formed using different functions depending on the application requirements.
Simplified Interface
In the simplified interface, this basic question is represented as follows:
int acps_simplecheckauth(char *ident, char *operation, char *object);
For a typical request, this query returns either ACPS_ALLOW or ACPS_DENY based on the policy
represented in the configured modules. This will suffice for many applications, but the query makes several
simplifying assumptions about the types of representations used for the user identity, operation, and object.
Specifically for this request, the identity is assumed to be a username (ACPS_ID_NAME), the operation a
typical HP-UX operation string (ACPS_OP_DOTHEIRARCHICAL), and the object a generic string
(ACPS_OBJ_GENERIC). For more information on these types, see acps(3).
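A caller of the simplified interface should grant access only on an explicit ACPS_ALLOW, so that any other result denies. The following is an added example, not code from the HP-UX manual: is_authorized() is a hypothetical wrapper, and off HP-UX it runs against a constructed stand-in for acps_simplecheckauth() whose return values, error code and single policy rule are assumptions.

```c
#include <stdio.h>
#include <string.h>

#ifdef __hpux
#include <acps.h>       /* real definitions; link with -lacps */
#include <acps_api.h>
#else
/* Constructed stand-in so the example runs off HP-UX. The numeric values,
 * the error code and the one-rule policy are assumptions, not HP's. */
#define ACPS_ALLOW 0
#define ACPS_DENY  1
static int acps_simplecheckauth(char *ident, char *operation, char *object)
{
    if (strcmp(ident, "broken-module") == 0)
        return -1;                      /* simulated policy-module failure */
    if (strcmp(ident, "alice") == 0 &&
        strcmp(operation, "hpux.user.add") == 0 &&
        strcmp(object, "*") == 0)
        return ACPS_ALLOW;              /* the only constructed allow rule */
    return ACPS_DENY;
}
#endif

/* Returns 1 only on an explicit ACPS_ALLOW. ACPS_DENY, any other return
 * value, and missing arguments all deny, so an error in the policy layer
 * can never be read as permission. */
int is_authorized(const char *ident, const char *operation, const char *object)
{
    int rc;

    if (ident == NULL || operation == NULL || object == NULL)
        return 0;
    rc = acps_simplecheckauth((char *)ident, (char *)operation, (char *)object);
    if (rc != ACPS_ALLOW && rc != ACPS_DENY)
        fprintf(stderr, "acps: unexpected result %d for %s, denying\n", rc, ident);
    return rc == ACPS_ALLOW;
}

int main(void)
{
    /* Constructed sample subjects and operation string. */
    printf("alice add user: %d\n", is_authorized("alice", "hpux.user.add", "*"));
    printf("bob add user:   %d\n", is_authorized("bob", "hpux.user.add", "*"));
    printf("module failure: %d\n", is_authorized("broken-module", "hpux.user.add", "*"));
    return 0;
}
```

Testing the result with "!= ACPS_DENY" instead would turn the simulated module failure into a grant, which is the mistake the wrapper exists to prevent.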
Detailed Interfaces
For the more complex requests, the query takes the forms described in SYNOPSIS:
acps_addenvattr(), acps_addobjattr(), acps_addopattr(), acps_addsubattr(),
acps_addsubcred(), acps_checkauth(), acps_end(), acps_setobj(), acps_setop(),
acps_setsubid(), acps_start().
There are a few major components to this set of interfaces.
The acps_start() and acps_end() functions are used for memory allocation and deallocation to
maintain state between the calls. The acp_handle_t that is passed to each call is a pointer to an
opaque data structure. The memory for this structure is allocated as part of the call to acps_start()
and freed in acps_end().
HP-UX 11i Version 2: December 2007 Update − 1 − Hewlett-Packard Company 91