For 4.0.x, look at section 3.1 in http://www.globus.org/toolkit/docs/4.0/security/authzframe/developer-index.html#s-authzframe-developer-archdes. Pasting relevant piece here:

"A chain of PDPs and PIPs, with relevant configuration information, can be configured at resource, service or container level. If no chain is specified at resource level, service level is used; if nothing is specified at service level, the container level configuration is used. The engine evaluates each PDP and PIP in the order specified and a deny-override mechanism is used to render a decision. If one PDP returns a deny, the decision rendered is deny."

For trunk, look at 1.1 in http://www.globus.org/toolkit/docs/development/4.2-drafts/security/authzframe/developer/authzframe-developer-archdes.html#id2467615

Rachana

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Tom Scavo
> Sent: Friday, October 26, 2007 12:15 PM
> To: gt-user
> Subject: [gt-user] authz chains at both the container and service levels
>
> In GT 4.0, what happens if both the container and service security
> descriptors have a configured authz chain? Does the authz chain
> configured at the service level override the authz chain at the
> container level? Is it possible to configure a PIP at the container
> level such that this PIP is always invoked, regardless of whether or
> not an authz chain is configured at the service level?
>
> Same question for GT 4.1+.
>
> Thanks,
> Tom

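The chain selection and deny-override evaluation described in the quoted 4.0.x documentation, as an added example that is not part of the original thread and is not Globus Toolkit code. All class, function and entry names are hypothetical, and rendering permit when no PDP denies is an assumption, since the quoted text states only the deny case.

```python
# Illustrative model of the quoted 4.0.x paragraph; not Globus Toolkit code.
# Every class, function and entry name below is hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY = "permit", "deny"

@dataclass
class Entry:
    name: str
    kind: str                                # "PIP" collects attributes, "PDP" decides
    run: Callable[[Dict], Optional[str]]

@dataclass
class Descriptor:
    chain: Optional[List[Entry]] = None      # None: no chain configured at this level

def effective_chain(resource, service, container):
    """Pick the most specific configured chain; levels are not merged."""
    for level, desc in (("resource", resource), ("service", service),
                        ("container", container)):
        if desc.chain is not None:
            return level, desc.chain
    raise LookupError("no chain at any level (case not covered by the quoted text)")

def evaluate(resource, service, container, request):
    level, chain = effective_chain(resource, service, container)
    invoked, decision = [], PERMIT           # assumption: permit unless a PDP denies
    for entry in chain:                      # evaluated in configured order
        invoked.append(entry.name)
        result = entry.run(request)
        if entry.kind == "PDP" and result == DENY:
            decision = DENY                  # deny-override: a later permit cannot undo it
    return level, decision, invoked

# Constructed sample configuration.
CONTAINER = Descriptor([
    Entry("container-attr-pip", "PIP", lambda r: r.update(attrs_collected=True)),
    Entry("container-pdp", "PDP", lambda r: PERMIT),
])
SERVICE = Descriptor([
    Entry("service-acl-pdp", "PDP", lambda r: PERMIT if r["user"] == "alice" else DENY),
    Entry("service-open-pdp", "PDP", lambda r: PERMIT),
])

if __name__ == "__main__":
    for svc in (SERVICE, Descriptor()):
        req = {"user": "bob"}
        print(evaluate(Descriptor(), svc, CONTAINER, req), req)
```

In this model the container-level PIP runs only when neither the resource nor the service level has a chain of its own, which is what the fallback wording in the quoted paragraph describes.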