com.example.myPond.goFishing might allow the user to go fishing in the pond, but not feed the fish, or stir the water. In contrast, the role com.example.myPond.* would allow the user to do anything to the pond, or anything subordinate to it (i.e. the user is also considered to have com.example.myPond.lilyPad.locateFrog).

EC_CERT_TRUSTED may define any role or grant, with no higher authority required to validate it. Such roles and grants must be explicitly defined in the certificate; by default a certificate defines nothing at all.

ec_record_t *ec_role_add(ec_cert_t *c, char *role);
ec_record_t *ec_role_grant(ec_cert_t *c, char *role);
ec_err_t ec_role_has(ec_cert_t *c, char *role);

com.example.*, it is also considered to hold com.example.myPond.goFishing).

ec_err_t ec_role_has_grant(ec_cert_t *c, char *role);

com.example.*, it may also grant com.example.myPond.goFishing).
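
The wildcard rule described above, as an added C example that is not part of the original page or of the library's own code. `role_covers()` and `roles_cover()` are hypothetical helpers, and treating `a.b.*` as not covering the bare `a.b` is an assumption; the same check applies to held roles and to grants.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not part of the ec_role_* API shown above.
 * Returns 1 if the role string `held` covers `wanted`:
 *   - the two strings are identical, or
 *   - `held` ends in ".*" and `wanted` lies strictly below that prefix.
 * Assumption: "a.b.*" does not cover the bare parent "a.b". */
int role_covers(const char *held, const char *wanted)
{
    size_t hlen, plen;

    if (held == NULL || wanted == NULL || *held == '\0' || *wanted == '\0')
        return 0;
    if (strcmp(held, wanted) == 0)
        return 1;

    hlen = strlen(held);
    if (hlen < 3 || strcmp(held + hlen - 2, ".*") != 0)
        return 0;                 /* not a wildcard role */

    /* Keep the trailing '.' in the prefix so that "com.example.myPond.*"
     * cannot match a sibling such as "com.example.myPondScum.drain". */
    plen = hlen - 1;
    if (strncmp(held, wanted, plen) != 0)
        return 0;
    return wanted[plen] != '\0';  /* something must follow the prefix */
}

/* Returns 1 if any of the `n` entries in `set` covers `wanted`. An empty
 * set covers nothing, in line with a certificate defining nothing by default. */
int roles_cover(const char *const *set, size_t n, const char *wanted)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (role_covers(set[i], wanted))
            return 1;
    return 0;
}
```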