This class is used to restrict the usage of the Kerberos delegation model, ie: forwardable and proxiable tickets.
The target name of this
Permission specifies a pair of kerberos service principals. The first is the subordinate service principal being entrusted to use the TGT. The second service principal designates the target service the subordinate service principal is to interact with on behalf of the initiating KerberosPrincipal. This latter service principal is specified to restrict the use of a proxiable ticket.
For example, to specify the "host" service use of a forwardable TGT the target permission is specified as follows:
To give the "backup" service a proxiable nfs service ticket the target permission might be specified: