This paper describes a security framework for object-based distributed
systems which is being developed in the CORBA-compliant OrbixTM
environment. This framework allows the development of secure distributed
applications on existing operating systems that do not support distributed
security. The design aims at making the authentication and access control
mechanisms transparent to the application level and supporting access
control policies specified using the concept of the management domain. This
concept has been developed as a means of specifying policies in terms of
groups of objects. The description focuses on how the Access Control List
paradigm is combined with pseudo capabilities which are used as hints to
improve the time-efficiency of the access control decision mechanism. The
protocols to support the (cascaded) delegation of access rights to agents
acting on behalf of a grantor are explained. A brief description of the
authentication mechanism is also given.