[cap-talk] Mandatory Access Control
cap-talk at zesty.ca
Wed Jan 3 18:06:51 CST 2007
On Wed, 3 Jan 2007, David Hopwood wrote:
> Call me a boring prescriptivist, but I tend to think that it is a good idea
> for technical terms of the form "non-<adjective> <noun>" to be defined as
> "a <noun> that is not <adjective>".
I think that's a fine principle.
> There is a false dichotomy here. In all realistic access control systems
> I'm aware of (ACL-based, capability-based, role-based, or whatever), it is
> both the case that
> "the owner of an object has [some] ability to control how others can
> access it,"
> "the system enforces [some] restrictions on how access policies can be
> So most systems are both "discretionary" and "non-discretionary" by the
> above definitions.
Then the wording of the definition i wrote is insufficient. It seems
to me that intermediate positions between "discretionary" and "mandatory"
are possible because there is no clear agreement on a bright-line
threshold that has to be crossed for a system to be called one or the
other. For example, properties like:
- "non-super" users can edit ACLs
- the user that owns an object can convey access to any other user
- a subject that controls an object can convey access to some broad
class of other subjects
- generally, users have more influence over access control decisions
contribute to the "discretionary-ness" of an access control system;
- system-wide rules enforce prohibitions on certain kinds of
changes to ACLs
- access control changes are dependent on external procedures like
personnel security clearances
- generally, users have less influence over access control decisions
contribute to "mandatory-ness". Is that any better?
More information about the cap-talk