[cap-talk] What *is* a powerbox?

David Chizmadia (JHU) chiz at cs.jhu.edu
Sat Jul 28 17:21:08 EDT 2007

Hello all,

James A. Donald makes the following statement in one of his emails:
> A powerbox is a user interface for designating entities
> and granting permissions to access them.  

    Aside from the fact that this assumes that designation and
access permission are separated, which implies that the underlying
system is *not* a capability system, the statement limits the
powerbox concept only to user interfaces. This runs counter to my
own definition and I would like to find out if I missed something,

    Since the term - and I believe, the concept - evolved within the
cap-talk community, I think that the cap-talk list is a good place
to come up with a normative definition for "powerbox".

    My understanding of the powerbox concept is that it is a design
pattern for allowing capabilities to be aggregated and then sensibly
released - either "as is" or with some form of authority reduction.
It finds its greatest immediate value as a design abstraction for
user interfaces, but is not - in principle - limited to user interfaces.

    As an example design that uses a non-UI powerbox, consider the
following notional design for an RBAC system ...

    Each user and role entity is represented by a powerbox, which
holds all of that entity's capabilities. When a user is authorized
to assume a specific role, an administrator uses the Admin interface
(which in this case *is* a UI powerbox) to delegate a capability to
the role powerbox (using something like Horton if accountability to
the level of individual users is needed). The role capability allows
the User - or software acting on behalf of the user - to traverse a
name space containing meta-data about each of the capabilities that
have been assigned to the role. When the user (software) has a need
for a specific capability, it is able to treat the role name space
as an extension of its own name space. The major difference is that
to use a role capability, the user must explicitly request that the
capability be transfered to its own name space. The role powerbox,
according to a defined (possibly role-specific) policy, will then
either transfer or delegate either a full or reduced authority
instance of the capability to the user software for operational use.

    I look forward to the opinions of others...


PS: If we have already thrashed through this question and I managed
    to miss it, please just point me at the thread(s) and I'll hang
    my head and slink away, embarassed :-D.   -DMC

More information about the cap-talk mailing list