[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
David Hopwood
david.hopwood at industrial-designers.co.uk
Mon Sep 17 10:48:18 EDT 2007
I missed part of Toby's mail:
Toby Murray wrote:
> It also naturally admits separation of duty:
>
> We might have an accounting package whose functions include writing and
> approving purchase orders, for example. A running instance of that
> package might be trusted to perform the former but not the latter (and
> vice versa) in order to prevent it from approving its own purchase
> orders.
In this case the package's intended function is for each instance to
be able to write or approve (but not both) a set of purchase orders.
I don't see that any generalization is needed to cover separation of
duty; it is part of what I've always considered POLA to cover.
A more common example is that each instance of an editor should only
be able to read and write files designated by the user for that
instance; not any file that the editor program has ever been asked
to edit. (There is a nontrivial, but solvable, design problem here in
how to support 'Recently used file' lists.)
--
David Hopwood <david.hopwood at industrial-designers.co.uk>
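The per-instance editor authority described in the message, including the 'recently used file' list, can be sketched as a small capability model. This is an added illustration, not code from the cap-talk thread or from any project: the `Powerbox`, `FileCap` and `EditorInstance` names, and the `confirm` callback standing in for a user dialog, are assumptions made for the example. The point it shows is that the MRU list lives in the trusted powerbox and holds only display names for the editor, so a later instance regains access to a recent file through a fresh user designation rather than through authority the editor program retained.

```python
"""Per-instance file authority with a powerbox-held 'recently used' list.

Constructed illustration, not code from the cap-talk thread: a trusted
powerbox is the only component that deals in paths. An editor instance is
handed a FileCap only for files the user designated for *that* instance,
and the MRU list is kept by the powerbox, so re-opening a recent file goes
back through user designation rather than through retained authority.
"""
import os
import tempfile
from typing import Callable, Dict, List, Optional, Tuple


class FileCap:
    """Capability to one already-opened file. It exposes read/write on
    that file only and carries no path, so no other file is reachable."""

    def __init__(self, handle):
        self._handle = handle  # an open 'r+' file object

    def read(self) -> str:
        self._handle.seek(0)
        return self._handle.read()

    def write(self, data: str) -> None:
        self._handle.seek(0)
        self._handle.truncate()
        self._handle.write(data)
        self._handle.flush()

    def close(self) -> None:
        self._handle.close()


class Powerbox:
    """Trusted user agent. 'confirm' stands in for the user's dialog; it is
    asked before any authority is re-granted from the recent-files list."""

    def __init__(self, confirm: Callable[[str], bool]):
        self._confirm = confirm
        self._recent: List[str] = []  # full paths, never shown to editors

    def designate(self, path: str) -> Tuple[str, FileCap]:
        """The user picked 'path' in the file dialog for the current instance."""
        if path in self._recent:
            self._recent.remove(path)
        self._recent.insert(0, path)
        return os.path.basename(path), FileCap(open(path, "r+", encoding="utf-8"))

    def recent_names(self) -> List[str]:
        """Display names an editor may list; they confer no authority."""
        return [os.path.basename(p) for p in self._recent]

    def reopen_recent(self, index: int) -> Optional[Tuple[str, FileCap]]:
        """Editor asks for entry N; the user confirms, then a fresh designation is made."""
        path = self._recent[index]
        if not self._confirm(os.path.basename(path)):
            return None
        return self.designate(path)


class EditorInstance:
    """One running editor. It has no path-based open; it can only use caps it was handed."""

    def __init__(self):
        self._files: Dict[str, FileCap] = {}

    def receive(self, name: str, cap: FileCap) -> None:
        self._files[name] = cap

    def has(self, name: str) -> bool:
        return name in self._files

    def read(self, name: str) -> str:
        return self._files[name].read()

    def write(self, name: str, data: str) -> None:
        self._files[name].write(data)

    def close_all(self) -> None:
        for cap in self._files.values():
            cap.close()


def demo() -> dict:
    """Two editor instances and one designated file; returns what each could do."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")  # constructed sample file
        open(path, "w", encoding="utf-8").close()
        allow = {"ok": False}
        pb = Powerbox(confirm=lambda name: allow["ok"])

        # Instance A: the user designates notes.txt for it.
        a = EditorInstance()
        a.receive(*pb.designate(path))
        a.write("notes.txt", "first draft")

        # Instance B: sees the recent-files name but holds no capability.
        b = EditorInstance()
        names = pb.recent_names()
        denied = pb.reopen_recent(0)  # user declines the dialog
        b_before = b.has("notes.txt")

        allow["ok"] = True
        granted = pb.reopen_recent(0)  # user confirms: a fresh designation
        b.receive(*granted)
        b_sees = b.read("notes.txt")

        a.close_all()
        b.close_all()
        return {
            "recent_names": names,
            "denied_is_none": denied is None,
            "b_had_access_before_confirm": b_before,
            "b_reads_after_confirm": b_sees,
        }


if __name__ == "__main__":
    print(demo())
```

The editor class deliberately has no method that takes a path: the only way a file becomes reachable from an instance is a `FileCap` handed in by the powerbox, and the recent-files entry an instance can see is a name, not authority.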