Discussions on access control usually concentrate on
one of two basic schemes: access control lists and capabilities. A
third scheme, used in military system access control, is label based:
every object carries a label as well as an identity.
Each of these can be considered as a single technique on a spectrum.
The spectrum is concerned with where the authorization
information is kept: with the accessing object, with the accessed
object, or split between both of them. Each of the schemes recognizes
that the access control rules need to be kept somewhere and that the
set of possible rules for every possible object interaction is very
large. We look at this spectrum next under the headings of access control
lists, military security classifications, and capabilities.

In the access control list scheme nearly all of the information is
kept with the accessed object. The information takes the form of a
list of all the objects that are allowed to access a particular object.
The only information that is needed from the accessing object is its
identity, which is used to look up the access control list and make
a decision. Where the set of object identities allowed to access another
object is quite small, or can be kept in an abbreviated form, then
this scheme has the advantage that the access control information
is kept with the objects that are to be protected. Lists can be kept
small by having groups of objects with the same access rights share
a single role identity, then the role identity of an accessing object
is used to check for entries in the list. A negative access control
list contains a list of identities that are not allowed to
access an object, a sort of black list. Negative lists are useful
when all the members of a group or role except a few individuals are
to be allowed access to an object. They are also used when an individual
is to be taken out of a role or group but not all the group lists
have been changed yet, or when that individual is still using the system
at the moment his rights are revoked and he has already obtained the
role privileges.

In a capability scheme the information is kept with the accessing
object. A capability is a right to use some object, just like a pre-paid
ticket on a train. Every object would have a set of capabilities for
all of the objects it might require to use. The only information required
of the accessed object is its identity so that it can be compared
with the capability that is being used in the attempt to obtain access.
Just as there are techniques for limiting the size of an access control
list there are techniques for reducing the number of capabilities
that an accessing object must keep. Because all of the access control
information is with the accessing object, this is the opposite, or
complementary, scheme to access control lists.
A problem with capabilities is making sure that an object has all
the capabilities it needs and that objects do not acquire capabilities
they are not entitled to (that is, capabilities have to be protected
against copying).

A scheme that is used with military systems is based on the use of
labels and classification. Information in the system is given a classification,
say "secret" or "classified", and users of the
system are rated to some level, "secret" or "classified".
There is a strict relationship between the classifications such that
(for example) all "classified" information is available
to a user with a rating of "secret", as well as all "secret"
information. In addition to these classifications information is placed
into categories, or compartments, such as "naval", "nuclear"
or "HQ". Users are given access to certain compartments.
To decide if a user has access to a piece of information (or even
should be told that it exists) the user's level must be greater than
or equal to the classification of the information, and the user must
have access to the compartment to which the information has been assigned.
A problem with this scheme is that it does not help to discriminate
between different users of the same level; other access control mechanisms
have to be used for that. The classification and compartment idea can be readily
translated to the commercial world, using "company confidential" and
"restricted" for classifications and "accounts" and
"personnel" for compartments.
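The three decision procedures described above, written out as an added example that is not part of the original text. The level ordering, compartment names, identities and capability tickets are constructed for illustration, using the commercial labels the text suggests.

```python
# Added illustration of where each scheme keeps its authorization data.

# Ordered classification levels, lowest first (constructed ordering).
LEVELS = ["company confidential", "restricted"]


def label_allows(user_level, user_compartments, info_level, info_compartments):
    """Label scheme: the user's level must be >= the information's
    classification AND the user must hold every compartment the
    information is assigned to. A False here also means the user should
    not be told the information exists."""
    level_ok = LEVELS.index(user_level) >= LEVELS.index(info_level)
    compartments_ok = set(info_compartments) <= set(user_compartments)
    return level_ok and compartments_ok


def visible_items(user_level, user_compartments, catalogue):
    """Return only the names of catalogued items the user may learn about.
    catalogue maps item name -> (classification, compartments)."""
    return sorted(name for name, (lvl, comps) in catalogue.items()
                  if label_allows(user_level, user_compartments, lvl, comps))


def acl_allows(subject, roles, acl, negative_acl=()):
    """ACL scheme: the list lives with the accessed object. The subject's
    own identity or one of its role identities must be listed, unless the
    subject is named on the negative (black) list, which wins even if the
    subject still holds a listed role."""
    if subject in negative_acl:
        return False
    return subject in acl or any(role in acl for role in roles)


def capability_allows(capabilities, object_id, right):
    """Capability scheme: the tickets live with the accessing object, and
    the accessed object only contributes its identity for comparison."""
    return (object_id, right) in capabilities


if __name__ == "__main__":
    # Constructed sample data: a payroll file in the "personnel" compartment.
    catalogue = {"payroll": ("restricted", {"personnel"}),
                 "ledger": ("company confidential", {"accounts"})}
    print(visible_items("restricted", {"accounts"}, catalogue))   # ['ledger']
    print(acl_allows("bob", ["clerk"], ["clerk"], negative_acl=["bob"]))  # False
    print(capability_allows({("payroll", "read")}, "payroll", "write"))   # False
```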