From a design perspective, the foundation of Directory access controls is provided by a policy model known as the access matrix model, which in turn is based on a simple table of rules relating who (which subjects) can do what (hold which rights) to what (which objects). There are basically two approaches to expressing the rows and columns of this matrix in terms of access rules: a capabilities-based scheme stores the matrix by rows, so that each subject carries the list of objects it may access and the rights it holds on them, while an access control list (ACL) based scheme stores it by columns, so that each object carries the list of subjects permitted to access it and the rights each of them holds.
The essential differences between capabilities-based schemes and ACL-based schemes can be illustrated by a simple example. Suppose a large but attendance-restricted conference is being planned and the organizers are considering ways to control who gets into which sessions. Conference registration entitles the attendee to a particular track of sessions.
In a capabilities-based scheme, each registered attendee is given a special badge indicating which sessions that attendee is entitled to enter, provided the attendee also presents proper identification. The badges carry a distinctive logo, to make counterfeiting more difficult, and each is numbered. When entering a session, the attendee shows the badge and identification to the guard at the door. The guard does not know in advance who is permitted to enter; indeed, there may be no lists of attendees cross-referenced by session at all.
In a pure ACL scheme, each guard is instead supplied with a list of the specific users authorized to enter that guard's session. Users may still be issued badges showing their names, but possession of a badge is the basis for neither authorization nor identification. Note that in this scheme there may be no corresponding list of all the sessions a particular user is able to enter.
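The two slicings of the access matrix and the two guard behaviours from the conference analogy, as an added example in Python that is not part of the original document or of any Directory implementation. The matrix, the attendee and session names, and the badge key are constructed for illustration; badge authenticity is modelled with an HMAC tag standing in for the hard-to-counterfeit logo.

```python
"""Access matrix sliced two ways: capability lists (rows) and ACLs (columns).

Added example, not code from the original document or from any Directory
implementation. Subjects (attendees), objects (sessions) and rights are
constructed sample data modelled on the conference analogy in the text.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed access matrix: rows are subjects, columns are objects, and each
# cell holds the rights that subject has on that object.
ACCESS_MATRIX: dict[str, dict[str, frozenset[str]]] = {
    "alice": {"crypto-track": frozenset({"enter"}), "keynote": frozenset({"enter"})},
    "bob": {"keynote": frozenset({"enter"}), "ops-track": frozenset({"enter", "present"})},
    "carol": {"ops-track": frozenset({"enter"})},
}

# Assumption: the organizers hold a secret key used to authenticate badges
# (the "special logo" of the text, done with a MAC instead of printing).
BADGE_KEY = b"constructed-demo-key-not-for-real-use"


def capability_lists(matrix):
    """Row slice: for each subject, the objects it may touch and its rights on them."""
    return {subj: {obj: rights for obj, rights in row.items() if rights}
            for subj, row in matrix.items()}


def access_control_lists(matrix):
    """Column slice: for each object, the subjects permitted and their rights."""
    acls: dict[str, dict[str, frozenset[str]]] = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subj] = rights
    return acls


@dataclass(frozen=True)
class Badge:
    """A capability: numbered, names its holder, lists rights, carries a MAC tag."""
    number: int
    holder: str
    rights: dict[str, frozenset[str]]
    tag: bytes


def _badge_payload(number, holder, rights):
    # Canonical encoding so that issuer and guard MAC exactly the same bytes.
    canon = {obj: sorted(r) for obj, r in sorted(rights.items())}
    return json.dumps([number, holder, canon], separators=(",", ":")).encode()


def issue_badges(matrix, key=BADGE_KEY):
    """Hand each subject a badge encoding its row of the matrix."""
    badges = {}
    for number, (subj, caps) in enumerate(capability_lists(matrix).items(), start=1):
        tag = hmac.new(key, _badge_payload(number, subj, caps), hashlib.sha256).digest()
        badges[subj] = Badge(number, subj, caps, tag)
    return badges


def capability_guard(badge, claimed_identity, session, right="enter", key=BADGE_KEY):
    """Guard with no list at all: an authentic badge plus matching ID decides."""
    expected = hmac.new(key, _badge_payload(badge.number, badge.holder, badge.rights),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, badge.tag):
        return False  # counterfeit or altered badge
    if badge.holder != claimed_identity:
        return False  # genuine badge, but presented by someone else
    return right in badge.rights.get(session, frozenset())


def acl_guard(acls, claimed_identity, session, right="enter"):
    """Guard holding the session's ACL: identity alone decides; badges are irrelevant.

    This is the DSA's position in the text: the list lives with the protected
    object and the decision is a function of (identity, list, requested right).
    """
    return right in acls.get(session, {}).get(claimed_identity, frozenset())


def sessions_open_to(acls, subject):
    """The question an ACL scheme answers badly: what may this subject enter?

    There is no per-subject list, so every object's ACL must be scanned.
    """
    return sorted(obj for obj, entries in acls.items() if "enter" in entries.get(subject, ()))
```

The capability guard holds no list but must check two things the ACL guard never looks at: that the badge is genuine and that it belongs to the person presenting it. The ACL guard needs only the list for its own session and an identity it trusts. Answering the other dimension's question (`sessions_open_to` for ACLs, or "who may enter this session" for badges) requires a scan of the whole structure, which is what the two "there may be no list" remarks in the analogy are pointing at.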
The new Directory standardized access control mechanisms support an ACL-based approach, but not capabilities. The DSA plays the role of the guard, making decisions based on a user's identity and ACL information that is closely associated with the protected object. It is worth noting that, although the standardized access control mechanisms for the new Directory use the ACL policy model, they do not directly support policies under which the DSA must remember what has happened in the past. It is important, therefore, to understand not only that Directory access control is expressed in terms of ACLs, but also that certain ACL situations cannot be enforced using only the standardized mechanisms. The next section characterizes many of the aspects of access control policy that can be enforced using the standardized access control mechanisms for the new Directory; a later section characterizes some aspects that those mechanisms do not support. Future amendments to the Directory standard may provide capability-based access control, but it is not part of the 1993 edition of the standard.
This section characterizes many of the important aspects of security policy that are directly supported by the new Directory access control mechanisms. From a policy perspective, the mechanisms can be used to enforce a wide range of security authority relationships where each authority defines and maintains ACLs for the protected objects that are under its control. When making an access control decision, the Directory considers all of the ACLs from all of the authorities that may influence that decision. The automated guard uses the ACLs to make a decision that is consistent with the relationship established among the relevant authorities.
This section first focuses on a simplified authority scenario where there is only one authority for the entire Directory Information Base (DIB). After exploring the flexibility of access control policy for a single authority, the discussion moves to more complicated authority scenarios involving multiple autonomous authorities and various forms of delegation of authority.