A Preview of Multiple Authority Scenarios



next up previous contents
Next: Use of Authentication Up: Scenarios Involving a Previous: Hybrid Orientations

A Preview of Multiple Authority Scenarios

In the above description of ``Default controls'', it was pointed out that the scope of influence for an ACL may freely overlap the scope of any other ACL. It is important to note, however, that this is true only within a part of the DIT that is controlled by a single authority. In multiple authority scenarios, the DIT is partitioned into ``administrative areas'' with one area (i.e., subtree) for each authority; the areas may overlap only when there is partial delegation of authority. When overlapping administrative areas have overlapping ACLs, it is possible for one or more of the overlapping ACLs to be in conflict because they do not express compatible policies; in such cases the standardized access control mechanisms provide a way to enforce organizational policy regarding which authority is superior and which is subordinate. The superior authority always controls which ACL prevails.

The main point here is that the scope of influence of each ACL is limited by the boundary of the administrative area for the authority that manages that ACL. The scope of ACLs defined by a single authority may freely overlap within that authority's administrative area; they may or may not be allowed to overlap into other administrative areas, depending on the organizational relationship between the authorities. A more detailed explanation of how administrative areas limit ACL scope is provided in the section below on ``Scenarios Involving Multiple Authorities.''



John Barkley
Fri Oct 7 16:17:21 EDT 1994