To perform this process, the shell must have access to identification and authentication information. If the system does not provide that information, the access control shell may include it. The access control shell may also include encryption tools. These tools can be used to ensure that a user does not reboot from another version of the operating system to circumvent the controls. Note that may of these tools require additional hardware to accomplish these functions.
Access control shells are policy enforcement tools. As a side benefit, they can perform real-time detection of viruses and Trojan horses. The administrator of such a system begins with a description of authorized system use, then converts that description into a set of critical files and the programs which may be used to modify them. The administrator must also select the files which require encryption.
For instance, a shipping clerk might be authorized to access the inventory database with a particular program. However, that same clerk may not be allowed to access the database directly with the database management software. The clerk may not be authorized to access the audit records generated by the trusted application with any program. The administrator would supply appropriate access control statements as input to the monitor and might also encrypt the database.