SPECIFYING DISCRETIONARY ACCESS-CONTROL POLICY FOR DISTRIBUTED SYSTEMS

This paper discusses a proposed framework for specifying access control policy for very large distributed processing systems. These typically consist of multiple interconnected networks and span the computer systems belonging to different organizations. This implies the need for cooperation between independent managers to specify access control policy. The policy specification should permit interaction between organizations while limiting the scope of what objects can be accessed and what operations can be performed on them. The large numbers of objects in such systems make it impractical to specify access control policy in terms of individual objects. The paper explains how domains can be used to group objects and structure the management of access control policy. Access rules are introduced as a means of specifying the access rights between a domain of user objects and a domain of target objects in terms of the permitted operations as well as constraints such as user location and time of day. The use of domains for specifying the scope for which authority can be delegated to managers or security administrators is explained and the issues related to implementing access rules using capabilities or access control lists are discussed. © 1990.