Access Control List

Categories: operating system security, system administration
In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether or not to proceed with the operation.

ACL-BASED SECURITY MODELS

A key issue in the definition of any ACL-based security model is the question of how access control lists are edited. For each object, who can modify the object's ACL, and what changes are allowed? Systems that use ACLs can be classified into two categories, discretionary and mandatory. A system is said to have Discretionary Access Control if the creator or owner of an object can fully control access to the object, including, for example, altering the object's ACL to grant access to anyone else. A system is said to have Mandatory Access Control (also known as "non-discretionary access control" in the security literature) if it enforces system-wide restrictions that override the permissions stated in the ACL.

Traditional ACL systems assign permissions to individual users, which can become cumbersome in a system with a large number of users. In a more recent approach called Role-based Access Control, permissions are assigned to roles, and roles are assigned to users.

FILE SYSTEM ACLS

On file systems, the process's user identifier (in POSIX, the effective UID) is the principal means of control. The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file. These entries are known as access control entries (ACEs) in the Microsoft Windows, OpenVMS, Linux and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

The ACL is a concept with several different implementations in various operating systems, although there is a POSIX "standard". (The POSIX security drafts, .1e and .2c, were withdrawn when it became clear their scope was too wide and the work would not complete, but the well-developed parts defining ACLs have been widely implemented and are known as "POSIX ACLs".)

NETWORKING ACLS

In networking, ACL refers to a list of rules detailing service ports or (network) daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers and routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.
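As an added illustration (not code from the page or from any operating system), the following Python models the decision procedure described above: an ordered list of ACEs is scanned for the first applicable entry (default deny when none applies), a discretionary rule decides who may edit an object's ACL (the owner or a principal granted a modify_acl right), and a mandatory system-wide restriction (a sensitivity level compared to a user's clearance) overrides whatever the ACL says. All principals, groups, objects, levels and right names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """Access control entry: principal ("user" or "group:name"), rights, allow/deny."""
    principal: str
    rights: frozenset
    allow: bool = True


@dataclass
class Obj:
    owner: str
    label: int   # sensitivity level used by the mandatory policy (constructed)
    acl: list    # ordered list of ACE


# Constructed sample data (hypothetical users, groups, clearances and objects).
GROUPS = {"alice": {"dev"}, "bob": {"dev"}, "mallory": set()}
CLEARANCE = {"alice": 2, "bob": 1, "mallory": 0}
OBJECTS = {
    "report.txt": Obj("alice", 2, [
        ACE("mallory", frozenset({"read"}), allow=False),   # explicit deny, listed first
        ACE("group:dev", frozenset({"read", "write"})),
    ]),
}


def matches(ace, user):
    """An ACE applies to a user directly or through group membership."""
    if ace.principal.startswith("group:"):
        return ace.principal[len("group:"):] in GROUPS.get(user, set())
    return ace.principal == user


def acl_decision(obj, user, op):
    """First applicable ACE decides; no applicable entry means deny (default deny)."""
    for ace in obj.acl:
        if matches(ace, user) and op in ace.rights:
            return ace.allow
    return False


def check_access(name, user, op):
    """Mandatory check first: a subject below the object's level never reads it, whatever the ACL says."""
    obj = OBJECTS[name]
    if op == "read" and CLEARANCE.get(user, 0) < obj.label:
        return False
    return acl_decision(obj, user, op)


def set_acl(name, actor, new_acl):
    """Discretionary control: only the owner, or a principal granted modify_acl, may edit the ACL."""
    obj = OBJECTS[name]
    if actor != obj.owner and not acl_decision(obj, actor, "modify_acl"):
        raise PermissionError(f"{actor} may not modify the ACL of {name}")
    obj.acl = list(new_acl)
```

Note that bob's read is refused by the mandatory check even though the group:dev entry would allow it, while his write (not covered by the mandatory rule) succeeds until the owner rewrites the ACL.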