
4.3.7 How do servers "know" what domain to put new objects into and when to create new security policy domains?

 

[ed. For more detailed and alternative answers see SecSIG mail list discussion thread titled "Granularity of Invocation Access Controls"]

Bob Blakley (June, 1999):
The intent is that there should be a policy governing which domains newly-created objects are put into, and that this policy should be administered just like any other security policy. Given this policy, servers can simply programmatically assign objects to the correct domains as they're created.

ACLs certainly DON'T need to go away when the objects they control are destroyed. There's no reason "empty" domains shouldn't stay around - people might want to put new objects into them later.

