4.3.6 [IMAGE ]Where are access control lists stored?

 

[ed. For more detailed and alternative answers see SecSIG mail list discussion thread titled ``Granularity of Invocation Access Controls'']

Bob Blakley

(June, 1999)²³:
In Policy objects, which are associated with the DomainManager instance corresponding to the domain whose policy they define.

Polar Humenn

(June, 1999) ²⁴:
If one subscribes to the D[omain]A[ccess]P[olicy]/R[equired]R[ights] access decision logic, they are stored in basically two places. A DomainAccessPolicy, which maps security attributes to rights (although that mapping is not well defined), and the RequiredRights object (which is locality constrained). I guess their persistence is up for grabs behind the implementation as far as the specifciation goes.