
4.3.5 What is the granularity of access control on object invocations?

 


[ed. For more detailed and alternative answers see SecSIG mail list discussion thread titled "Granularity of Invocation Access Controls"]

Bob Blakley
(June, 1999)22:
CORBAsecurity provides access control whose granularity is 5. GROUP of operations on a GROUP of instances of (any number of) interfaces. How? Like this:

1. Pick some number of interfaces whose instances you want to control. For each such interface, assign its operations "required rights".
2. Pick any number of instances of any number of interfaces. Put them into a domain.
3. Assign an ACL to the domain. The ACL assigns "granted rights" to "privilege attributes".
Now, for every instance in the domain, a requesting user may invoke any operation whose required rights are "dominated by" the "granted rights" which the requesting user has because of his privilege attributes.
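
The three steps and the domination check above, worked through as an added example (not part of the original answer and not CORBAsecurity API code). The interface, operation, right, instance and attribute names are constructed; modelling "dominated by" as a subset test, taking the union of rights over all of the caller's attributes, and denying unknown instances or operations are assumptions.

```python
from dataclasses import dataclass, field

# Step 1: required rights per (interface, operation). Constructed sample data.
REQUIRED_RIGHTS = {
    ("Account", "balance"): frozenset({"get"}),
    ("Account", "withdraw"): frozenset({"get", "set"}),
    ("Account", "close"): frozenset({"manage"}),
    ("AuditLog", "read"): frozenset({"get"}),
}

@dataclass
class Domain:
    # Step 2: instances of any number of interfaces, grouped into one domain.
    members: dict = field(default_factory=dict)  # instance id -> interface name
    # Step 3: the domain's ACL, privilege attribute -> granted rights.
    acl: dict = field(default_factory=dict)

    def granted_rights(self, privilege_attributes):
        """Rights the caller holds in this domain (assumed: union over attributes)."""
        rights = set()
        for attr in privilege_attributes:
            rights |= self.acl.get(attr, frozenset())
        return rights

    def may_invoke(self, privilege_attributes, instance, operation):
        """True if the operation's required rights are dominated by the granted rights."""
        interface = self.members.get(instance)
        required = REQUIRED_RIGHTS.get((interface, operation))
        if required is None:
            return False  # assumed default: instance outside the domain or unlisted operation
        return required <= self.granted_rights(privilege_attributes)

    def allowed_operations(self, privilege_attributes, instance):
        """All operations the caller may invoke on one instance, sorted by name."""
        interface = self.members.get(instance)
        return sorted(op for (iface, op) in REQUIRED_RIGHTS
                      if iface == interface
                      and self.may_invoke(privilege_attributes, instance, op))

def sample_domain():
    """Constructed domain: two Account instances and one AuditLog instance."""
    return Domain(
        members={"acct-1": "Account", "acct-2": "Account", "log-1": "AuditLog"},
        acl={"group:tellers": frozenset({"get", "set"}),
             "role:auditor": frozenset({"get"}),
             "role:branch-admin": frozenset({"manage"})},
    )
```

Because the ACL hangs off the domain, a caller's answer for `acct-1` is always the same as for `acct-2`; giving the two instances different treatment means placing them in different domains.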



