Next: 4.3.6 Where are
Up: 4.3 Administrator
Previous: 4.3.4 How is
4.3.5 What is the granularity of access control on object invocations?
[ed. For more detailed and alternative answers see SecSIG mail list discussion
thread titled "Granularity of Invocation Access Controls"]
Bob Blakley (June, 1999):
CORBAsecurity provides access control whose granularity is 5. GROUP of operations
on a GROUP of instances of (any number of) interfaces

How? Like this:

1. Pick some number of interfaces whose instances you want to control. For each
   such interface, assign its operations "required rights".
2. Pick any number of instances of any number of interfaces. Put them into a domain.
3. Assign an ACL to the domain. The ACL assigns "granted rights"
   to "privilege attributes".

Now, for every instance in the domain, a requesting user may invoke any operation
whose required rights are "dominated by" the "granted
rights" which the requesting user has because of his privilege attributes.
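
The decision rule described in the answer above, as an added example that is not part of the original FAQ, not Bob Blakley's message, and not CORBAsecurity API code. All interface, instance, attribute and right names are constructed; it assumes "dominated by" means the required rights are a subset of the granted rights, that granted rights are the union over the caller's privilege attributes, that each instance sits in one domain, and that unknown instances or operations are denied.

```python
from dataclasses import dataclass, field

# Step 1: required rights per (interface, operation). All names are constructed.
REQUIRED_RIGHTS = {
    ("Account", "get_balance"): {"g"},
    ("Account", "withdraw"): {"g", "s"},
    ("Ledger", "audit"): {"g", "m"},
}

@dataclass
class Domain:
    members: dict = field(default_factory=dict)  # step 2: instance id -> interface
    acl: dict = field(default_factory=dict)      # step 3: privilege attribute -> granted rights

    def granted_rights(self, attributes):
        """Union of the rights the ACL grants to the attributes the caller holds."""
        rights = set()
        for attr in attributes:
            rights |= self.acl.get(attr, set())
        return rights

def access_allowed(domains, instance, operation, attributes):
    """True if the caller's granted rights dominate the operation's required rights."""
    domain = next((d for d in domains if instance in d.members), None)
    if domain is None:
        return False  # assumption: an instance outside every domain is denied
    required = REQUIRED_RIGHTS.get((domain.members[instance], operation))
    if required is None:
        return False  # assumption: an operation with no required rights is denied
    return required <= domain.granted_rights(attributes)

# Constructed sample: one domain holding instances of two interfaces.
BRANCH = Domain(
    members={"acct-1": "Account", "acct-2": "Account", "ledger-1": "Ledger"},
    acl={"role:teller": {"g", "s"}, "role:auditor": {"g", "m"},
         "group:staff": {"g"}, "group:cashdesk": {"s"}},
)

if __name__ == "__main__":
    for who, inst, op in [({"role:teller"}, "acct-1", "withdraw"),
                          ({"group:staff"}, "acct-1", "withdraw"),
                          ({"group:staff", "group:cashdesk"}, "acct-2", "withdraw"),
                          ({"role:teller"}, "ledger-1", "audit")]:
        print(sorted(who), inst, op, access_allowed([BRANCH], inst, op, who))
```

The same ACL covers instances of both interfaces, and nothing in it names an individual operation or object: the finest distinction it can draw is between groups of operations that share required rights, on the group of instances placed in the domain.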