4.3.7 How do servers "know" what domain to put new objects into and when to create
new security policy domains?
[ed. For more detailed and alternative answers see SecSIG mail list discussion
thread titled "Granularity of Invocation Access Controls"]
- Bob Blakley
- (June, 1999):
The intent is that there should be a policy governing which domains newly-created
objects are put into, and that this policy should be administered just like
any other security policy. Given this policy, servers can simply programmatically
assign objects to the correct domains as they're created.
ACLs certainly DON'T need to go away when the objects they control are destroyed.
There's no reason "empty" domains shouldn't stay around -
people might want to put new objects into them later.
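
[Added example, not part of the original answer and not CORBA Security Service code: a minimal Python model of the arrangement described above, in which an administered creation policy decides the domain of each new object and a domain keeps its ACL after its last member is destroyed. All class, method and domain names are hypothetical, and the deny-by-default "quarantine" domain for objects that match no rule is an assumption of this sketch.]

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    acl: dict = field(default_factory=dict)     # principal -> set of rights
    members: set = field(default_factory=set)   # object ids currently in the domain

class DomainManager:
    """Hypothetical model; the creation rules are policy data, not server logic."""
    def __init__(self, default_domain):
        self.domains = {}
        self.creation_rules = []                # (interface, creator_role, domain)
        self.default_domain = default_domain
        self.ensure_domain(default_domain)      # assumed: empty ACL, so deny-all

    def ensure_domain(self, name):
        return self.domains.setdefault(name, Domain(name))

    def add_creation_rule(self, interface, creator_role, domain_name):
        self.ensure_domain(domain_name)
        self.creation_rules.append((interface, creator_role, domain_name))

    def place_new_object(self, obj_id, interface, creator_role):
        # First matching rule wins; "*" is a wildcard in either position.
        for iface, role, name in self.creation_rules:
            if iface in (interface, "*") and role in (creator_role, "*"):
                break
        else:
            name = self.default_domain          # no rule matched: fail closed
        self.domains[name].members.add(obj_id)
        return name

    def destroy_object(self, obj_id):
        # Only membership is removed; the domain and its ACL stay in place.
        for d in self.domains.values():
            d.members.discard(obj_id)

    def allowed(self, principal, right, obj_id):
        return any(obj_id in d.members and right in d.acl.get(principal, ())
                   for d in self.domains.values())

def demo():
    mgr = DomainManager(default_domain="quarantine")
    mgr.add_creation_rule("Account", "teller", "retail-banking")
    mgr.domains["retail-banking"].acl["alice"] = {"get", "set"}
    d1 = mgr.place_new_object("acct-1", "Account", "teller")
    d2 = mgr.place_new_object("tmp-1", "Scratch", "batch")   # matches no rule
    mgr.destroy_object("acct-1")
    dom = mgr.domains["retail-banking"]
    empty_kept = not dom.members and "alice" in dom.acl      # empty domain, ACL intact
    mgr.place_new_object("acct-2", "Account", "teller")      # reuses the old ACL
    return (d1, d2, empty_kept,
            mgr.allowed("alice", "get", "acct-2"), mgr.allowed("alice", "get", "tmp-1"))
```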