Access-control list: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
No edit summary
Tags: Reverted Visual edit Mobile edit Mobile web edit
→‎Further reading: Update links.
 
(18 intermediate revisions by 16 users not shown)
Line 1: Line 1:
{{Short description|List of permissions for a system resource}}
{{Short description|List of permissions for a system resource}}
In computer security, an '''access-control list''' ('''ACL''') is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains , this would give Alice permission to read and write the file and give Bob permission only to read it.
In [[computer security]], an '''access-control list''' ('''ACL''') is a list of permissions{{efn|E.g., [[File-system permissions]], permission to perform specific action.}} associated with a [[system resource]] (object or facility). An ACL specifies which [[User (computing)|users]] or [[Process (computing)|system processes]] are granted access to resources, as well as what operations are allowed on given resources.<ref>{{cite IETF
| rfc = 4949
| title = Internet Security Glossary, Version 2
| author = R. Shirey
| date = August 2007
| access-date = May 19, 2023
}}
</ref> Each entry in a typical ACL specifies a subject and an operation. For instance,
* If a file object has an ACL that contains {{samp|(Alice: read,write; Bob: read)}}, this would give Alice permission to read and write the file and give Bob permission only to read it.
* If the [[RACF]] profile CONSOLE CLASS(TSOAUTH) has an ACL that contains {{samp|(ALICE:READ)}}, this would give ALICE permission to use the TSO CONSOLE command.


== Implementations ==
== Implementations ==
Many kinds of operating systems implement ACLs or have a historical implementation; the first implementation of ACLs was in the filesystem of Multics in 1965.
Many kinds of operating systems implement ACLs or have a historical implementation; the first implementation of ACLs was in the [[filesystem]] of [[Multics]] in 1965.<ref>{{cite book |title=Elementary Information Security |author=Richard E. Smith |page=150}}</ref><ref>{{Cite conference |last=Daley |first=R. C. |last2=Neumann |first2=P. G. |date=1965 |title=A general-purpose file system for secondary storage |url=http://portal.acm.org/citation.cfm?doid=1463891.1463915 |book-title=AFIPS '65 (Fall, part I): Proceedings of the November 30--December 1, 1965, fall joint computer conference, part I |language=en |publisher=ACM Press |pages=213 |doi=10.1145/1463891.1463915}}</ref>


=== Filesystem ACLs ===
=== Filesystem ACLs ===
A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access-control entries (ACEs) in the Microsoft Windows NT, OpenVMS, and Unix-like operating systems such as Linux, macOS, and Solaris. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
A [[File system|filesystem]] ACL is a [[data structure]] (usually a table) containing entries that specify individual user or [[Group (computing)|group]] rights to specific system objects such as programs, [[Process (computing)|processes]], or files. These entries are known as access-control entries (ACEs) in the Microsoft [[Windows NT]],<ref>{{cite web |url= https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb457115(v=technet.10) |title=Managing Authorization and Access Control |date= 2009-09-11 |publisher= [[Microsoft Learn]] |access-date= 2024-05-15}}</ref> [[OpenVMS]], and [[Unix-like]] [[operating system]]s such as [[Linux]], [[macOS]], and [[Solaris (operating system)|Solaris]]. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or [[execution (computing)|execute]] an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.


One of the first operating systems to provide filesystem ACLs was Multics. PRIMOS featured ACLs at least as early as 1984.
One of the first operating systems to provide filesystem ACLs was [[Multics]]. [[PRIMOS]] featured ACLs at least as early as 1984.<ref>{{cite news |date = 1984-05-21 |title= P.S.I. Pacer Software, Inc. Gnet-II revision 3.0 |url = https://books.google.com/books?id=KAUpSdv4AO4C | department = Communications |work = Computerworld |volume= 18 |issue= 21 |page = 54 |issn = 0010-4841 |access-date= 2017-06-30 |quote= The new version of Gnet-II (revision 3.0) has added a line-security mechanism which is implemented under the Primos ACL subsystem.}}</ref>


In the 1990s the ACL and RBAC models were extensively tested and used to administer file permissions.
In the 1990s the ACL and [[Role-based access control|RBAC]] models were extensively tested{{by whom|date=June 2017}} and used to administer file permissions.


==== POSIX ACL ====
==== POSIX ACL ====
POSIX 1003.1e/1003.2c working group made an effort to standardize ACLs, resulting in what is now known as "POSIX.1e ACL" or simply "POSIX ACL". The POSIX.1e/POSIX.2c drafts were withdrawn in 1997 due to participants losing interest for funding the project and turning to more powerful alternatives such as NFSv4 ACL. {{As of|2019|12}}, no live sources of the draft could be found on the Internet, but it can still be found in the Internet Archive.
[[POSIX]] 1003.1e/1003.2c working group made an effort to standardize ACLs, resulting in what is now known as "POSIX.1e ACL" or simply "POSIX ACL".<ref>{{cite web |last1=Grünbacher |first1=Andreas |title=POSIX Access Control Lists on Linux |url=https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html |website=Usenix |access-date=12 December 2019}}</ref> The POSIX.1e/POSIX.2c drafts were withdrawn in 1997 due to participants losing interest for funding the project and turning to more powerful alternatives such as NFSv4 ACL.<ref>{{cite web |last1=wurtzkurdle |title=Why was POSIX.1e withdrawn? |url=https://unix.stackexchange.com/a/506641 |website=Unix StackExchange |access-date=12 December 2019}}</ref> {{As of|2019|12}}, no live sources of the draft could be found on the Internet, but it can still be found in the [[Internet Archive]].<ref>{{cite web |last1=Trümper |first1=Winfried |title=Summary about Posix.1e |url=https://wt.xpilot.org/publications/posix.1e/ |archive-url=https://web.archive.org/web/20080723061358/https://wt.xpilot.org/publications/posix.1e/ |archive-date=2008-07-23 |date=February 28, 1999}}</ref>


Most of the Unix and Unix-like operating systems (e.g. Linux since 2.5.46 or November 2002, FreeBSD, or Solaris) support POSIX.1e ACLs (not necessarily draf &nbsp;17). ACLs are usually stored in the extended attributes of a file on these systems.
Most of the Unix and Unix-like operating systems (e.g. [[Linux]] since 2.5.46 or November 2002,<ref>{{cite web |url= https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Release_Notes/as-x86/index.html
|title= Red Hat Enterprise Linux AS 3 Release Notes (x86 Edition) |quote= EA (Extended Attributes) and ACL (Access Control Lists) functionality is now available for ext3 file systems. In addition, ACL functionality is available for NFS. |year= 2003 |publisher= [[Red Hat]] |access-date= 2013-04-08 |archive-url=https://web.archive.org/web/20131202221514/https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Release_Notes/as-x86/index.html |archive-date=2013-12-02 |url-status=dead}}</ref> [[FreeBSD]], or [[Solaris (operating system)|Solaris]]) support POSIX.1e ACLs (not necessarily draft&nbsp;17). ACLs are usually stored in the extended attributes of a file on these systems.


==== NFSv4 ACL ====
==== NFSv4 ACL ====
NFSv4 ACLs are much more powerful than POSIX draft ACLs. Unlike draft POSIX ACLs, NFSv4 ACLs are defined by an actually published standard, as part of the Network File System.
[[NFSv4]] ACLs are much more powerful than POSIX draft ACLs. Unlike draft POSIX ACLs, NFSv4 ACLs are defined by an actually published standard, as part of the [[Network File System]].


NFSv4 ACLs are supported by many Unix and Unix-like operating systems. Examples include AIX, FreeBSD, Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem, support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for Ext3 filesystem and the more recent Richacls, which brings NFSv4 ACLs support for Ext4 filesystem. As with POSIX ACLs, NFSv4 ACLs are usu lly stored as extended attributes on Unix-like systems.
NFSv4 ACLs are supported by many Unix and Unix-like operating systems. Examples include [[AIX]], [[FreeBSD]],<ref>{{cite web |url= https://wiki.freebsd.org/NFSv4_ACLs |title= NFSv4 ACLs |date= 2011-09-12 |publisher= [[FreeBSD]] |access-date= 2013-04-08}}</ref> [[Mac OS X]] beginning with version 10.4 ("[[Mac OS X Tiger|Tiger]]"), or [[Solaris (operating system)|Solaris]] with [[ZFS]] filesystem,<ref>{{cite web |url= http://docs.oracle.com/cd/E19082-01/817-2271/ftyxi/index.html |title= Chapter 8 Using ACLs and Attributes to Protect ZFS Files |publisher= [[Oracle Corporation]] |date= 2009-10-01 |access-date= 2013-04-08}}</ref> support [[NFSv4]] ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for [[Ext3]] filesystem<ref>{{cite web |url= http://users.suse.com/~agruen/nfs4acl/ |title= Native NFSv4 ACLs on Linux |first= Andreas |last= Grünbacher |date= May 2008 |publisher= [[SUSE S.A.|SUSE]] |archive-url= https://web.archive.org/web/20130620012339/http://users.suse.com/~agruen/nfs4acl/ |archive-date= 2013-06-20 |url-status= dead |access-date= 2013-04-08}}</ref> and the more recent [[Richacls]], which brings NFSv4 ACLs support for [[Ext4]] filesystem.<ref>{{cite web |url=http://www.bestbits.at/richacl/| title=Richacls – Native NFSv4 ACLs on Linux |first=Andreas |last=Grünbacher |date=July–September 2010 |publisher=bestbits.at |access-date=2013-04-08 |archive-url=https://web.archive.org/web/20130320080142/http://www.bestbits.at/richacl/ |archive-date=2013-03-20 |url-status=dead}}</ref> As with POSIX ACLs, NFSv4 ACLs are usually stored as extended attributes on Unix-like systems.


NFSv4 ACLs are organized nearly identically to the Windows&nbsp;NT ACLs used in NTFS. NFSv4.1 ACLs are a superset of both NT ACLs and POSIX draft ACLs. Samba supports saving the NT ACLs of SMB-shared files in many ways, one of which is as NFSv4-encoded ACLs.
NFSv4 ACLs are organized nearly identically to the Windows&nbsp;NT ACLs used in [[NTFS]].<ref>{{cite web |url=https://wiki.linux-nfs.org/wiki/index.php/ACLs#NFSv4_and_Windows_ACLs |title=ACLs |website=Linux NFS}}</ref> NFSv4.1 ACLs are a superset of both NT ACLs and POSIX draft ACLs.<ref>{{cite web |title=Mapping Between NFSv4 and Posix Draft ACLs |url=https://tools.ietf.org/id/draft-ietf-nfsv4-acl-mapping-05.txt}}</ref> [[Samba (software)|Samba]] supports saving the NT ACLs of SMB-shared files in many ways, one of which is as NFSv4-encoded ACLs.<ref>{{cite web |title=vfs_nfs4acl_xattr(8) |url=https://www.samba.org/samba/docs/current/man-html/vfs_nfs4acl_xattr.8.html |website=Samba Manual}}</ref>


=== Active Directory ACLs ===
=== Active Directory ACLs ===


Microsoft's Active Directory service implements an DHKO1X8W7Z server that store and disseminate configuration information about users and computers in a domain. Active Directory extends the LDAP specification by adding the same type of access-control list mechanism as Windows&nbsp;NT uses for the NTFS filesystem. Windows&nbsp;2000 then extended the syntax for access-control entries such that they could not only grant or deny access to entire LDAP objects, but also to individual attributes within these objects.
[[Microsoft]]'s [[Active Directory]] service implements an [[LDAP]] server that store and disseminate configuration information about users and computers in a domain.<ref>{{cite web |title=[MS-ADTS]: Active Directory Technical Specification |url=https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d2435927-0999-4c62-8c6d-13ba31a52e1a}}</ref> Active Directory extends the LDAP specification by adding the same type of access-control list mechanism as Windows&nbsp;NT uses for the NTFS filesystem. Windows&nbsp;2000 then extended the syntax for access-control entries such that they could not only grant or deny access to entire LDAP objects, but also to individual attributes within these objects.<ref>{{cite journal |last=Swift |first=Michael M. |title=Improving the granularity of access control for [[Windows 2000]] |journal=ACM Transactions on Information and System Security |volume=5 |issue=4| pages=398–437 |date=November 2002 |doi=10.1145/581271.581273 |s2cid=10702162}}</ref>


=== Networking ACLs ===
=== Networking ACLs ===
On some types of proprietary computer hardware (in particular, routers and switches), an access-control list provides rules that are applied to port numbers or IP addresses that are available on a host or other layer&nbsp;3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network domain names, this is a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access-control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise security of the system which the access-control list is protecting. Both individual servers and routers can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs could be subject to security regulations and standards such as PCI DSS.
On some types of proprietary computer hardware (in particular, [[router (computing)|routers]] and [[Network switch|switches]]), an access-control list provides rules that are applied to [[Port (computer networking)|port numbers]] or [[IP address]]es that are available on a [[server (computing)|host]] or other [[Network Layer|layer&nbsp;3]], each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network [[domain name]]s, this is a questionable idea because individual [[Transmission Control Protocol|TCP]], [[User Datagram Protocol|UDP]], and [[Internet Control Message Protocol|ICMP]] headers do not contain domain names. Consequently, the device enforcing the access-control list must separately [[Name resolution (computer systems)|resolve names]] to numeric addresses. This presents an additional [[attack surface]] for an attacker who is seeking to compromise security of the system which the access-control list is protecting. Both individual [[server (computing)|servers]] and [[router (computing)|routers]] can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to [[firewall (networking)|firewalls]]. Like firewalls, ACLs could be subject to security regulations and standards such as [[PCI&nbsp;DSS]].


=== SQL implementations ===
=== SQL implementations ===
ACL algorithms have been ported to SQL and to relational database systems. Many "modern" (2000s and 2010s) SQL-based systems, like enterprise resource planning and content management systems, have used ACL models in their administration modules.
ACL algorithms have been ported to [[SQL]] and to [[Relational database management system|relational database systems]]. Many "modern" (2000s and 2010s) [[SQL]]-based systems, like [[enterprise resource planning]] and [[Content management system|content management]] systems, have used ACL models in their administration modules.


== Comparing with RBAC ==
== Comparing with RBAC ==
The main alternative to the ACL model is the role-based access-control (RBAC) model. A "minimal RBAC model", ''RBACm'', can be compared with an ACL mechanism, ''ACLg'', where only groups are permitted as entries in the ACL. Barkley (1997) showed that ''RBACm'' and ''ACLg'' are equivalent.
The main alternative to the ACL model is the [[role-based access control|role-based access-control]] (RBAC) model. A "minimal RBAC model", ''RBACm'', can be compared with an ACL mechanism, ''ACLg'', where only groups are permitted as entries in the ACL. Barkley (1997)<ref>J. Barkley (1997) "[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.107.6366 Comparing simple role based access control models and access control lists]", In "Proceedings of the second ACM workshop on Role-based access control", pages 127-132.</ref> showed that ''RBACm'' and ''ACLg'' are equivalent.


In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC express and are notably powerful (compared to "old ACLs") in their ability to express access-control policy in terms of the way in which administrators view organizations.
In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC express and are notably powerful (compared to "old ACLs") in their ability to express access-control policy in terms of the way in which administrators view organizations.


For data interchange, and for "high-level comparisons", ACL data can be translated to XACML.
For data interchange, and for "high-level comparisons", ACL data can be translated to [[XACML]].<ref>G. Karjoth, A. Schade and E. Van Herreweghen (2008) "[http://www.acsac.org/openconf2008/modules/request.php?module=oc_program&action=view.php&id=73 Implementing ACL-based Policies in XACML]", In "2008 Annual Computer Security Applications Conference".</ref>


== See also ==
== See also ==
* [[Access token manager]]
* Cacls
* [[Cacls]]
* Capability-based security
* [[Capability-based security]]
* C-list
* [[C-list (computer security)|C-list]]
* Confused deputy problem
* [[Confused deputy problem]]
* DACL
* [[DACL]]
* Extended file attributes
* [[Extended file attributes]]
* File-system permissions
* [[File-system permissions]]
* Privilege (computing)
* [[Privilege (computing)]]
* Role-based access control (RBAC)
* [[Role-based access control]] (RBAC)

== Notes ==
{{Notelist}}


== References ==
== References ==
Line 117: Line 131:
}}
}}
* {{cite web
* {{cite web
| url = http://msdn.microsoft.com/en-us/library/aa374872(VS.85).aspx
| url = https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
| title=Access Control Lists
| title=Access Control Lists
| date=2012-10-26
| date=2023-02-07
| publisher=[[MSDN Library]]
| publisher=[[Microsoft Learn]]
| access-date=2013-04-08
| access-date=2024-05-15
}}
}}
* {{cite web
* {{cite web
| url = https://technet.microsoft.com/en-us/library/cc783530(WS.10).aspx
| url = https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783530(v=ws.10)
| title=How Permissions Work
| title=How Permissions Work
| date=2003-03-28
| date=2013-07-03
| publisher=[[Microsoft Technet]]
| publisher=[[Microsoft Learn]]
| access-date=2013-04-08
| access-date=2024-05-15
}}
}}
{{refend}}
{{refend}}

Latest revision as of 08:56, 15 May 2024

In computer security, an access-control list (ACL) is a list of permissions[a] associated with a system resource (object or facility). An ACL specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resources.[1] Each entry in a typical ACL specifies a subject and an operation. For instance,

  • If a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and give Bob permission only to read it.
  • If the RACF profile CONSOLE CLASS(TSOAUTH) has an ACL that contains (ALICE:READ), this would give ALICE permission to use the TSO CONSOLE command.

Implementations[edit]

Many kinds of operating systems implement ACLs or have a historical implementation; the first implementation of ACLs was in the filesystem of Multics in 1965.[2][3]

Filesystem ACLs[edit]

A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access-control entries (ACEs) in the Microsoft Windows NT,[4] OpenVMS, and Unix-like operating systems such as Linux, macOS, and Solaris. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

One of the first operating systems to provide filesystem ACLs was Multics. PRIMOS featured ACLs at least as early as 1984.[5]

In the 1990s the ACL and RBAC models were extensively tested[by whom?] and used to administer file permissions.

POSIX ACL[edit]

POSIX 1003.1e/1003.2c working group made an effort to standardize ACLs, resulting in what is now known as "POSIX.1e ACL" or simply "POSIX ACL".[6] The POSIX.1e/POSIX.2c drafts were withdrawn in 1997 due to participants losing interest for funding the project and turning to more powerful alternatives such as NFSv4 ACL.[7] As of December 2019, no live sources of the draft could be found on the Internet, but it can still be found in the Internet Archive.[8]

Most of the Unix and Unix-like operating systems (e.g. Linux since 2.5.46 or November 2002,[9] FreeBSD, or Solaris) support POSIX.1e ACLs (not necessarily draft 17). ACLs are usually stored in the extended attributes of a file on these systems.

NFSv4 ACL[edit]

NFSv4 ACLs are much more powerful than POSIX draft ACLs. Unlike draft POSIX ACLs, NFSv4 ACLs are defined by an actually published standard, as part of the Network File System.

NFSv4 ACLs are supported by many Unix and Unix-like operating systems. Examples include AIX, FreeBSD,[10] Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem,[11] support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for Ext3 filesystem[12] and the more recent Richacls, which brings NFSv4 ACLs support for Ext4 filesystem.[13] As with POSIX ACLs, NFSv4 ACLs are usually stored as extended attributes on Unix-like systems.

NFSv4 ACLs are organized nearly identically to the Windows NT ACLs used in NTFS.[14] NFSv4.1 ACLs are a superset of both NT ACLs and POSIX draft ACLs.[15] Samba supports saving the NT ACLs of SMB-shared files in many ways, one of which is as NFSv4-encoded ACLs.[16]

Active Directory ACLs[edit]

Microsoft's Active Directory service implements an LDAP server that store and disseminate configuration information about users and computers in a domain.[17] Active Directory extends the LDAP specification by adding the same type of access-control list mechanism as Windows NT uses for the NTFS filesystem. Windows 2000 then extended the syntax for access-control entries such that they could not only grant or deny access to entire LDAP objects, but also to individual attributes within these objects.[18]

Networking ACLs[edit]

On some types of proprietary computer hardware (in particular, routers and switches), an access-control list provides rules that are applied to port numbers or IP addresses that are available on a host or other layer 3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network domain names, this is a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access-control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise security of the system which the access-control list is protecting. Both individual servers and routers can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs could be subject to security regulations and standards such as PCI DSS.

SQL implementations[edit]

ACL algorithms have been ported to SQL and to relational database systems. Many "modern" (2000s and 2010s) SQL-based systems, like enterprise resource planning and content management systems, have used ACL models in their administration modules.

Comparing with RBAC[edit]

The main alternative to the ACL model is the role-based access-control (RBAC) model. A "minimal RBAC model", RBACm, can be compared with an ACL mechanism, ACLg, where only groups are permitted as entries in the ACL. Barkley (1997)[19] showed that RBACm and ACLg are equivalent.

In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC express and are notably powerful (compared to "old ACLs") in their ability to express access-control policy in terms of the way in which administrators view organizations.

For data interchange, and for "high-level comparisons", ACL data can be translated to XACML.[20]

See also[edit]

Notes[edit]

  1. ^ E.g., File-system permissions, permission to perform specific action.

References[edit]

  1. ^ R. Shirey (August 2007). Internet Security Glossary, Version 2. doi:10.17487/RFC4949. RFC 4949. Retrieved May 19, 2023.
  2. ^ Richard E. Smith. Elementary Information Security. p. 150.
  3. ^ Daley, R. C.; Neumann, P. G. (1965). "A general-purpose file system for secondary storage". AFIPS '65 (Fall, part I): Proceedings of the November 30--December 1, 1965, fall joint computer conference, part I. ACM Press. p. 213. doi:10.1145/1463891.1463915.
  4. ^ "Managing Authorization and Access Control". Microsoft Learn. 2009-09-11. Retrieved 2024-05-15.
  5. ^ "P.S.I. Pacer Software, Inc. Gnet-II revision 3.0". Communications. Computerworld. Vol. 18, no. 21. 1984-05-21. p. 54. ISSN 0010-4841. Retrieved 2017-06-30. The new version of Gnet-II (revision 3.0) has added a line-security mechanism which is implemented under the Primos ACL subsystem.
  6. ^ Grünbacher, Andreas. "POSIX Access Control Lists on Linux". Usenix. Retrieved 12 December 2019.
  7. ^ wurtzkurdle. "Why was POSIX.1e withdrawn?". Unix StackExchange. Retrieved 12 December 2019.
  8. ^ Trümper, Winfried (February 28, 1999). "Summary about Posix.1e". Archived from the original on 2008-07-23.
  9. ^ "Red Hat Enterprise Linux AS 3 Release Notes (x86 Edition)". Red Hat. 2003. Archived from the original on 2013-12-02. Retrieved 2013-04-08. EA (Extended Attributes) and ACL (Access Control Lists) functionality is now available for ext3 file systems. In addition, ACL functionality is available for NFS.
  10. ^ "NFSv4 ACLs". FreeBSD. 2011-09-12. Retrieved 2013-04-08.
  11. ^ "Chapter 8 Using ACLs and Attributes to Protect ZFS Files". Oracle Corporation. 2009-10-01. Retrieved 2013-04-08.
  12. ^ Grünbacher, Andreas (May 2008). "Native NFSv4 ACLs on Linux". SUSE. Archived from the original on 2013-06-20. Retrieved 2013-04-08.
  13. ^ Grünbacher, Andreas (July–September 2010). "Richacls – Native NFSv4 ACLs on Linux". bestbits.at. Archived from the original on 2013-03-20. Retrieved 2013-04-08.
  14. ^ "ACLs". Linux NFS.
  15. ^ "Mapping Between NFSv4 and Posix Draft ACLs".
  16. ^ "vfs_nfs4acl_xattr(8)". Samba Manual.
  17. ^ "[MS-ADTS]: Active Directory Technical Specification".
  18. ^ Swift, Michael M. (November 2002). "Improving the granularity of access control for Windows 2000". ACM Transactions on Information and System Security. 5 (4): 398–437. doi:10.1145/581271.581273. S2CID 10702162.
  19. ^ J. Barkley (1997) "Comparing simple role based access control models and access control lists", In "Proceedings of the second ACM workshop on Role-based access control", pages 127-132.
  20. ^ G. Karjoth, A. Schade and E. Van Herreweghen (2008) "Implementing ACL-based Policies in XACML", In "2008 Annual Computer Security Applications Conference".

Further reading[edit]

Retrieved from "https://en.wikipedia.org/w/index.php?title=Access-control_list&oldid=1223942308"