I-0002: Delayed Revocation Of DAC Access
NUMBER: I-0002
STATUS: Approved by CCEVS Management and Mailed to Public Mailing List
TITLE: Delayed Revocation Of DAC Access
APPROVAL POSTING: [announce 0326]
EFFECTIVE: 1993-10-20
REQUIREMENT: Discretionary Access Control
CRITERIA CLASSES: C1, C2, B1, B2, B3, A1
DOCUMENT(S): Security Features Users Guide
RELATED TO:
I-0001 Delayed Enforcement Of Authorization Change
I-0003 Access Validation After Object Label Change
I-0004 Enforcement Of Audit Settings Consistent With Protection Goals
I-0239 Subject Access Revocation After Change In User Clearance
STATEMENT:
The following interprets the requirement that ``The TCB shall define and control access between named users and named objects (e.g., files and programs) in the ADP system.''

A TCB is not required to provide any mechanism for the immediate revocation of DAC access to an object where access has already been established (e.g., opened) when access to that object is reduced. It is sufficient for the SFUG and other documentation to describe the product's revocation policy. However, a change in DAC permissions shall have an immediate effect on attempts to establish new access to that object.

PROJECTED IMPACT:
Negligible impact anticipated.

SUPPORT:
DAC policies may vary and can include immediate revocation (e.g., Multics immediately revokes access to segments) or delayed revocation (e.g., most UNIX systems do not revoke access to already opened files). DAC permission is considered to have been revoked when all subsequent access control decisions by the TCB use the new access control information. It is not required that every operation on an object make an explicit access control decision as long as a previous access control decision was made to permit that operation.

The TCSEC does not specify a restrictive definition of legal DAC policies and, therefore, wide variances are permissible. It is sufficient that the vendor clearly document how revocation is enforced, and consumers must choose the product that best fits their needs.
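
The delayed-revocation behaviour that SUPPORT attributes to most UNIX systems can be observed directly. The following Python sketch is an added example, not part of the interpretation; it assumes a POSIX system, and the temporary file, its contents and the function name are constructed for illustration.

```python
import os
import stat
import tempfile

SAMPLE = b"constructed sample data\n"  # constructed content, not from the page


def demonstrate_delayed_revocation():
    """Compare established access with new access after DAC access is reduced."""
    tmp_fd, path = tempfile.mkstemp()  # object owned by the calling user
    os.write(tmp_fd, SAMPLE)
    os.close(tmp_fd)

    result = {}
    # The access control decision is made here, at open() time.
    established = os.open(path, os.O_RDONLY)
    try:
        # The owner reduces access to the object to nothing.
        os.chmod(path, 0o000)
        result["mode_after_change"] = stat.S_IMODE(os.fstat(established).st_mode)

        # Established access: read() relies on the earlier decision and
        # makes no new DAC check, so the data is still returned.
        result["established_read"] = os.read(established, len(SAMPLE))

        # New access: open() consults the new permission bits immediately.
        try:
            os.close(os.open(path, os.O_RDONLY))
            result["new_open_denied"] = False
        except PermissionError:
            result["new_open_denied"] = True

        # A privileged process (euid 0) can bypass the mode bits, so the
        # denial above is only expected for an unprivileged caller.
        result["privileged"] = os.geteuid() == 0
    finally:
        os.close(established)
        os.unlink(path)
    return result


if __name__ == "__main__":
    for key, value in demonstrate_delayed_revocation().items():
        print(f"{key}: {value!r}")
```

Run as an unprivileged user, the already opened descriptor still returns the data while the fresh open is refused, which is the split between established and new access that the STATEMENT permits and that a product's SFUG is expected to describe.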