I-0020: DAC Authority For Assignment
NUMBER: I-0020
STATUS: Approved by CCEVS Management and Mailed to Public Mailing List
TITLE: DAC Authority For Assignment
APPROVAL POSTING: [announce 0331]
EFFECTIVE: 1993-10-20
REQUIREMENT: Discretionary Access Control
CRITERIA CLASSES: C1, C2, B1, B2, B3, A1
DOCUMENT(S): <None>
RELATED TO:
I-0220 Object Creator Need Not Have Capability To Specify DAC (C1-CI-03-85)
STATEMENT: Starting at C1 the following interprets the requirement that ``The enforcement mechanism ... shall allow users to specify and control sharing ...'' At C2 it also interprets the requirement that ``Access permission ... shall only be assigned by authorized users.''

A TCB need not provide all users with the capability to control the sharing of objects. A DAC policy where only system administrators assign access to objects can satisfy the DAC requirement. The SFUG shall clearly identify the roles or user types (e.g., system administrator) who can control sharing.

PROJECTED IMPACT: Negligible impact anticipated.

SUPPORT: This restates formal interpretation C1-CI-03-85 (I-0220) and extends it to C1.

Products vary regarding their definition of ``authorized users'' and ``assign''. UNIX systems usually make the creator of an object the ``owner'', the only untrusted user who can alter the access control data. Multics included the ability to specify in the access control data who can modify such data. A few products, mostly those with access profiles attached to the user rather than access lists attached to the object, allow only users in the system administrator role to alter the access control data. All of these variations are legal DAC policies. The administrator-controlled policy has to ensure that, if untrusted subjects are allowed to create objects, no untrusted subject has access to newly created objects until the necessary administrative action is performed.
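The two policy variants contrasted in the SUPPORT text, the owner-controlled (UNIX-style) one and the administrator-controlled one with its empty-ACL-at-creation constraint, as an added reference model that is not part of the interpretation or of any product it names; the class and function names (DacPolicy, unix_policy, admin_policy, is_denied) and the role name "system_administrator" are assumptions for illustration.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

@dataclass
class Obj:
    creator: str                        # the subject that created the object
    acl: dict = field(default_factory=dict)   # subject -> set of access modes

class DacPolicy:
    def __init__(self, roles, may_alter, initial_acl):
        self.roles = roles              # subject -> set of roles (assumed data)
        self.may_alter = may_alter      # (actor, obj, roles) -> bool
        self.initial_acl = initial_acl  # creator -> ACL a new object starts with
        self.objects = {}

    def create(self, subject, name):
        self.objects[name] = Obj(subject, self.initial_acl(subject))

    def grant(self, actor, name, subject, mode):
        obj = self.objects[name]
        if not self.may_alter(actor, obj, self.roles):
            raise AccessDenied(f"{actor} may not alter access to {name}")
        obj.acl.setdefault(subject, set()).add(mode)

    def check(self, subject, name, mode):
        return mode in self.objects[name].acl.get(subject, set())

def unix_policy(roles):
    # Owner-controlled: the creator becomes the owner, is the only untrusted
    # subject that may alter the access control data, and starts with access.
    return DacPolicy(roles, lambda actor, obj, r: actor == obj.creator,
                     lambda creator: {creator: {"read", "write"}})

def admin_policy(roles):
    # Administrator-controlled: only the (assumed) administrator role assigns
    # access, and a new object starts with an empty ACL so no untrusted subject,
    # the creator included, can reach it until the administrative action occurs.
    return DacPolicy(roles,
                     lambda actor, obj, r: "system_administrator" in r.get(actor, set()),
                     lambda creator: {})

def is_denied(operation, *args):
    """True when the operation raises AccessDenied; used by the checks below."""
    try:
        operation(*args)
    except AccessDenied:
        return True
    return False
```

Under admin_policy the creator's own read of a freshly created object is refused until an administrator grants it, which is exactly the condition the last sentence of the SUPPORT text requires.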