[Public Interpretations Database]

I-0220: Object Creator Need Not Have Capability To Specify DAC (C1-CI-03-85)


NUMBER:               I-0220
STATUS:               Formally Superseded

TITLE:                Object Creator Need Not Have Capability To Specify DAC
                      (C1-CI-03-85)
SUPERSEDED BY:        
     I-0020           DAC Authority For Assignment

EFFECTIVE:            1985-01-15
SUPERSEDED:           1993-10-20

REQUIREMENT:          Discretionary Access Control
CRITERIA CLASSES:     C2, B1, B2, B3, A1
DOCUMENT(S):          <None>
RELATED TO:
     I-0020           DAC Authority For Assignment

STATEMENT:

The following interprets the requirement that "...The enforcement mechanism (e.g., self/group/public controls, access control lists) shall allow users to specify and control sharing of those objects by named individuals, or defined groups of individuals, or by both. ... Access permission to an object by users not already possessing access permission shall only be assigned by authorized users."

The discretionary access control requirement at the C2 level does not state whose discretion should be used. Therefore, it is not necessary for creators of objects to have the ability to specify and control sharing of those objects (i.e., it is not required that the creator of an object be included as an authorized user for that object due solely to the fact that he is the creator of the object).

Note: This interpretation is a reformatting of an interpretation adopted and announced before the formation of the IWG ("old-style interpretation"). The CRITERION and ACCEPTED INTERPRETATION portions of the "old-style interpretation" are included in this STATEMENT. The remainder of the "old-style interpretation" is included in the SUPPORT of this interpretation. Because a different style was used for "old-style interpretations", the SUPPORT section of this interpretation MUST be read in order to get a full sense of what this interpretation requires.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

This is a reformatting of C1-CI-03-85 into the format of IWG queue entries.

Specific Application:

CA-Sentinel, a DOS/VSE security add-on package, uses authorization lists to implement discretionary access control. Each subject has, attached to it, a list of objects which it may access. A question was raised when it was discovered that only privileged users are authorized to specify and control sharing of objects. These privileged users are the system administrator (SA) and other individuals whom he designates as data security officers (DSO). Objects, when created, are publicly accessible. They are not protected until the SA or a DSO defines them to CA-Sentinel. Once the object is defined, a user may only access that object if the object's name has been inserted into his authorization profile by the SA or a DSO.

Possible Interpretations:

The following are possible interpretations of the above section of the Criteria:

  1. Implicit in the requirement is the ability for every user to specify and control sharing of objects he creates. He must be included as an "authorized user" for those objects.

  2. It is not necessary for the creator of an object to be able to control access to that object in order to satisfy the requirement.

Issues:

  1. The Criteria does not state who should have the discretion in discretionary access control. In some environments, it is desirable to limit the control of ACLs to a few individuals.

  2. Should not each user be able to control the access to objects he creates?

  3. Does this mechanism really meet the intent of the Criteria?

Rationale:

The discretionary access control requirement does not specify who must have the ability to grant access to an object; it only requires that the discretionary security policy of the system shall be enforced. The Center should not mandate one particular implementation of discretionary security (that is, the one in which the creator of an object has the authority to grant access to that object). Therefore, it should not be necessary that creators of objects have the ability to specify and control sharing of those objects.

Also, there are many situations where an installation may not want every user to be able to modify the access control permissions for the objects that he may create. The academic world is a good example of this. It may be desired that students not have the ability to share work among themselves. Government and business may have the same requirement in some instances. It may be necessary for a person to create objects during the course of performing his job but he may not have the authority to release that information to others. Also, when a user creates data on an ADP system, that data becomes the property of the government agency or company for which that individual works. It is not unreasonable, therefore, to only permit a small number of authorized users to control the sharing of that data.

However, in other instances it may be desirable for the installation to let users do their own access control maintenance. Therefore, an installation-settable option may be the best way of implementing this facet of discretionary access control.
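The following is an added illustration, not code from CA-Sentinel, the Center or the IWG, of the arrangement described under Specific Application and of the installation-settable option suggested above. It models subjects carrying authorization profiles (lists of object names), a system administrator who designates data security officers, objects that are publicly accessible until a privileged user defines them, and a single option deciding whether an object's creator may also control sharing of it. The names `Installation`, `SA`, `DSO`, `USER`, `creator_controls_sharing` and the sample subjects and object are assumptions made for the example; the `unprotected_objects` helper is added so an evaluator can see which created objects have not yet been defined.

```python
from dataclasses import dataclass, field

# Roles used by this toy model (assumed names, not CA-Sentinel's own).
SA = "SA"      # system administrator: privileged, may designate DSOs
DSO = "DSO"    # data security officer: privileged, designated by the SA
USER = "USER"  # ordinary user: holds a profile but cannot edit profiles


class AccessDenied(Exception):
    """Raised when a subject attempts an administrative act it may not perform."""


@dataclass
class Installation:
    # Installation-settable option: may an object's creator grant access to it?
    # False reproduces the CA-Sentinel behaviour discussed in the interpretation.
    creator_controls_sharing: bool = False
    roles: dict = field(default_factory=dict)     # subject -> role
    profiles: dict = field(default_factory=dict)  # subject -> set of object names
    creators: dict = field(default_factory=dict)  # object -> creating subject
    existing: set = field(default_factory=set)    # every object created on the system
    defined: set = field(default_factory=set)     # objects defined to the security package

    def add_subject(self, name, role=USER):
        self.roles[name] = role
        self.profiles[name] = set()

    def designate_dso(self, actor, subject):
        # Only the SA may designate data security officers.
        if self.roles.get(actor) != SA:
            raise AccessDenied(f"{actor} may not designate a DSO")
        self.roles[subject] = DSO

    def create_object(self, actor, obj):
        # Creating an object records who created it but grants the creator
        # nothing: no profile entry is added merely because he is the creator.
        self.existing.add(obj)
        self.creators[obj] = actor

    def _may_administer(self, actor, obj):
        # Privileged users always may; the creator only if the option is set.
        if self.roles.get(actor) in (SA, DSO):
            return True
        return self.creator_controls_sharing and self.creators.get(obj) == actor

    def define_object(self, actor, obj):
        # Defining an object to the package is what starts protecting it.
        if obj not in self.existing:
            raise KeyError(obj)
        if not self._may_administer(actor, obj):
            raise AccessDenied(f"{actor} may not define {obj}")
        self.defined.add(obj)

    def grant(self, actor, subject, obj):
        # Inserting an object name into a subject's authorization profile.
        if not self._may_administer(actor, obj):
            raise AccessDenied(f"{actor} may not grant access to {obj}")
        self.profiles[subject].add(obj)

    def revoke(self, actor, subject, obj):
        if not self._may_administer(actor, obj):
            raise AccessDenied(f"{actor} may not revoke access to {obj}")
        self.profiles[subject].discard(obj)

    def can_access(self, subject, obj):
        if obj not in self.existing:
            return False
        if obj not in self.defined:
            return True  # not yet defined: publicly accessible
        return obj in self.profiles.get(subject, set())

    def unprotected_objects(self):
        # Audit helper: objects that exist but have not been defined yet.
        return sorted(self.existing - self.defined)


def demo(creator_controls_sharing=False):
    """Walk through the scenario in the interpretation and return what happened."""
    inst = Installation(creator_controls_sharing=creator_controls_sharing)
    inst.add_subject("admin", SA)
    for name in ("alice", "bob", "carol"):
        inst.add_subject(name)
    inst.designate_dso("admin", "carol")

    inst.create_object("alice", "PAYROLL.DATA")  # constructed sample object
    public_before = inst.can_access("bob", "PAYROLL.DATA")
    unprotected_before = inst.unprotected_objects()

    inst.define_object("carol", "PAYROLL.DATA")  # the DSO defines it
    creator_access = inst.can_access("alice", "PAYROLL.DATA")

    try:
        inst.grant("alice", "bob", "PAYROLL.DATA")  # creator tries to share
        creator_may_grant = True
    except AccessDenied:
        creator_may_grant = False

    inst.grant("carol", "alice", "PAYROLL.DATA")  # the DSO authorizes the creator
    return {
        "public_before_definition": public_before,
        "unprotected_before": unprotected_before,
        "creator_access_after_definition": creator_access,
        "creator_may_grant": creator_may_grant,
        "bob_after": inst.can_access("bob", "PAYROLL.DATA"),
        "alice_after_grant": inst.can_access("alice", "PAYROLL.DATA"),
    }


if __name__ == "__main__":
    print(demo(creator_controls_sharing=False))
    print(demo(creator_controls_sharing=True))
```

With the option off, the creator neither gains access to the object nor may grant it, matching the interpretation's reading of the requirement; with the option on, the same installation lets users maintain sharing of their own objects. In both settings the window between creation and definition is visible through `unprotected_objects`, which is the check an evaluator would want when assessing a package that protects objects only once they are defined.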