[Public Interpretations Database]

I-0232: In Most Cases, There Must Be Discretion In DAC


NUMBER:               I-0232
STATUS:               Ready to Prepare for Management/CCIMB

TITLE:                In Most Cases, There Must Be Discretion In DAC

FIRST POST:            [criteria 2386]
MOST RECENT REPOST:    [criteria 2469]

REQUIREMENT:          Discretionary Access Control
CRITERIA CLASSES:     C1, C2, B1, B2, B3, A1
DOCUMENT(S):          Philosophy of Protection
RELATED TO:
     I-0020           DAC Authority For Assignment
     I-0025           Definition Of "Named Objects"
     I-0053           Public Objects And DAC

STATEMENT:

The following provides technical guidance regarding the entire Discretionary Access Control requirement.

In the absence of suitable justifications in the Philosophy of Protection, it must be possible for an authorized user to set the access control permissions for named objects.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

A key element of a discretionary access control policy is that it is indeed "discretionary"; that is, the user authorized to control an object has the ability to define the accessibility of that object. The term "authorized user" refers to the user authorized to control the sharing of the object, as described in I-0020.

In some cases, a reasonable argument can be constructed for having the accessibility of an object defined by the system, as opposed to a user. A good example of this is a mailbox, where any user can write a message, but only the owner can read a message. Under this interpretation, such policies are not prohibited, but require a convincing justification. Factors to consider in this justification include:

  • The extent to which the source of the information can be identified. In a mailbox, each message is typically labeled with its originator, whereas in a file the origin of the data cannot be determined. Identification of the origin of the information allows the recipient to make access decisions.

  • The fan-in and fan-out of the information flow. In a mailbox, there is typically a many-in, one-out flow that cannot be changed. A file, on the other hand, could have many-in and many-out.

Some objects in a product have fixed access controls that limit their accessibility to a single user. Such objects are not considered named objects, as named objects must be usable to share information with other users.
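The three cases above (an owner-controlled named object, a system-defined mailbox policy that needs justification, and a single-user object that is not a named object) can be modeled directly. The following is an added illustration, not part of this interpretation or of any evaluated product; the class names, the "r"/"w" modes and the classification strings are assumptions made for the example.

```python
"""Toy model of the distinction drawn in I-0232: whether an authorized user can set an
object's accessibility.  Added illustration; the classes and policy strings are invented
for this example and are not part of the interpretation or any evaluated product."""
from dataclasses import dataclass, field


@dataclass
class File:
    """Named object under true DAC: the owner (the authorized user of I-0020) sets the ACL."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of modes, e.g. {"r", "w"}
    discretionary = True

    def set_access(self, requester, user, modes):
        if requester != self.owner:          # only the authorized user may change sharing
            return False
        self.acl[user] = set(modes)
        return True

    def check(self, user, mode):
        return user == self.owner or mode in self.acl.get(user, set())


@dataclass
class Mailbox:
    """Accessibility defined by the system: any user may write, only the owner may read."""
    owner: str
    discretionary = False

    def set_access(self, requester, user, modes):
        return False                         # nobody can change the fixed policy

    def check(self, user, mode):
        return mode == "w" or (mode == "r" and user == self.owner)


@dataclass
class PrivateObject:
    """Fixed access for a single user; cannot be used to share, so not a named object."""
    owner: str
    discretionary = False

    def check(self, user, mode):
        return user == self.owner


def classify(obj, users):
    """Sort an object the way the interpretation does: discretionary, or fixed policy
    that still shares (needs justification), or not a named object at all."""
    if obj.discretionary:
        return "discretionary"
    shareable = any(obj.check(u, m) for u in users if u != obj.owner for m in "rw")
    return "system-defined (justification required)" if shareable else "not a named object"
```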