We will endeavour to give just a flavour of the access control mechanisms on offer. The access control standards are motivated by two guiding principles.
The basic access control mechanism is an Access Control Item (ACI), which is merely a list specifying the items that it controls, the user classes that it protects against and the permissions that apply (i.e. the type of access: read, write, etc.). Each ACI also carries a precedence number, which is used to decide which ACI to apply in a particular case. The granularity of ACIs can go down to a single attribute in an entry, or they may refer to a complete subtree of the directory.
The individual user classes are
A particular item in the DIT may be referenced by several ACIs. It is up to the Access Control Decision Function (ACDF) to decide how these are combined in order to grant or refuse access for a particular operation.
The Access Control Specific Area (ACSA) is a section of the DIT which is grouped together for access control purposes. This may or may not coincide with an Autonomous Administrative Area (an AAA is an area of the DIT whose schema is administered by one body). For example, a large multinational could constitute an AAA and wish to lay down a rigid schema and naming convention for the information in its subtree; by splitting that subtree into several ACSAs it can nevertheless delegate access control administration down to its individual divisions.
An ACSA may be further broken down into Access Control Inner Administrative Areas (ACIAs). Access control for any entry within an ACIA is specified by that ACIA together with any enclosing ACIAs and the enclosing ACSA. If the ACSA sets permissions to some sensible defaults with low precedence values, the ACIAs are free to specify different permissions with higher precedence values.
This scheme of breaking down access control domains is very much in line with the distributed and decentralised administration philosophies which run through the whole X.500 standard.
As was previously stated, the ACIs which apply to an entry are worked out from the Entry ACI attributes and the Prescriptive ACI attributes which come from the domains enclosing the entry. In order to locate these, the DSA must go up the tree until it reaches a specific administrative point which marks the top of an ACSA.
The decision algorithm which carries out the ACDF may be broadly outlined as follows:
1. Work out all the ACIs which apply in some way to the entry or attribute.
2. Select the ACI or ACIs with the highest precedence and discard all ACIs with precedence numbers below this.
3. Select the ACI or ACIs which are most specific in the user class they refer to. For example, a rule which applies to a User Group will be superseded by a rule which applies to a particular Name in that group.
4. If there is still more than one ACI, then select those which are most specific about the pieces of information they refer to.
5. If (and only if) all the remaining ACIs give permission for the transaction, then it is allowed to go ahead.
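The five steps above, carried through as an added Python illustration (not code from the X.500 standards or any DSA implementation). The ACI model, the specificity ranks for user classes and protected items, the sample DNs and the rule that an operation with no applicable ACI is refused are all assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed ranks: a higher number means a more specific user class / protected item.
USER_CLASS_RANK = {"allUsers": 0, "userGroup": 1, "name": 2}
ITEM_RANK = {"subtree": 0, "entry": 1, "attribute": 2}

@dataclass(frozen=True)
class ACI:
    user_class: str   # "allUsers", "userGroup" or "name"
    subject: str      # group name or user DN ("" for allUsers)
    item_scope: str   # "subtree", "entry" or "attribute"
    item: str         # subtree DN, entry DN, or "<entry DN>#<attribute type>"
    operation: str    # "read" or "write"
    grant: bool       # True grants the operation, False denies it
    precedence: int   # compared in step 2

def applies(aci, user, groups, entry_dn, attr, op):
    # Step 1: does this ACI cover this user, this item and this operation?
    if aci.operation != op:
        return False
    if aci.user_class == "userGroup" and aci.subject not in groups:
        return False
    if aci.user_class == "name" and aci.subject != user:
        return False
    if aci.item_scope == "subtree":
        return entry_dn == aci.item or entry_dn.endswith("," + aci.item)
    if aci.item_scope == "entry":
        return entry_dn == aci.item
    return aci.item == f"{entry_dn}#{attr}"

def acdf(acis, user, groups, entry_dn, attr, op):
    remaining = [a for a in acis if applies(a, user, groups, entry_dn, attr, op)]
    if not remaining:
        return False  # assumption: no applicable ACI means the operation is refused
    # Steps 2-4: keep the highest precedence, then the most specific user class,
    # then the most specific protected item; each step discards the rest.
    for key in (lambda a: a.precedence,
                lambda a: USER_CLASS_RANK[a.user_class],
                lambda a: ITEM_RANK[a.item_scope]):
        best = max(key(a) for a in remaining)
        remaining = [a for a in remaining if key(a) == best]
    return all(a.grant for a in remaining)  # step 5: unanimity required

# Constructed sample: an ACSA-wide default with low precedence, and two ACIA rules
# of equal precedence that differ only in the specificity of their user class.
ALICE = "cn=Alice,ou=Sales,o=Acme"
SAMPLE_ACIS = [
    ACI("allUsers", "", "subtree", "o=Acme", "read", True, 1),
    ACI("userGroup", "sales", "attribute", f"{ALICE}#salary", "read", False, 5),
    ACI("name", ALICE, "attribute", f"{ALICE}#salary", "read", True, 5),
]
```

With these rules, Alice may read her own salary (the Name rule wins in step 3), another member of the sales group may not (the group denial outranks the subtree default in step 2), and a user outside the group falls through to the ACSA default.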