Access Control

Once it has been established who exactly a user is, we must then decide what operations we will allow this user to carry out, and on which sections of the directory. This is known as acces control and the specifications of the 1993 standard on the matter are rather complex - they need to be in order to offer a wide range of system administrators the flexibility to protect their information resources.

We will endeavour to give just a flavour of the access control mechanisms on offer.The access control standards are motivated by two guiding principles.

The information in the directory is not present (from the perspective of the user) unless the user has permissions to access this piece of information. This goes beyond the access control in, say, a UNIX file system where if you try to access a file you may be told that you do not have access permissions for that file. In the X.500 Directory the message returned if you try to access an entry for which you do not have permissions will be the same as if the entry didn't exist.
This scheme is designed to keep the structure of the Directory Information Tree secret from unauthorised users. If this scheme were not used then people could guess at the structure of the directory and have their guesses judged as correct or incorrect. Eventually compromising information could be revealed.

The second principle refers to the precedence of the access control mechanisms which apply to a particular user trying to get a particular piece of information from the directory.This arises because many access control mechanisms may apply to a particular part of the directory.

Access Control Items

The basic access control mechanism is an Acccess Control Item which is merely a list which specifies the items that it controls, the user classes that it protects against and the permissions that apply (ie the type of access- read, write etc). They also carry a precedence number which is used to decide which ACI to apply in a particular case. The granularity of the ACI's can go down to a single attribute in an entry or they may refer to a complete subtree of the directory.

The individual users classes are

Name - The Distinguished Name of a user.
This Entry - User whose name matches that of entry being accessed.
User Group - The Distinguished Name of a group.
Subtree - The Distinguished Name of any non leaf node in the DIT.
All Users - Public Access

The permissions for a protected entry are

Browse
Export
Import
Modify
Rename
ReturnDN

These permissions do not match exactly the operations provided by most DSA's. Each operation will require the possesion of one or more of these permissions. For example the Search operation requires Browse permissions for each entry in the scope of the search and ReturnDN premissions for each entry.P>

Access Domains

A particular item in the DIT may be referenced by several ACI`s. It is up the Access Control Decision Funciton to decide how these are combined to make the decision to grant access for a particular operation or not.

The Access Contol Specific Area is a section of the DIT which is grouped together for access control purposes. This may or may not coincide with an Autonomous Administrative Area (an AAA is a area of the DIT for whose schema is adiministered by one body). For example a large multinational could constitute an AAA which would wish to lay down a rigid schema and naming convention for the information in its subtree. However by splitting it into several ACSA`s it can delegate the access contol adminstration down to its individual divisions.

The ACSA's may be further broken down into Access Control Inner Administrative areas. Access control for any entry within an ACIA is specifed by the ACIA and any enclosing ACIA's and ACSA's. If the ACSA's sets permissions to some sensible defaults with low precedence values it can allow the ACIA's to specify different permissions with higher precednce values.

This scheme of breaking down access control domains is very much in line with the distributed and decentralised administration philosophies which run through the whole X.500 standard.

Access Control Decision Function

As was previously stated, the ACI's which apply to an entry are worked out from the Entry ACI attributes and the Perscriptive ACI attributes which come form the domains which enclose the entry.In order to locate these the DSA must go up the tree until it reaches a specific administration which specifies the top of an ACSA.

The decision algorithm which carries out the ACDF may be broadly outlined as follows

1.Work out all the ACI's which apply in some way to the entry or attribute in question.
2.Select the ACI or ACI's with the highest precedence and discard all ACI's with precedence numbers below this.
3.Select the ACI or ACI's which are most specific in the user class they refer to. For examples a rule which applies to a User Group will be superceded by a rule which applies to a particular Name in this group.
4.If there is still more than one ACI then selct those which are most specific about the pieces of information they refer to.
5.If (and only if) all the remaining ACI's give permision for the transaction, then it is allowed to go ahead.