Subject, object, operation and permission

From Erights

(Difference between revisions)
Jump to: navigation, search
m (added an ?hidden? link to an paulgraham article. Please remove it if it doesnt belong.)
Line 1: Line 1:
-
We use the terms '''subject''', '''object''', '''operation''' and '''permission''' consistently with a standard access control literature.
+
From a security point of view, we recognize:
-
 
+
* subjects
-
== Definition ==
+
* objects
-
 
+
'''Subjects''' are active entities (e.g. UNIX processes) with some behavior. Subjects can designate '''objects''' and try to perform some supported '''operations''' with them.
-
From a security point of view, we recognize '''subjects''' and '''objects'''
+
-
 
+
-
'''Subjects''' are active entities (e.g. UNIX processes) with some behavior. '''Subjects''' can designate '''objects''' and try to perform some supported '''operations''' with them.
+
What kind of operations can be performed with an object depends on its type.
What kind of operations can be performed with an object depends on its type.
Line 11: Line 8:
In general, the set of existing objects and subjects changes over time.
In general, the set of existing objects and subjects changes over time.
-
'''Permissions''' is a relation that defines which operations on what objects are permitted for particular subjects. One way how to capture permissions is the [[protection matrix]].
+
'''Permissions''' is a relation (among subjects, objects and their operations) that defines which operations of what objects are permitted for particular subjects.
-
 
+
-
== Notes ==
+
-
 
+
-
People (outside capability community) often confuse the following two terms:
+
-
* '''permissions''' (defined in this article)
+
-
* and [[authority]].
+
-
Real security audit cannot be performed without determining the [[authority]] of particular '''subjects'''.
+
-
 
+
-
== See also ==
+
-
 
+
-
These are standard notions and they are defined in various other places:
+
-
* in the [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 MINIX Book] (Section 5.5)
+
-
* [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security in Wikipedia].
+
-
<!-- [http://www.paulgraham.com/reesoo.html] <-- I dont know if this belongs here or not -Zarutian -->
+

Revision as of 18:59, 14 June 2009

From a security point of view, we recognize:

  • subjects
  • objects

Subjects are active entities (e.g. UNIX processes) with some behavior. Subjects can designate objects and try to perform some supported operations with them.

What kind of operations can be performed with an object depends on its type.

In general, the set of existing objects and subjects changes over time.

Permissions is a relation (among subjects, objects and their operations) that defines which operations of what objects are permitted for particular subjects.

Retrieved from "http://wiki.erights.org/wiki/Subject,_object,_operation_and_permission"
Personal tools
more tools