Policy Language

The security policy associated with a protected resource consists of a set of allowed operations, a set of approved principals, and and optional operation constraints. For example, a system administrator can define the following security policy to govern access to a printer: "Joe Smith and members of Department1 are allowed to print documents Monday through Friday, from 9:00AM to 6:00PM". This policy can be described by an ACL mechanism, where for each resource, a list of valid entities is granted a set of access rights. The same policy can be implemented using a capability mechanism. However, traditional ACL and capability abstractions should be extended to allow conditional restrictions on access rights.

Therefore, in implementing a policy, it should be possible to define:
1) access identity
2) grantor identity
3) a set of access rights
4) a set of conditions
The policy language represents a sequence of tokens. Each token consists of:

• Token Type

  Defines the type of the token. Tokens of the same type have the same authorization semantics.

• Defining Authority

  It indicates the authority responsible for defining the value within the token type.

• Value

  The value of the token. Its syntax and semantics are determined by the token type. The name space for the value is defined by the Defining Authority field.

The rest of this section describes the user-level representation of the policy language tokens, which can be used to implement both ACLs and capabilities. More precise syntax is given in the Appendix.