
Capability

To demonstrate how capabilities can be represented, we define a function 75#75 that takes the set of policies 9#9 and a particular condition 76#76 as arguments and returns the subset 74#74 in which this condition appears. Intuitively, this function returns all policy statements associated with the given condition.

77#77

Note that if the condition constant 76#76 specifies a particular access identity (subject), then the returned set of policies 74#74 conceptually represents a capability possessed by the subject identified by the condition 76#76. Next, the set 74#74 can be passed to the 57#57 function along with an authorization request for further evaluation.

The representation of a capability is quite similar to that of an ACL. A capability is associated with each subject, so the subject is implicit and is omitted from the policy element. Thus, each policy statement contains only elements that represent objects and access rights.
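The selection step and the implicit subject can be sketched in Python; this is an added example, not code from the original document or its implementation. The names `Condition`, `Statement`, `select_by_condition`, `to_capability` and `evaluate`, the sample policies, and the choice to keep non-identity conditions on each capability entry are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    kind: str    # constructed condition types, e.g. "access_id" or "location"
    value: str

@dataclass(frozen=True)
class Statement:
    obj: str
    rights: frozenset
    conditions: frozenset   # every condition must hold for the statement to apply

def select_by_condition(policies, cond):
    """Return the subset of policy statements in which `cond` appears."""
    return {s for s in policies if cond in s.conditions}

def to_capability(subset, subject_cond):
    """The subject is implicit in a capability, so drop its condition from each entry."""
    return {Statement(s.obj, s.rights, s.conditions - {subject_cond}) for s in subset}

def evaluate(statements, obj, right, context):
    """Hypothetical evaluator: grant if some statement covers (obj, right)
    and all of its remaining conditions hold in the request context."""
    return any(s.obj == obj and right in s.rights and s.conditions <= context
               for s in statements)

# Constructed sample policy set (not from the original document)
ALICE = Condition("access_id", "alice")
BOB = Condition("access_id", "bob")
ONSITE = Condition("location", "onsite")

POLICIES = {
    Statement("/payroll.db", frozenset({"read"}), frozenset({ALICE, ONSITE})),
    Statement("/wiki", frozenset({"read", "write"}), frozenset({ALICE})),
    Statement("/wiki", frozenset({"read"}), frozenset({BOB})),
}

# Selecting on an access-identity condition yields that subject's capability.
ALICE_CAP = to_capability(select_by_condition(POLICIES, ALICE), ALICE)
BOB_CAP = to_capability(select_by_condition(POLICIES, BOB), BOB)
```

Because the capability is derived from the same policy set an ACL view would use, a request denied for one subject (write on `/wiki` for `bob`) stays denied regardless of which representation is evaluated.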

More detailed discussion of the implementation of ACL and capability can be found in [14].



Tatyana Ryutov 2002-06-25