The policy language that we implemented is called Extended Access Control List (EACL). The EACL is a simple policy language designed to describe user-level authorization policy. An EACL is associated with an object (or a group of objects) to be protected and specifies positive and negative access rights with optional set of associated conditions.
A condition block defines a conjunction of a totally ordered set of conditions. Conditions are evaluated in the order they appear within a condition block4.
An EACL entry consists of a positive or negative access right and four condition blocks: a set of pre-conditions, a set of request-result conditions, a set of mid-conditions and a set of post-conditions. Note that a condition block can be empty. If all condition blocks in an EACL entry are empty, the right is granted unconditionally. An example of a practical policy with empty condition blocks is: ``anyone can read file 24#24''.
An EACL consists of an ordered set of disjunctive EACL entries. An EACL representation supports disjunction and conjunction of conditions to activate different control modes.
An EACL is equivalent to disjunctive normal form consisting of a disjunction of conjunctions where no
conjunction contains a disjunction.
For example, a policy ``Tom or Joe can read file 5#5 only if they connect from *.isi.edu domain''
can be represented by an EACL (attached to the file 5#5) with two EACL entries:
``positive access right: read, pre-conditions: Tom, *.isi.edu''
``positive access right: read, pre-conditions: Joe, *.isi.edu''.
More precise EACL syntax and an example are given in the Appendix.
Evaluation of an EACL starts from the first to the last in the list of EACL entries. The resolution of inconsistent authorization is based on ordering. The authorizations which already have been examined take precedence over new authorizations.
An ordered evaluation approach is easier to implement as it allows only partial evaluation of an EACL and resolves the authorization conflicts. The problem with this approach is that it requires total ordering among authorizations. It requires careful writing of the EACL by the security administrator.