next up previous
Next: Rule-Based Access Control Policy Up: Authorization Previous: Authorization

Access Control Lists


Every file and directory in JNFS has an Access Control List (ACL) associated with it. Each ACL is composed of one or more owners and their positive and negative permissions, as well as any number of groups which also have some form of access to the file. The PermissionGranter provides both getAccessControl() and setAccessControl() methods to obtain and modify ACLs. Only an owner of a file or the JNFS administrator may change a file's ACL.

The PermissionGranter recognizes a small set of Permissions that could be granted to a user or group for any file or directory. These include:

In order to check if a user should be granted a particular Permission to a file, the PermissionGranter provides the checkPermission() method. Unlike the getAccessControl() method which only returns the ACL for an individual file, checkPermission() implements whatever security policy the file system chooses to use. For example, in UNIX, a user may read a file only if that user is granted both the Read permission for that file as well as the Execute permission for every parent directory of that file.

Michael John Radwin
Thu May 8 10:49:26 EDT 1997