DAV ACLs Lisa Lippert Microsoft

Post on 04-Jan-2016

Page 1: DAV ACLs Lisa Lippert Microsoft. Agenda Background –drafts, terms, how file systems use ACLs –Other ACLs efforts Scenarios Goals –goals, may-haves, won’t-haves

DAV ACLs

Lisa Lippert

Microsoft

Page 2

Agenda

• Background
  – drafts, terms, how file systems use ACLs
  – other ACL efforts

• Scenarios

• Goals
  – goals, may-haves, won’t-haves

Page 3

Background

• Drafts:
  – draft-ietf-webdav-acl-reqts-00.txt
  – draft-ietf-webdav-acl-00.txt (expired)

• Terms
  – ACL
  – ACE
  – Principal

Page 4

File System ACLs

• Resource x principal x right --> yes/no

• Each resource (file or directory) has its own list

• Each list has entries for various principals and rights

• Users, groups, “All Users” principal

• Common rights: read, write, execute

• Other rights: list members, read ACLs, write ACLs...

• Directories may be treated differently from files

• Access rights may be denied as well as granted

• Various rules for ownership, inheritance, avoiding conflict

Page 5

Other ACL efforts

• LDAP

• IMAP: RFC 2086
  – lookup, read, write, insert, post, create, delete, administer, keep seen/unseen info across sessions
  – Rights apply only to mailboxes

• CAP (Calendar Access Protocol)

• CAT

Page 6

Scenarios

• Basic allow read/write scenario

• Different authors on different resources within one collection

• Deny access to a member of a group

• Delegation without relinquishing control

• High-security: no evidence that a hidden file exists

Page 7

Goals

• Allow access controls to be read and set

• Support most frequently used rights
  – read, write, delete, add child, list children, delete children, read ACL, write ACL

• Support grant, deny

• Allow access controls to apply to resources and collections

Page 8

Goals Continued

• Flexible principal specification
  – userid & domain, group & domain, all, all authenticated

• Ability to add and remove access settings without resetting entire list

Page 9

Inheritance goals

• Static inheritance

• Dynamic inheritance

Page 10

Extensibility and Discovery

• Add new types of rights to resources or types of resources

• Ability to discover new rights

Page 11

Security: Ownership

• Allow resource managers to grant and deny access to read and write access settings

• Ownership
  – “Owner” is the principal to whom permissions cannot be effectively denied
  – Useful to have “set owner” as well as “set ACLs” right (solves delegation scenario)
  – Must be supported
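The slides above describe the model in words: an ACL is a list of entries mapping resource x principal x right to yes/no, principals may be a user, a group, "all" or "all authenticated", rights can be denied as well as granted, collections pass their settings to members by static or dynamic inheritance, the owner cannot be effectively denied, and a high-security server should give no evidence that a hidden member exists. The evaluator below is an added example that is not part of the slide deck; it ties the File System ACLs, Scenarios, Goals, Inheritance and Ownership slides together in one runnable model. The group directory, the domain example.com, the user names, the right names such as "list-children" and "write-acl", and the "explicit deny beats any grant" conflict rule are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed group directory for this example (not part of the slides).
GROUPS = {
    "editors@example.com": {"alice@example.com", "bob@example.com"},
}


@dataclass(frozen=True)
class ACE:
    """One access control entry: principal x right -> grant or deny."""
    principal: str   # "user:<id>", "group:<id>", "all", or "authenticated"
    right: str       # e.g. "read", "write", "delete", "list-children", "write-acl"
    grant: bool      # True grants the right, False denies it


@dataclass
class Resource:
    path: str
    owner: str                                   # rights cannot be effectively denied to the owner
    acl: List[ACE] = field(default_factory=list)
    hidden: bool = False
    parent: Optional["Resource"] = None
    inherit: bool = True                         # dynamic inheritance: parent's ACL is read at check time


def matches(ace_principal: str, user: Optional[str]) -> bool:
    """Does the ACE principal cover this user? user=None is an unauthenticated request."""
    if ace_principal == "all":
        return True
    if user is None:
        return False
    if ace_principal == "authenticated":
        return True
    kind, _, name = ace_principal.partition(":")
    if kind == "user":
        return name == user
    if kind == "group":
        return user in GROUPS.get(name, set())
    return False


def effective_aces(res: Resource) -> List[ACE]:
    """The resource's own ACEs followed by dynamically inherited ones, nearest first."""
    chain: List[ACE] = []
    node: Optional[Resource] = res
    while node is not None:
        chain.extend(node.acl)
        if not node.inherit:
            break
        node = node.parent
    return chain


def check(res: Resource, user: Optional[str], right: str) -> bool:
    """Resource x principal x right -> yes/no; an explicit deny wins over any grant (assumed rule)."""
    if user is not None and user == res.owner:
        return True                               # owner cannot be effectively denied
    granted = False
    for ace in effective_aces(res):
        if ace.right != right or not matches(ace.principal, user):
            continue
        if not ace.grant:
            return False
        granted = True
    return granted


def make_child(parent: Resource, path: str, owner: str, static: bool = False,
               hidden: bool = False) -> Resource:
    """Static inheritance copies the parent's ACL once; dynamic keeps following the parent."""
    child = Resource(path, owner, parent=parent, hidden=hidden)
    if static:
        child.acl = list(parent.acl)
        child.inherit = False
    return child


def list_children(collection: Resource, children: List[Resource],
                  user: Optional[str]) -> Optional[List[str]]:
    """High-security scenario: a hidden member is omitted for anyone who may not read it."""
    if not check(collection, user, "list-children"):
        return None
    return [c.path for c in children if not c.hidden or check(c, user, "read")]


def build_sample():
    """Constructed tree: /docs owned by carol, writable by the editors group, readable by all."""
    root = Resource("/docs", "carol@example.com", acl=[
        ACE("group:editors@example.com", "write", True),
        ACE("group:editors@example.com", "list-children", True),
        ACE("all", "read", True),
    ])
    memo = make_child(root, "/docs/memo.txt", "carol@example.com")
    memo.acl.append(ACE("user:bob@example.com", "write", False))    # deny one member of the group
    secret = make_child(root, "/docs/secret.txt", "carol@example.com", static=True, hidden=True)
    secret.acl = [a for a in secret.acl if a.principal != "all"]     # remove one entry, keep the rest
    secret.acl.append(ACE("user:alice@example.com", "read", True))   # add one entry without a reset
    return root, memo, secret
```

With the sample tree, bob keeps group read and list rights but is denied write on memo.txt by a single user-level deny entry; secret.txt disappears from bob's listing and from anonymous reads, while alice and the owner carol still see it; and because secret.txt took a static copy of the collection's ACL, later changes to /docs reach memo.txt (dynamic) but not secret.txt. The deny-wins rule is only one of the "various rules for avoiding conflict" the slides mention; ordered evaluation, where the first matching entry decides, is another common choice and changes the result when grants and denies overlap.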

Page 12

Security: Encryption

• To protect the ACL as sensitive data
  – Encryption could reduce chance of snooping
  – Snooping is particularly dangerous when account names are sent across the wire

• June WG decision:
  – there should be on-the-wire protection of ACL data
  – It should be possible to deny unprotected transactions

Page 13

May-have

• Property-level access control

• Roles (problematic)

• Management: easy to block or log ACLs

Page 14

Out of Scope

• How groups are or should be modeled

• Use of certificates to prove that a user has access

• Time-out access control

• Absolute predictability

• Sensitivity

• Delegation