Ambient authority

2009-06-15T16:37:51Z

76.64.3.181: Improved clarity of description.

The correct interpretation of this page relies on proper interpretation of words: [[subject, object, operation and permission]].

== Definition ==

IF a subject requests an action, typically by naming an object and an operation on that object, and the action is allowed because the subject has a permission that would allow the action, THEN we say that the subject has '''ambient authority'''.

== Notes ==

In contrast, in a designated authority system, a subject explicitly identifies a subset (usually one) of its permissions, and the action is allowed only if permitted by that subset of permissions.

In an ambient authority system, a subject making a request does not specify which permission to use -- the subject does not identify which permission is claimed to justify allowing the request. Instead, the system looks through all of the subject's permissions and allows the request if any of the subject's permissions would justify allowing the request.

In an ambient authority system, a subject may have many permissions, and there is often no way for the subject to single one of these out. As a result, in these systems, developers may not think of the subject as having multiple different permissions at once; instead, developers might just associate the union of all those permissions with the subject, and call them ''the'' permissions of the subject.

== Examples of ambient authority ==

All UNIX processes run by some user have ''ambient authority'' to manipulate all files owned by that user.

All UNIX processes have ''ambient authority'' to listen to TCP or UDP ports 1024--65535.

All UNIX processes have ''ambient authority'' to send any signal to any other UNIX process.

== Acknowledgement ==

The term ''ambient authority'' was coined by Dean Tribble and Mark S. Miller.

Erights - User contributions [en]

Ambient authority