Access Control: Mandatory vs Discretionary

Gautier DI FOLCO December 31, 2023 [dev] #access control #security

We have seen many schemes since the first log of the series.

Most of the time, our draft implementations were focused on the user/actor.

That's called Mandatory access control (MAC): usually enforced by the system (and centralized), it consists of a set of policies specifying the clearance of users/actors (their permissions).

It is opposed to Discretionary access control (DAC), which is usually decentralized: policies are expressed around the object/resource.

It's not clear-cut, but usually the allowed actions depend on ownership (e.g. the file owner can read/write/execute a given file, the other members of the owner's group can only read/execute it, and everyone else can only read it).

Note: in the next log, we'll have a look at another way (i.e. not ownership) to express DAC.

Overall, MAC is harder to implement, clearer and more secure, but more rigid.
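
The contrast above, as an added example in Python (not code from this series): the DAC half implements the owner/group/other file case, the MAC half a central clearance table. The names `File`, `dac_allows`, `dac_chmod`, `MAC_POLICY` and `mac_allows`, the users and the `report` resource are assumptions made for illustration.

```python
from dataclasses import dataclass
from types import MappingProxyType

BITS = {"read": 4, "write": 2, "execute": 1}

# --- DAC: the policy travels with the object and its owner controls it ---
@dataclass
class File:
    owner: str
    group: str
    mode: int  # Unix-style bits; 0o754 = owner rwx, group r-x, other r--

def dac_allows(user, groups, f, action):
    """Pick the owner/group/other triplet, then test the bit for the action."""
    if user == f.owner:
        shift = 6
    elif f.group in groups:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & BITS[action])

def dac_chmod(user, f, mode):
    """Discretionary part: only the owner may rewrite the object's policy."""
    if user != f.owner:
        raise PermissionError(f"{user} does not own this file")
    f.mode = mode

# --- MAC: one central, read-only table maps each actor to a clearance ---
# (constructed sample policy; resources carry no policy of their own)
MAC_POLICY = MappingProxyType({
    "alice": frozenset({("report", "read"), ("report", "write")}),
    "bob": frozenset({("report", "read")}),
})

def mac_allows(user, resource, action):
    """Default deny: an actor absent from the table has no clearance."""
    return (resource, action) in MAC_POLICY.get(user, frozenset())

if __name__ == "__main__":
    f = File(owner="alice", group="staff", mode=0o754)
    for user, groups in (("alice", set()), ("bob", {"staff"}), ("carol", set())):
        allowed = [a for a in BITS if dac_allows(user, groups, f, a)]
        print("DAC", user, allowed)
    dac_chmod("alice", f, 0o700)  # the owner alone decides to lock others out
    print("DAC bob after chmod:", dac_allows("bob", {"staff"}, f, "read"))
    print("MAC bob write:", mac_allows("bob", "report", "write"))
```

In the DAC half a single owner can change who gets access, while in the MAC half no actor can alter the table, which is where the rigidity mentioned above comes from.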