
Access control expression


An access control expression (ACE), with respect to a computer file system, is a list of Boolean expressions attached to a file object. An ACE specifies a Boolean formula that defines which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACE pairs an operation with a Boolean expression. For instance, if a file object has an ACE that contains (read=(g:system OR u:Alice), write=(g:system AND !(u:Bob))), any member of the system group or the user named Alice is permitted to read the file, but only members of the system group may write the file, and the user named Bob is excluded even if he belongs to that group.

Conventional access control lists (ACLs) can be viewed as a subset of ACEs in which the only combining operation allowed is OR.
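As an added illustration, not code from the article or from any ACE-implementing file system: a small Python evaluator for expressions in the style of the example above, which also shows that an OR-only expression behaves like a plain ACL entry list. The token syntax (u:NAME, g:NAME, AND, OR, !, parentheses), the operator precedence and the per-operation mapping are assumptions for this example.

```python
import re
# Added example (not from the article or from MapR): an evaluator for ACE-style
# expressions such as "g:system OR u:Alice" and "g:system AND !(u:Bob)". The
# token syntax and precedence (! binds tightest, then AND, then OR) are assumed.
TOKEN_RE = re.compile(r"\(|\)|!|AND|OR|[ug]:\w+")

def tokenize(expr):
    """Split an expression into tokens, rejecting anything outside the grammar."""
    if TOKEN_RE.sub("", expr).strip():
        raise ValueError(f"unrecognised input in ACE: {expr!r}")
    return TOKEN_RE.findall(expr)

def evaluate(expr, user, groups):
    """True if `user`, belonging to `groups`, satisfies the Boolean expression."""
    tokens, members, pos = tokenize(expr) + [None], set(groups), 0  # None ends input
    def take(expected=None):
        nonlocal pos
        tok = tokens[pos]
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a term'}, got {tok!r}")
        pos += 1
        return tok
    def parse_chain(op, sub, combine):  # sub (op sub)*; the right operand is
        value = sub()                   # always parsed, never short-circuited
        while tokens[pos] == op:
            take()
            value = combine(value, sub())
        return value
    def parse_factor():                 # ! factor | ( expr ) | u:NAME | g:NAME
        tok = take()
        if tok == "!":
            return not parse_factor()
        if tok == "(":
            value = parse_or()
            take(")")
            return value
        kind, _, name = tok.partition(":")
        if kind not in ("u", "g"):
            raise ValueError(f"expected u:NAME or g:NAME, got {tok!r}")
        return user == name if kind == "u" else name in members
    parse_and = lambda: parse_chain("AND", parse_factor, lambda a, b: a and b)
    parse_or = lambda: parse_chain("OR", parse_and, lambda a, b: a or b)
    result = parse_or()
    if tokens[pos] is not None:         # reject "u:Alice u:Bob" and similar
        raise ValueError(f"unexpected trailing token {tokens[pos]!r}")
    return result

def is_allowed(ace, operation, user, groups):  # absent operation: fail closed
    expr = ace.get(operation)
    return bool(expr) and evaluate(expr, user, groups)
```

Malformed expressions raise ValueError rather than silently granting or denying, so a caller can treat a parse failure as a configuration error instead of an access decision.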

Few systems implement ACEs. The MapR file system is one such system.

Early Unix and Unix-like systems pioneered flexible permission schemes based on user and group membership. Initially, users could only belong to a single group, but this constraint was relaxed to allow membership in multiple groups. With an unlimited number of groups, arbitrarily complex permission schemes could be implemented, but only at the cost of exponentially many groups.

In order to allow more expressivity in the specification of filesystem permissions, a number of competing access control list implementations were developed for Microsoft Windows and for Unix and Unix-like systems such as Linux. ACLs were a substantial improvement over simple user and group permissions, but still could not easily express some common requirements (such as banning a single user from a group).

ACEs were developed in response to such needs.

The permission expressions supported by ACLs are a strict subset of those supported by ACEs, but they have the virtue of being very fast and direct to implement. The cost of implementing ACEs is no longer of much concern, however, due to advances in hardware performance.

Wikipedia