DAV ACLs Lisa Dusseault Microsoft
Agenda • Background • Scenarios • Goals
Background • draft-ietf-webdav-acreq-01.txt • draft-ietf-webdav-acl-00.txt • Terms – ACL – ACE – Principal
File System ACLs • Resource x principal x right --> yes/no • Each resource (file or directory) has its own list • Each list has entries for various principals and rights • “All Users” principal • Groups as well as individual users
File System ACLs • Common rights: read, write, execute • Other rights: list members, read ACLs, write ACLs, synchronize • Directories may be treated differently than files • Access rights may be denied as well as granted
File System ACLs • Ownership • Inheritance • Rules for avoiding conflict
Scenarios • Different authors on different resources within one collection • Deny access to a member of a group • Delegation without relinquishing control • Disallow seeing the presence of a resource in a collection?? • Roles: authors, editors, maintainers, managers, contributors...
Goals • Allow access controls to be read and set • Support most frequently used rights – read, write, delete, add child, list children, delete children, read ACL, write ACL • Support grant, deny • Access controls must apply to resources and should apply to properties
Goals Continued • Flexible principal specification – userid & domain, group & domain, all authorized • Ability to add and remove access settings without resetting entire list
Inheritance goals • Static inheritance • Dynamic inheritance • Top-down vs. leaf-only inheritance (“walk the path”) • What to do if leaf has empty acls
Extensibility and Discovery • Add new types of rights to resources or types of resources • Ability to discover new rights
Security Goals • Allow administrators to block/log access control requests • Allow resource/collection managers to grant and deny access to read and write access settings
Security: Ownership • “Owner” is the principal to whom permissions cannot be effectively denied • Useful to have “set owner” as well as “set ACLs” right (solves delegation scenario) • Must be supported
Security: Encryption • Encryption could greatly reduce the chance of snooping • Snooping is particularly dangerous when account names are sent across the wire • Recommend but do not require that implementations support encryption • Allow implementations to refuse non-encrypted requests
Security: Certificates • Could have certificates issuable which mean “I have permission to write to this resource” even though certificate holder is not known • Would access certificates override the access list? • Should we support this use of certificates? • DAV ACL design will be functional without certificate-based delegation.
Predictability Goal • Ability for clients to predict access levels • Completeness • include all administrators that could delete the file? • Evaluation must be unambiguously defined • Behaviour must be entirely consistent or discoverable
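The evaluation model sketched across the File System ACLs, Goals, Inheritance goals, Security: Ownership and Predictability slides, as an added example (not code from this deck or from the webdav-acl drafts): an in-memory ACL store with grant and deny entries, group and "all authorized" principals, single-entry add/remove, dynamic "walk the path" inheritance with a leaf-only alternative, an owner who cannot be effectively denied, and a client-side "what rights do I have here" query. The `user:`/`group:` principal syntax, the right names, the two selectable conflict rules (deny-overrides vs. first-match) and the sample tree in `build_demo()` are assumptions made for illustration.

```python
"""Toy ACL evaluator for the DAV ACL design goals on these slides.

Added example, not code from the slides or from the webdav-acl drafts.
Principal syntax, right names, and the two conflict rules are assumptions.
"""
from dataclasses import dataclass, field

# Rights from the "Goals" slide (string names are assumed).
READ, WRITE, DELETE, ADD_CHILD, LIST, READ_ACL, WRITE_ACL = (
    "read", "write", "delete", "add-child", "list-children", "read-acl", "write-acl")
ALL_RIGHTS = {READ, WRITE, DELETE, ADD_CHILD, LIST, READ_ACL, WRITE_ACL}
ALL = "all"  # the "all authorized" principal


@dataclass
class ACE:
    principal: str      # "user:alice", "group:editors" or ALL
    grant: bool         # True = grant, False = deny
    rights: frozenset


@dataclass
class Resource:
    owner: str
    acl: list = field(default_factory=list)  # ordered ACEs on this resource


class Store:
    """Resources keyed by path; group membership is a global map (assumed)."""

    def __init__(self, groups):
        self.groups = groups        # {"group:editors": {"user:alice", ...}}
        self.resources = {}         # {"/docs/plan.txt": Resource}

    def matches(self, ace_principal, principal):
        if ace_principal in (ALL, principal):
            return True
        return principal in self.groups.get(ace_principal, set())

    # Edit single entries instead of resetting the whole list.
    def add_ace(self, path, ace):
        self.resources[path].acl.append(ace)

    def remove_aces(self, path, principal):
        res = self.resources[path]
        res.acl = [a for a in res.acl if a.principal != principal]

    def _chain(self, path):
        """[path, parent, ..., "/"] for dynamic inheritance."""
        chain = [path]
        while path != "/":
            path = path.rsplit("/", 1)[0] or "/"
            chain.append(path)
        return chain

    def effective_acl(self, path, walk_path=True):
        """Dynamic inheritance, computed at request time.

        walk_path=True : leaf ACEs first, then each ancestor's ("walk the path").
        walk_path=False: leaf only; an empty leaf ACL falls back to the nearest
                         ancestor with a non-empty one (one answer to the
                         empty-leaf question on the slide).
        """
        acls = [self.resources[p].acl for p in self._chain(path) if p in self.resources]
        if walk_path:
            return [ace for acl in acls for ace in acl]
        return next((list(acl) for acl in acls if acl), [])

    def allowed(self, path, principal, right, rule="deny-overrides", walk_path=True):
        if principal == self.resources[path].owner:
            return True                 # owner cannot be effectively denied
        relevant = [a for a in self.effective_acl(path, walk_path)
                    if right in a.rights and self.matches(a.principal, principal)]
        if rule == "deny-overrides":    # any deny wins; otherwise any grant; else deny
            return not any(not a.grant for a in relevant) and any(a.grant for a in relevant)
        if rule == "first-match":       # first relevant ACE decides; none = deny
            return relevant[0].grant if relevant else False
        raise ValueError(f"unknown conflict rule {rule!r}")

    def effective_rights(self, path, principal, **kw):
        """The answer a client wants to predict: every right it holds here."""
        return {r for r in ALL_RIGHTS if self.allowed(path, principal, r, **kw)}


def build_demo():
    """Constructed sample tree covering the scenarios slide."""
    s = Store(groups={"group:editors": {"user:alice", "user:bob"}})
    s.resources["/"] = Resource("user:admin", [
        ACE(ALL, True, frozenset({READ, LIST})),
        ACE("group:editors", True, frozenset({WRITE, ADD_CHILD})),
    ])
    s.resources["/docs"] = Resource("user:admin")              # empty leaf ACL
    s.resources["/docs/plan.txt"] = Resource("user:carol", [   # carol owns it
        ACE("group:editors", True, frozenset({WRITE})),
        ACE("user:bob", False, frozenset({WRITE})),            # deny one group member
    ])
    return s


if __name__ == "__main__":
    s = build_demo()
    for rule in ("deny-overrides", "first-match"):
        print(rule, sorted(s.effective_rights("/docs/plan.txt", "user:bob", rule=rule)))
```

The same ACL on `/docs/plan.txt` lets bob write under first-match (the group grant is listed before his deny) but not under deny-overrides, which is the Predictability slide's point: a client cannot predict its access unless the evaluation rule is pinned down. Switching to `walk_path=False` shows the other hazard: leaf-only inheritance silently drops the root's read grant for alice on `plan.txt`, while the empty ACL on `/docs` falls back to the root's entries.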