Network Working Group E. Stokes Request for Comments: 2820 D. Byrne Category: Informational IBM B. Blakley Dascom P. Behera Netscape May 2000 Access Control Requirements for LDAP Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved.
AbstractThis document describes the fundamental requirements of an access control list (ACL) model for the Lightweight Directory Application Protocol (LDAP) directory service. It is intended to be a gathering place for access control requirements needed to provide authorized access to and interoperability between directories. The keywords "MUST", "SHOULD", and "MAY" used in this document are to be interpreted as described in [bradner97]. RFC 2119 terminology is used in this document.
S3. Multiple policies of equal specificity SHOULD be combined in some easily-understood way (e.g. union or intersection). This is best understood by example. Suppose user A belongs to 3 groups and those 3 groups are listed on the ACL. Also suppose that the permissions for each of those groups are not identical. Each group is of equal specificity (e.g. each group is listed on the ACL) and the policy for granting user A access (given the example) SHOULD be combined in some easily understood way, such as by intersection or union. For example, an intersection policy here may yield a more limited access for user A than a union policy. S4. Newly created directory entries SHOULD be subject to a secure default policy. S5. Access policy SHOULD NOT be expressed in terms of attributes which the directory administrator or his organization cannot administer (e.g. groups whose membership is administered by another organization). S6. Access policy SHOULD NOT be expressed in terms of attributes which are easily forged (e.g. IP addresses). There may be valid reasons for enabling access based on attributes that are easily forged and the behavior/implications of doing that should be documented. S7. Humans (including administrators) SHOULD NOT be required to manage access policy on the basis of attributes which are not "human-readable" (e.g. IP addresses). S8. It MUST be possible to deny a subject the right to invoke a directory operation. The system SHOULD NOT require a specific implementation of denial (e.g. explicit denial, implicit denial). S9. The system MUST be able (semantically) to support either default-grant or default-deny semantics (not simultaneously). S10. The system MUST be able to support either union semantics or intersection semantics for aggregate subjects (not simultaneously). S11. Absence of policy SHOULD be interpretable as grant or deny. Deny takes precedence over grant among entries of equal specificity. S12. ACL policy resolution MUST NOT depend on the order of entries in the ACL. S13. Rights management MUST have no side effects. Granting a subject one right to an object MUST NOT implicitly grant the same or any other subject a different right to the same object. Granting a
privilege attribute to one subject MUST NOT implicitly grant the same privilege attribute to any other subject. Granting a privilege attribute to one subject MUST NOT implicitly grant a different privilege attribute to the same or any other subject. Definition: An ACL's "scope" is defined as the set of directory objects governed by the policy it defines; this set of objects is a sub-tree of the directory. Changing the policy asserted by an ACL (by changing one or more of its entries) MUST NOT implicitly change the policy governed by an ACL in a different scope. S14. It SHOULD be possible to apply a single policy to multiple directory entries, even if those entries are in different subtrees. Applying a single policy to multiple directory entries SHOULD NOT require creation and storage of multiple copies of the policy data. The system SHOULD NOT require a specific implementation (e.g. nested groups, named ACLs) of support for policy sharing.
U7. Override of subtree policy MUST be supported on a per- directory-entry basis. U8. Control of access to individual directory entry attributes (not just the whole directory entry) MUST be supported. U9. Administrator MUST be able to coarsen access policy granularity by grouping attributes with similar access sensitivities. U10. Control of access on a per-user granularity MUST be supported. U11. Administrator MUST be able to aggregate users (for example, by assigning them to groups or roles) to simplify administration. U12. It MUST be possible to review "effective access" of any user, group, or role to any entry's attributes. This aids the administrator in setting the correct policy. U13. A single administrator SHOULD be able to define policy for the entire directory tree. An administrator MUST be able to delegate policy administration for specific subtrees to other users. This allows for the partitioning of the entire directory tree for policy administration, but still allows a single policy to be defined for the entire tree independent of partitioning. (Partition in this context means scope of administration). An administrator MUST be able to create new partitions at any point in the directory tree, and MUST be able to merge a superior and subordinate partition. An administrator MUST be able to configure whether delegated access control information from superior partitions is to be accepted or not. U14. It MUST be possible to authorize users to traverse directory structure even if they are not authorized to examine or modify some traversed entries; it MUST also be possible to prohibit this. The tree structure MUST be able to be protected from view if so desired by the administrator. U15. It MUST be possible to create publicly readable entries, which may be read even by unauthenticated clients. U16. The model for combining multiple access control list entries referring to a single individual MUST be easy to understand. U17. Administrator MUST be able to determine where inherited policy information comes from, that is, where ACLs are located and which ACLs were applied. Where inheritance of ACLs is applied, it must be able to be shown how/where that new ACL is derived from.
U18. It SHOULD be possible for the administrator to configure the access control system to permit users to grant additional access control rights for entries which they create.
Privilege attributes - Attributes, associated with a security subject that, when matched against control attributes of a security object, are used to grant or deny access to that subject. Group and role memberships are examples of privilege attributes. Security attributes - A general term covering both privilege attributes and control attributes. The use of security attributes is defined by a security policy. Security object - An entity in a passive role to which a security policy applies. Security policy - A general term covering both access control policies and authorization policies. Security subject - An entity in an active role to which a security policy applies. [ldap] Kille, S., Howes, T. and M. Wahl, "Lightweight Directory Access Protocol (v3)", RFC 2251, August 1997. [ecma] ECMA, "Security in Open Systems: A Security Framework" ECMA TR/46, July 1988. [bradner97] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.