Access control expression
An access control expression with respect to a computer file system is a list of Boolean expressions attached to a file object. An access control expression specifies a Boolean formula that defines which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical access control expression specifies an operation and an expression and an operation. For instance, if a file object has an access control expression that contains (read=(g:system OR u:Alice), write=(g:system AND !u:Bob)))
, this would give any member of the system group or the user named Alice permission to read the file but would allow only members of the system group to write the file, except for the user named Bob.
Conventional access control lists can be viewed as a subset of access control expressions in which the only combining operation allowed is OR.
Implementations
Few systems implement access control expressions. The MapR file system is one such system.
Move Toward Filesystem Access Control Expressions
Early Unix and Unix-like systems pioneered flexible permission schemes based on user and group membership. Initially, users could only belong to a single group, but this constraint was relaxed to allow membership in multiple groups. With an unlimited number of groups, arbitrarily complex permission schemes could be implemented, but only at the cost of exponentially many groups.
In order to allow more expressivity in the specification of filesystem permissions, a number of competing access control list implementations were developed for Microsoft Windows and Unix and Unix-like systems Linux. Access control lists were a substantial improvement over simple user and group permissions, but still could not easily express some common requirements (such as banning a single user from a group). Access control expressions were developed in response to such needs.
Comparison to access control lists
The permission expressions supported by access control lists are a strict subset of those supported by access control expressions, but they have the virtue of being very fast and direct to implement. The cost of implementing access control expressions is no longer of much concern due to advances in hardware performance.
References
Further reading
- "Syntax of Access Control Expressions". MapR Documentation. Retrieved 2016-06-21.