11.2 Access Matrix

 

View protection as a matrix (access matrix)

Rows represent domains

Columns represent objects

Access (i, j) is the set of operations that a process executing in Domain i can invoke on Object j

 

Access Matrix

 

 

Figure A

 

Use of Access Matrix

 

 If a process in Domain Di tries to do “op” on object Oj then “op” must be in the access matrix.

Can be expanded to dynamic protection.

     1. Operations to add, delete access rights.

     2. Special access rights:

     3. owner of Oi

     4. copy op from Oi to Oj

     5. control – Di can modify Dj access rights

     6. transfer – switch from domain Di to Dj

Access matrix design separates mechanism from policy.

     1. Mechanism

     2. Operating system provides access-matrix + rules.

     3. If ensures that the matrix is only manipulated by

authorized agents and that rules are strictly enforced.

     1. Policy

     2. User dictates policy.

     3. Who can access what object and in what mode.

 

 

                                                                                                                                                                                                                    Back