
Access Control List (ACL): when to use and when not to use

An Access Control List (ACL) often looks like the obvious choice, and it does keep things simple. That is why some large projects (for example OpenStack Swift and Amazon's S3 storage) use ACLs. But an ACL is not always the right tool, which is why many systems do not use one.

In this note we look at when using an ACL is a good choice and when avoiding it is wise.

Advantages of ACL / When ACL is a Good Choice:

Simplicity: An ACL is easy to visualize and straightforward to evaluate. In a rule-based access control system (for example ABAC or a rule-based policy engine), the policies for many objects are stored together, so evaluating a request is both time-consuming and often ambiguous: it is not obvious which rule fires for which request, and the order in which the rules are stored may complicate matters further.

Figure (simplicity of using ACL): with several policies stored together, it may be ambiguous which one applies to a given request.

To explain, assume the only permission is read. To answer the request (o1, u1, read), the policy engine has to go through rule1, rule2 and rule3 before it finds that the request is allowed. In the worst case it goes through every rule and then finds that the request is denied.

Figure: an ACL removes the question of which policy in a policy set should fire, because each object is directly associated with its own user list.

With an ACL, when the request (o1, read, u1) arrives, the protection system looks only at the ACL associated with object o1. There is no question of which rule should fire, and no order of rules to maintain.

Although I have not experimented with or investigated this, I think that using an ACL reduces request evaluation time.
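To make the difference concrete, here is an added example (not code from the page, OpenStack Swift or Amazon S3) that evaluates the same request both ways. The three rules, the ACL contents and the two combining algorithms ("first-match" and "deny-overrides") are assumptions chosen to show the point: the rule-based engine's answer depends on rule order and on the combining algorithm, while the ACL lookup touches only the list attached to the requested object.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One rule of a rule-based policy. A None field matches anything."""
    effect: str                  # "allow" or "deny"
    user: Optional[str] = None
    obj: Optional[str] = None
    perm: Optional[str] = None

    def matches(self, user, obj, perm):
        return all(want is None or want == got
                   for want, got in ((self.user, user), (self.obj, obj), (self.perm, perm)))


def evaluate_rules(rules, user, obj, perm, combining="first-match"):
    """Rule-based evaluation: the engine scans the shared rule list and needs a
    combining algorithm to decide which matching rule wins.
    Returns (decision, number_of_rules_examined)."""
    matched = []
    examined = 0
    for rule in rules:
        examined += 1
        if rule.matches(user, obj, perm):
            matched.append(rule)
            if combining == "first-match":
                break                      # the first matching rule fires, so order matters
    if not matched:
        return False, examined             # default deny
    if combining == "first-match":
        return matched[0].effect == "allow", examined
    if combining == "deny-overrides":      # every rule is scanned; any matching deny wins
        return all(r.effect == "allow" for r in matched), examined
    raise ValueError("unknown combining algorithm: " + combining)


def evaluate_acl(acls, user, obj, perm):
    """ACL evaluation: only the list attached to obj is consulted. There is no
    rule order and no combining algorithm to get wrong."""
    return perm in acls.get(obj, {}).get(user, set())


# Constructed sample rule set standing in for the page's rule1..rule3 (assumed contents).
RULES = [
    Rule("allow", user="u1", perm="read"),           # rule1: u1 may read anything
    Rule("deny", obj="o1"),                          # rule2: nobody may touch o1
    Rule("allow", user="u1", obj="o1", perm="read"), # rule3: u1 may read o1
]

# The same access expressed as ACLs: object -> user -> set of permissions.
ACLS = {
    "o1": {"u1": {"read"}},
    "o2": {"u1": {"read"}, "u2": {"read", "write"}},
}


if __name__ == "__main__":
    req = ("u1", "o1", "read")
    print("first-match    :", evaluate_rules(RULES, *req))
    print("deny-overrides :", evaluate_rules(RULES, *req, combining="deny-overrides"))
    print("rule2 moved up :", evaluate_rules([RULES[1], RULES[0], RULES[2]], *req))
    print("ACL lookup     :", evaluate_acl(ACLS, *req))
```

Running it shows the ambiguity the text describes: for (u1, o1, read) the rule engine answers allow under first-match, deny under deny-overrides, and deny again under first-match once rule2 is moved to the front, while the ACL lookup gives one answer without scanning any other object's entries.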

Independent Objects:

When objects are not related to each other, for example when how one file may be accessed does not depend on anything external, an ACL is a good choice. In Swift object storage and Amazon S3, each object is distinct and is accessed independently.

Independent Actions:

Similar to the previous point: when the actions on one object do not affect other objects, an ACL can be a good choice, although this property alone does not make an ACL suitable. It holds in both Amazon S3 and OpenStack Swift storage.

Disadvantages of ACL / When Not to Use ACL:

1. Global View of the System is Lost with ACL:

A global view of the whole system is hard to obtain in an ACL-based environment. For example, discovering whether any file/object is accessible by everyone requires going through every object's ACL, which does not scale.

2. Global Policy / Generic Policy is Hard to Implement and Maintain:

If a policy affects many objects or many users in the system, it is hard to implement and maintain with ACLs alone. For example, for the policy "Managers (or user Alice) should be able to access all objects in the system, existing and new", a system running on ACLs has to maintain a second policy store just for this policy.
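The following added example (not code from the page, Swift or S3) illustrates both points 1 and 2 on a small ACL store. The representation (object -> user -> permissions, with the pseudo-user "*" standing for "everyone"), the sample objects and the global-grant store are assumptions made for the example: answering "which objects can everyone read?" has to open every list, and the ACL-only way to give Alice access everywhere has to touch every list and still misses objects created afterwards, which is exactly why a second policy store is needed.

```python
# Assumed ACL representation: object -> user -> set of permissions; "*" means everyone.
# Constructed sample store, not a real Swift or S3 ACL format.
ACLS = {
    "o1": {"u1": {"read"}},
    "o2": {"*": {"read"}},
    "o3": {"u2": {"read", "write"}},
}


def acl_allows(acls, user, obj, perm):
    """Per-object check: the user's own entry or the everyone entry on that one object."""
    entry = acls.get(obj, {})
    return perm in entry.get(user, set()) or perm in entry.get("*", set())


def public_objects(acls, perm="read"):
    """Global question: which objects can everyone read? With ACLs alone the only way
    to answer is to open every object's list. Returns (objects, lists_scanned)."""
    scanned = 0
    found = []
    for obj, entry in acls.items():
        scanned += 1
        if perm in entry.get("*", set()):
            found.append(obj)
    return sorted(found), scanned


def grant_everywhere(acls, user, perms):
    """ACL-only attempt at the policy 'user may access all objects': every existing
    list is rewritten. Objects created later are not covered unless object creation
    is hooked as well. Returns the number of lists touched."""
    for entry in acls.values():
        entry.setdefault(user, set()).update(perms)
    return len(acls)


def allows_with_global_policy(global_grants, acls, user, obj, perm):
    """The second policy store the text describes: global grants (user -> permissions
    that apply to every object, existing and new) are checked before the per-object ACL,
    so a freshly created object with an empty ACL is covered without touching it."""
    if perm in global_grants.get(user, set()):
        return True
    return acl_allows(acls, user, obj, perm)


if __name__ == "__main__":
    print("everyone can read:", public_objects(ACLS))
    store = {o: {u: set(p) for u, p in e.items()} for o, e in ACLS.items()}
    print("lists touched for alice:", grant_everywhere(store, "alice", {"read"}))
    store["o_new"] = {}   # created after the grant: the ACL-only approach misses it
    print("alice reads o_new (ACL only):", acl_allows(store, "alice", "o_new", "read"))
    print("alice reads o_new (global store):",
          allows_with_global_policy({"alice": {"read", "write"}}, store, "alice", "o_new", "read"))
```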

3. Dependencies between Users, Objects and Permissions are Complex to Maintain:

Consider the following dependencies:

Dependency at the user level: if an employee can access an object, the employee's manager can access it too.

Dependency at the object level: if an object is accessible, all old versions of that object are accessible too.

Dependency at the permission level: having write permission on an object also implies read permission on it.

Any of the above dependencies is hard to maintain with ACLs alone. The dependency at the user level can be reduced by combining ACLs with the concept of a role, but that still misses many other user dependencies. In fact, systems that use ACLs (for example OpenStack Swift) have no dependency at the object or permission level, and support only a limited kind of user dependency through roles.
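As an added example (not code from the page or from Swift), the following contrasts the two ways of handling all three dependencies. The management chain, the version list and the implication table are constructed for the example. With ACLs alone, one logical grant has to be materialized as every implied (user, object, permission) triple, and a version that appears after the grant is silently uncovered; with a small rule layer over a minimal ACL, the implied entries are derived at check time instead of stored.

```python
from collections import defaultdict

# Constructed relationships for the example (assumptions, not Swift's model):
MANAGER_OF = {"bob": "carol"}              # carol is bob's manager
VERSIONS = {"doc": ["doc@v1", "doc@v2"]}   # old versions of the current object "doc"
IMPLIES = {"write": {"read"}}              # write permission implies read permission


def new_acl():
    """object -> user -> set of permissions."""
    return defaultdict(lambda: defaultdict(set))


def managers_of(user):
    """user plus the whole management chain above user (user-level dependency)."""
    chain = {user}
    while user in MANAGER_OF:
        user = MANAGER_OF[user]
        chain.add(user)
    return chain


def grant_materialized(acl, user, obj, perm):
    """ACL-only approach: every implied (user, object, permission) triple is stored
    as its own entry. Returns the number of entries written."""
    written = 0
    for u in managers_of(user):                          # user-level dependency
        for o in {obj, *VERSIONS.get(obj, [])}:          # object-level dependency
            for p in {perm, *IMPLIES.get(perm, set())}:  # permission-level dependency
                acl[o][u].add(p)
                written += 1
    return written


def acl_allows(acl, user, obj, perm):
    """Plain ACL check: an exact (object, user, permission) entry or nothing."""
    return perm in acl.get(obj, {}).get(user, set())


def allows_with_derivation(acl, user, obj, perm):
    """Rule layer over a minimal ACL: instead of storing implied entries, derive them
    at check time from MANAGER_OF, VERSIONS and IMPLIES."""
    # an entry on the current object also covers its old versions
    objects = {obj} | {cur for cur, old in VERSIONS.items() if obj in old}
    # a grant to anyone the user manages (transitively) also covers the user
    users = {user} | {u for u in MANAGER_OF if user in managers_of(u)}
    # a grant of a permission that implies perm also covers perm
    perms = {perm} | {p for p, implied in IMPLIES.items() if perm in implied}
    return any(acl_allows(acl, u, o, p) for o in objects for u in users for p in perms)


def demo():
    # ACL-only: one logical grant fans out to 2 users x 3 objects x 2 permissions.
    materialized = new_acl()
    fanout = grant_materialized(materialized, "bob", "doc", "write")

    # Derivation layer: the same grant is a single entry.
    minimal = new_acl()
    minimal["doc"]["bob"].add("write")

    # "doc" is overwritten later and its previous content becomes doc@v3.
    # Nobody re-runs the fan-out, so the materialized ACL is now stale.
    VERSIONS["doc"].append("doc@v3")

    return {
        "fanout": fanout,
        "manager_read_v1_materialized": acl_allows(materialized, "carol", "doc@v1", "read"),
        "manager_read_v3_materialized": acl_allows(materialized, "carol", "doc@v3", "read"),
        "manager_read_v3_derived": allows_with_derivation(minimal, "carol", "doc@v3", "read"),
        "stranger_read_derived": allows_with_derivation(minimal, "dave", "doc", "read"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The derivation layer is a rule-based component sitting on top of the ACL, which is the trade-off the text points at: as soon as dependencies exist, the ACL alone either grows by the product of all implied users, versions and permissions, or it has to be paired with exactly the kind of policy evaluation it was chosen to avoid.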
