Access Models And Claims
ACL-based:
Which principals can access this resource?
Design center – protection “at-rest” resources
based on identifier claims
Integrated policy store, decision and enforcement
Can be mandatory or discretionary
Capability-based:
Which resources are accessible by this principal?
Design center – separation of policy store, decision and enforcement
Capability claims – codify access query, grant or unit of delegation
Rich policy expression, enables distributed environment
“Lock&Key” (hybrid)
Design center – protection “in-motion” resources
Expresses capability claims via cryptographic keys
Policy reference is embedded into resource itself
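
The ACL and capability models above, side by side, as an added example that is not part of the original slide. The capability half uses chained HMACs in the style of macaroons so that a holder can delegate a narrower claim without contacting the issuer; the resource name, principals, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# ACL model: the resource side keeps the list of principals (constructed sample data).
ACL = {"payroll.db": {"alice": {"read", "write"}, "bob": {"read"}}}

def acl_check(principal, resource, right):
    """Identifier claim in, decision out: policy store and enforcement are co-located."""
    return right in ACL.get(resource, {}).get(principal, set())

# Capability model: an issuer decides once; the enforcer only verifies the claim.
ROOT_KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and enforcer

def _mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def issue(resource):
    """Mint a capability for a resource with no restrictions yet."""
    return {"res": resource, "caveats": [], "sig": _mac(ROOT_KEY, resource)}

def delegate(cap, allowed_right):
    """Holder narrows the capability for someone else without contacting the issuer."""
    caveat = "right=" + allowed_right
    return {"res": cap["res"], "caveats": cap["caveats"] + [caveat],
            "sig": _mac(cap["sig"], caveat)}

def cap_check(cap, resource, right):
    """Enforcer recomputes the MAC chain; no principal lookup is involved."""
    sig = _mac(ROOT_KEY, cap["res"])
    for caveat in cap["caveats"]:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, cap["sig"]) or cap["res"] != resource:
        return False
    # Every caveat must permit the requested right, so delegation can only narrow.
    return all(c == "right=" + right for c in cap["caveats"])
```

Stripping a caveat from a delegated capability changes the expected MAC chain, so the enforcer rejects it even though it never stored who holds what.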