Security policy inheritance

Security policy inheritance simplifies the task of setting and maintaining access controls on a large protected object space.

The power of security policy inheritance is based on the following principle:

Any object without an explicitly attached security policy inherits the policy of its nearest container object with an explicitly set security policy. The inheritance chain is broken when an object has an explicitly attached security policy.

In a typical object space, you need to attach only a few security policies at key locations to secure the entire object space. For this reason, the approach is called a sparse security policy model.

A typical object space begins with a single explicit security policy attached to the root container object. The root ACL must always exist and can never be removed. Normally, the root ACL imposes few restrictions. All objects in the object space inherit this ACL.

When a region or subtree in the object space requires different access control restrictions, you attach an explicit security policy at the root of that subtree. This attachment interrupts the flow of inherited security policies from the primary object space root to that subtree. A new chain of inheritance begins from this newly created explicit security policy.
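The lookup described above can be sketched as follows. This is an added example, not product code: the object names, policy names and the helpers `canonical`, `ancestors`, `effective_policy` and `detach` are hypothetical. It matches on whole path segments, so `/payrollx` does not pick up the policy attached at `/payroll`.

```python
# Added illustration: effective-policy lookup in a sparse policy model.
# Object names, policy names and helpers are hypothetical, not a product API.

def canonical(path):
    """Return a canonical absolute object name, rejecting ambiguous ones."""
    if not path.startswith("/"):
        raise ValueError("object names must be absolute: %r" % path)
    parts = [p for p in path.split("/") if p]
    if any(p in (".", "..") for p in parts):
        raise ValueError("relative segments are not allowed: %r" % path)
    return "/" + "/".join(parts)


def ancestors(path):
    """Yield the object itself, then each container up to the root."""
    parts = canonical(path).split("/")[1:]
    parts = [p for p in parts if p]
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])
    yield "/"


def effective_policy(path, attached):
    """Return (policy, attachment point) that governs `path`."""
    if "/" not in attached:
        raise LookupError("the root policy must always exist")
    for node in ancestors(path):
        if node in attached:  # nearest explicit attachment wins
            return attached[node], node


def detach(path, attached):
    """Remove an explicit policy so the object inherits again."""
    node = canonical(path)
    if node == "/":
        raise PermissionError("the root policy can never be removed")
    attached.pop(node, None)


# Constructed sample object space: two explicit attachments cover everything.
ATTACHED = {"/": "default-root", "/payroll": "payroll-restricted"}

if __name__ == "__main__":
    for obj in ("/public/index.html", "/payroll/2024/q1.xls", "/payrollx/a"):
        print(obj, "->", effective_policy(obj, ATTACHED))
```

Returning the attachment point along with the policy makes it easy to audit which explicit policy actually governs a given object.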
