Principles are based on scientific sources.
Name | Explicit Authority |
Sources | (Yee, 2002) |
Synonyms | Active Authorization, Explicit Authorization |
Intent | A user’s authorities must only be provided to other actors as a result of an explicit action that is understood by the user to imply granting. |
Motivation | Explicit Authority is perhaps the most basic requirement for controlling authority in any system. In current systems, applications often hold authorities over resources such as the network and the filesystem without ever having been explicitly granted them. Explicit Authority is a direct descendant of the least privilege principle of Saltzer and Schroeder (Saltzer and Schroeder, 1975). Requiring each authority to be explicitly granted increases the likelihood that actors will operate with the least authority necessary. Without such a restriction, the user becomes responsible for finding and disabling a potentially unlimited set of implicitly granted authorities before the system is safe to use. |
Examples | None |
Guidelines | None |
Tags | Access Control, Controllability |
Log history | [02/14/2016]: Added to repository; [07/11/2016]: Added synonyms |
Saltzer, J.H., Schroeder, M.D., 1975. The protection of information in computer systems, in: Proceedings of the IEEE 63-9.
Yee, K.-P., 2002. User interaction design for secure systems, in: Proceedings of the 4th International Conference on Information and Communications Security, ICICS ’02. Springer-Verlag, London, UK, pp. 278–290.