1

2
3
4
5
6
7 Network Working Group E. Stokes
8 Request for Comments: 2820 D. Byrne
9 Category: Informational IBM
10 B. Blakley
11 Dascom
12 P. Behera
13 Netscape
14 May 2000
15
16
17 Access Control Requirements for LDAP
18
19 Status of this Memo
20
21 This memo provides information for the Internet community. It does
22 not specify an Internet standard of any kind. Distribution of this
23 memo is unlimited.
24
25 Copyright Notice
26
27 Copyright (C) The Internet Society (2000). All Rights Reserved.
28
29 Abstract
30
31 This document describes the fundamental requirements of an access
32 control list (ACL) model for the Lightweight Directory Application
33 Protocol (LDAP) directory service. It is intended to be a gathering
34 place for access control requirements needed to provide authorized
35 access to and interoperability between directories.
36
37 The keywords "MUST", "SHOULD", and "MAY" used in this document are to
38 be interpreted as described in [bradner97].
39
40 1. Introduction
41
42 The ability to securely access (replicate and distribute) directory
43 information throughout the network is necessary for successful
44 deployment. LDAP's acceptance as an access protocol for directory
45 information is driving the need to provide an access control model
46 definition for LDAP directory content among servers within an
47 enterprise and the Internet. Currently LDAP does not define an
48 access control model, but is needed to ensure consistent secure
49 access across heterogeneous LDAP implementations. The requirements
50 for access control are critical to the successful deployment and
51 acceptance of LDAP in the market place.
52
53 The RFC 2119 terminology is used in this document.
54
55
56
57
58 Stokes, et al. Informational [Page 1]
59 FF
60 RFC 2820 Access Control Requirements for LDAP May 2000
61
62
63 2. Objectives
64
65 The major objective is to provide a simple, but secure, highly
66 efficient access control model for LDAP while also providing the
67 appropriate flexibility to meet the needs of both the Internet and
68 enterprise environments and policies.
69
 70 This generally leads to several general requirements that are
71 discussed below.
72
73 3. Requirements
74
75 This section is divided into several areas of requirements: general,
76 semantics/policy, usability, and nested groups (an unresolved issue).
77 The requirements are not in any priority order. Examples and
78 explanatory text is provided where deemed necessary. Usability is
79 perhaps the one set of requirements that is generally overlooked, but
80 must be addressed to provide a secure system. Usability is a security
81 issue, not just a nice design goal and requirement. If it is
82 impossible to set and manage a policy for a secure situation that a
83 human can understand, then what was set up will probably be non-
84 secure. We all need to think of usability as a functional security
85 requirement.
86
87 3.1 General
88
89 G1. Model SHOULD be general enough to support extensibility to add
90 desirable features in the future.
91
92 G2. When in doubt, safer is better, especially when establishing
93 defaults.
94
95 G3. ACL administration SHOULD be part of the LDAP protocol. Access
96 control information MUST be an LDAP attribute.
97
98 G4. Object reuse protection SHOULD be provided and MUST NOT inhibit
99 implementation of object reuse. The directory SHOULD support policy
100 controlling the re-creation of deleted DNs, particularly in cases
101 where they are re-created for the purpose of assigning them to a
102 subject other than the owner of the deleted DN.
103
104 3.2 Semantics / Policy
105
106 S1. Omitted as redundant; see U8.
107
108 S2. More specific policies must override less specific ones (e.g.
109 individual user entry in ACL SHOULD take precedence over group entry)
110 for the evaluation of an ACL.
111
112
113
114 Stokes, et al. Informational [Page 2]
115 FF
116 RFC 2820 Access Control Requirements for LDAP May 2000
117
118
119 S3. Multiple policies of equal specificity SHOULD be combined in
120 some easily-understood way (e.g. union or intersection). This is
121 best understood by example. Suppose user A belongs to 3 groups and
122 those 3 groups are listed on the ACL. Also suppose that the
123 permissions for each of those groups are not identical. Each group is
124 of equal specificity (e.g. each group is listed on the ACL) and the
125 policy for granting user A access (given the example) SHOULD be
126 combined in some easily understood way, such as by intersection or
127 union. For example, an intersection policy here may yield a more
128 limited access for user A than a union policy.
129
130 S4. Newly created directory entries SHOULD be subject to a secure
131 default policy.
132
133 S5. Access policy SHOULD NOT be expressed in terms of attributes
134 which the directory administrator or his organization cannot
135 administer (e.g. groups whose membership is administered by another
136 organization).
137
138 S6. Access policy SHOULD NOT be expressed in terms of attributes
139 which are easily forged (e.g. IP addresses). There may be valid
140 reasons for enabling access based on attributes that are easily
141 forged and the behavior/implications of doing that should be
142 documented.
143
144 S7. Humans (including administrators) SHOULD NOT be required to
145 manage access policy on the basis of attributes which are not
146 "human-readable" (e.g. IP addresses).
147
148 S8. It MUST be possible to deny a subject the right to invoke a
149 directory operation. The system SHOULD NOT require a specific
150 implementation of denial (e.g. explicit denial, implicit denial).
151
152 S9. The system MUST be able (semantically) to support either
153 default-grant or default-deny semantics (not simultaneously).
154
155 S10. The system MUST be able to support either union semantics or
156 intersection semantics for aggregate subjects (not simultaneously).
157
158 S11. Absence of policy SHOULD be interpretable as grant or deny.
159 Deny takes precedence over grant among entries of equal specificity.
160
161 S12. ACL policy resolution MUST NOT depend on the order of entries
162 in the ACL.
163
164 S13. Rights management MUST have no side effects. Granting a
165 subject one right to an object MUST NOT implicitly grant the same or
166 any other subject a different right to the same object. Granting a
167
168
169
170 Stokes, et al. Informational [Page 3]
171 FF
172 RFC 2820 Access Control Requirements for LDAP May 2000
173
174
175 privilege attribute to one subject MUST NOT implicitly grant the same
176 privilege attribute to any other subject. Granting a privilege
177 attribute to one subject MUST NOT implicitly grant a different
178 privilege attribute to the same or any other subject. Definition: An
179 ACL's "scope" is defined as the set of directory objects governed by
180 the policy it defines; this set of objects is a sub-tree of the
181 directory. Changing the policy asserted by an ACL (by changing one
182 or more of its entries) MUST NOT implicitly change the policy
183 governed by an ACL in a different scope.
184
185 S14. It SHOULD be possible to apply a single policy to multiple
186 directory entries, even if those entries are in different subtrees.
187 Applying a single policy to multiple directory entries SHOULD NOT
188 require creation and storage of multiple copies of the policy data.
189 The system SHOULD NOT require a specific implementation (e.g. nested
190 groups, named ACLs) of support for policy sharing.
191
192 3.3 Usability (Manageability)
193
194 U1. When in doubt, simpler is better, both at the interface and in
195 the implementation.
196
197 U2. Subjects MUST be drawn from the "natural" LDAP namespace; they
198 should be DNs.
199
200 U3. It SHOULD NOT be possible via ACL administration to lock all
201 users, including all administrators, out of the directory.
202
203 U4. Administrators SHOULD NOT be required to evaluate arbitrary
204 Boolean predicates in order to create or understand policy.
205
206 U5. Administrators SHOULD be able to administer access to
207 directories and their attributes based on their sensitivity, without
208 having to understand the semantics of individual schema elements and
209 their attributes (see U9).
210
211 U6. Management of access to resources in an entire subtree SHOULD
212 require only one ACL (at the subtree root). Note that this makes
213 access control based explicitly on attribute types very hard, unless
214 you constrain the types of entries in subtrees. For example, another
215 attribute is added to an entry. That attribute may fall outside the
216 grouping covered by the ACL and hence require additional
217 administration where the desired affect is indeed a different ACL.
218 Access control information specified in one administrative area MUST
219 NOT have jurisdiction in another area. You SHOULD NOT be able to
220 control access to the aliased entry in the alias. You SHOULD be able
221 to control access to the alias name.
222
223
224
225
226 Stokes, et al. Informational [Page 4]
227 FF
228 RFC 2820 Access Control Requirements for LDAP May 2000
229
230
231 U7. Override of subtree policy MUST be supported on a per-
232 directory-entry basis.
233
234 U8. Control of access to individual directory entry attributes (not
235 just the whole directory entry) MUST be supported.
236
237 U9. Administrator MUST be able to coarsen access policy granularity
238 by grouping attributes with similar access sensitivities.
239
240 U10. Control of access on a per-user granularity MUST be supported.
241
242 U11. Administrator MUST be able to aggregate users (for example, by
243 assigning them to groups or roles) to simplify administration.
244
245 U12. It MUST be possible to review "effective access" of any user,
246 group, or role to any entry's attributes. This aids the administrator
247 in setting the correct policy.
248
249 U13. A single administrator SHOULD be able to define policy for the
250 entire directory tree. An administrator MUST be able to delegate
251 policy administration for specific subtrees to other users. This
252 allows for the partitioning of the entire directory tree for policy
253 administration, but still allows a single policy to be defined for
254 the entire tree independent of partitioning. (Partition in this
255 context means scope of administration). An administrator MUST be able
256 to create new partitions at any point in the directory tree, and MUST
257 be able to merge a superior and subordinate partition. An
258 administrator MUST be able to configure whether delegated access
259 control information from superior partitions is to be accepted or
260 not.
261
262 U14. It MUST be possible to authorize users to traverse directory
263 structure even if they are not authorized to examine or modify some
264 traversed entries; it MUST also be possible to prohibit this. The
265 tree structure MUST be able to be protected from view if so desired
266 by the administrator.
267
268 U15. It MUST be possible to create publicly readable entries, which
269 may be read even by unauthenticated clients.
270
271 U16. The model for combining multiple access control list entries
272 referring to a single individual MUST be easy to understand.
273
274 U17. Administrator MUST be able to determine where inherited policy
275 information comes from, that is, where ACLs are located and which
276 ACLs were applied. Where inheritance of ACLs is applied, it must be
277 able to be shown how/where that new ACL is derived from.
278
279
280
281
282 Stokes, et al. Informational [Page 5]
283 FF
284 RFC 2820 Access Control Requirements for LDAP May 2000
285
286
287 U18. It SHOULD be possible for the administrator to configure the
288 access control system to permit users to grant additional access
289 control rights for entries which they create.
290
291 4. Security Considerations
292
293 Access control is a security consideration. This documents addresses
294 the requirements.
295
296 5. Glossary
297
298 This glossary is intended to aid the novice not versed in depth about
299 access control. It contains a list of terms and their definitions
300 that are commonly used in discussing access control [emca].
301
302 Access control - The prevention of use of a resource by unidentified
303 and/or unauthorized entities in any other that an authorized manner.
304
305 Access control list - A set of control attributes. It is a list,
306 associated with a security object or a group of security objects.
307 The list contains the names of security subjects and the type of
308 access that may be granted.
309
310 Access control policy - A set of rules, part of a security policy, by
311 which human users, or their representatives, are authenticated and by
312 which access by these users to applications and other services and
313 security objects is granted or denied.
314
315 Access context - The context, in terms of such variables as location,
316 time of day, level of security of the underlying associations, etc.,
317 in which an access to a security object is made.
318
319 Authorization - The granting of access to a security object.
320
321 Authorization policy - A set of rules, part of an access control
322 policy, by which access by security subjects to security objects is
323 granted or denied. An authorization policy may be defined in terms
324 of access control lists, capabilities, or attributes assigned to
325 security subjects, security objects, or both.
326
327 Control attributes - Attributes, associated with a security object
328 that, when matched against the privilege attributes of a security
329 subject, are used to grant or deny access to the security object. An
330 access control list or list of rights or time of day range are
331 examples of control attributes.
332
333 Credentials - Data that serve to establish the claimed identity of a
334 security subject relative to a given security domain.
335
336
337
338 Stokes, et al. Informational [Page 6]
339 FF
340 RFC 2820 Access Control Requirements for LDAP May 2000
341
342
343 Privilege attributes - Attributes, associated with a security subject
344 that, when matched against control attributes of a security object,
345 are used to grant or deny access to that subject. Group and role
346 memberships are examples of privilege attributes.
347
348 Security attributes - A general term covering both privilege
349 attributes and control attributes. The use of security attributes is
350 defined by a security policy.
351
352 Security object - An entity in a passive role to which a security
353 policy applies.
354
355 Security policy - A general term covering both access control
356 policies and authorization policies.
357
358 Security subject - An entity in an active role to which a security
359 policy applies.
360
361 6. References
362
363 [ldap] Kille, S., Howes, T. and M. Wahl, "Lightweight Directory
364 Access Protocol (v3)", RFC 2251, August 1997.
365
366 [ecma] ECMA, "Security in Open Systems: A Security Framework"
367 ECMA TR/46, July 1988.
368
369 [bradner97] Bradner, S., "Key Words for use in RFCs to Indicate
370 Requirement Levels", BCP 14, RFC 2119, March 1997.
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394 Stokes, et al. Informational [Page 7]
395 FF
396 RFC 2820 Access Control Requirements for LDAP May 2000
397
398
399 7. Authors' Addresses
400
401 Bob Blakley
402 Dascom
403 5515 Balcones Drive
404 Austin, TX 78731
405 USA
406
407 Phone: +1 512 458 4037 ext 5012
408 Fax: +1 512 458 2377
409 EMail: blakley@dascom.com
410
411
412 Ellen Stokes
413 IBM
414 11400 Burnet Rd
415 Austin, TX 78758
416 USA
417
418 Phone: +1 512 838 3725
419 Fax: +1 512 838 0156
420 EMail: stokes@austin.ibm.com
421
422
423 Debbie Byrne
424 IBM
425 11400 Burnet Rd
426 Austin, TX 78758
427 USA
428
429 Phone: +1 512 838 1930
430 Fax: +1 512 838 8597
431 EMail: djbyrne@us.ibm.com
432
433
434 Prasanta Behera
435 Netscape
436 501 Ellis Street
437 Mountain View, CA 94043
438 USA
439
440 Phone: +1 650 937 4948
441 Fax: +1 650 528-4164
442 EMail: prasanta@netscape.com
443
444
445
446
447
448
449
450 Stokes, et al. Informational [Page 8]
451 FF
452 RFC 2820 Access Control Requirements for LDAP May 2000
453
454
455 8. Full Copyright Statement
456
457 Copyright (C) The Internet Society (2000). All Rights Reserved.
458
459 This document and translations of it may be copied and furnished to
460 others, and derivative works that comment on or otherwise explain it
461 or assist in its implementation may be prepared, copied, published
462 and distributed, in whole or in part, without restriction of any
463 kind, provided that the above copyright notice and this paragraph are
464 included on all such copies and derivative works. However, this
465 document itself may not be modified in any way, such as by removing
466 the copyright notice or references to the Internet Society or other
467 Internet organizations, except as needed for the purpose of
468 developing Internet standards in which case the procedures for
469 copyrights defined in the Internet Standards process must be
470 followed, or as required to translate it into languages other than
471 English.
472
473 The limited permissions granted above are perpetual and will not be
474 revoked by the Internet Society or its successors or assigns.
475
476 This document and the information contained herein is provided on an
477 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
478 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
479 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
480 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
481 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
482
483 Acknowledgement
484
485 Funding for the RFC Editor function is currently provided by the
486 Internet Society.
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506 Stokes, et al. Informational [Page 9]
507 FF
508