Effective access control is hardly a simple matter of specifying and enforcing permissions that apply to pairs of subjects and objects. Consideration must also be given to the programs that mediate access; authentication of users, programs, and objects; rules for administration and delegation of authority; and external constraints. Most important of all, however, is providing administrators with all of the tools they need to specify the rules that can lead to effective access control that meets all of an organization’s objectives.
No one has ever discussed all of these considerations as cogently, completely, and helpfully as the authors of this paper, which describes access control software (implemented only on the Lava operating system) for a distributed application that poses formidable security challenges: the Upper Atmospheric Research Collaboratory system. Data and executables are downloaded to widely distributed systems, where they are used by personnel with diverse needs and authorities. Care must be taken to assure not only that collaborators can gain all the access they need and no more, but also that programs are confined so that they cannot impair the integrity or confidentiality of resources at the remote systems.
The authors’ lucid and detailed description of their methodology, and the extensive and very useful list of references they include, are widely applicable. Their discussions of devices for generalizing over sets, specifying exceptions to generalities, and controlling delegation are particularly useful and insightful. All in all, their exposition is a valuable contribution to the literature that any designer of access control software would do well to read.