The easiest way to begin an analysis of supported policy is to avoid the complications that arise when more than one security authority is considered. Suppose the entire DIB is managed by one organization that has a single security manager who is responsible for all facets of security policy. Furthermore, suppose the security manager has not delegated his authority in any way. In particular, there is no discretionary setting of access rights by anyone other than this manager. In this simplified authority environment, we can explore and characterize many of the access control rules that can be enforced using the standardized access control mechanisms. It should be noted that, in this simplified authority scenario, there is no essential difference between the two new Directory access control mechanisms; the major difference becomes apparent only when delegation of authority is considered. That difference is emphasized in a later section, where scenarios involving multiple authorities are discussed.
A first characterization of supported security policy (in the simplified authority environment) views all access control in terms of three broad categories of policy:
Each of these categories is expanded into specific policy issues below.