A disclosure, or confidentiality, policy, in the context of DIB access control, essentially addresses control of information revealed to the requestor of a Directory operation. The Directory supports four types of query operation: READ, COMPARE, LIST, and SEARCH. There are also four types of modify operation: ADD-ENTRY, REMOVE-ENTRY, MODIFY-ENTRY, and MODIFY-DISTINGUISHED-NAME. This section briefly reviews the operations and discusses how confidentiality policy applies to each. This section also provides some specific examples of confidentiality policy fragments that can be supported.
The READ operation is used to extract the contents of a single entry whose name is specified in the request. It may also be used to verify the existence of a particular entry without returning any of the entry's content.
The COMPARE operation is used to compare an attribute value supplied in the request with the value(s) present in an entry whose name is also supplied in the request.
The LIST operation is used to obtain the names of the immediate subordinates of an entry whose name is specified in the request. The term ``immediate subordinates'' refers to the Directory Information Tree (DIT) view of the Directory. The immediate subordinates of a parent entry are all subordinate entries of that parent that are exactly one level below the parent in the DIT. It is important to note that LIST is designed to return entry names that were, presumably, unknown to the requestor prior to the operation.
The SEARCH operation is also designed to return entry names that are unknown to the user. SEARCH, however, can be used to find the names of all subordinates of a particular parent entry. SEARCH can also be used to extract the contents of the subordinates on a selective basis.
ADD-ENTRY is used to add a new leaf entry to the DIT; the operation request specifies the name of the entry to be added together with the attribute types and values that the new entry contains.
REMOVE-ENTRY is used to remove an entire leaf entry from the DIT.
MODIFY-ENTRY is used to perform a series of one or more modifications to a single entry. The kinds of modifications that may be requested include adding/removing an attribute, adding/removing an attribute value, replacing an attribute value, and modifying an alias.
MODIFY-DISTINGUISHED-NAME is used to modify the Relative Distinguished Name (RDN) or any component of the Distinguished Name of an entry. It also (indirectly) has the effect of changing the Distinguished Name of any entry that is subordinate to the entry being renamed. It may also have the effect of moving an entry (and all its subordinates) to another area of the DIT. This operation is another new feature of the new Directory; it replaces the less powerful MODIFY-RELATIVE-DISTINGUISHED-NAME operation in the 1988 Directory standard.
Directory operations, in general, may either succeed or result in one of several possible error conditions. When an operation succeeds, an ``operation result'' is returned to the requestor that contains a standardized collection of information. In some cases, operation results convey no information other than success of the operation. When an operation fails, an ``error result'' is returned to the requestor, indicating what error occurred. An error result may also convey some relevant diagnostic information (perhaps including DIB information).
Controlling disclosure of DIB information during query operations involves controlling several categories of information conveyed in operation results or operation errors. Specifically, the standardized access control mechanisms address the following categories of information:
For each type of operation, the standardized access control mechanisms can control confidentiality for each applicable category of information independently of controls for other operation types. For a given operation type, the mechanisms can control information revealed in the operation result independently of controls on the same information when revealed in an error result.
Also, the categories distinguish between information held in an entry and the Distinguished Name of the entry; the Distinguished Name of an entry is not considered to be contained in the entry. Therefore, the contents of a particular entry and the name of that entry may be controlled independently for a given operation. These controls for different operation types are also independent of each other.
Similarly, the use of entry contents in the selection phase of a SEARCH operation can be controlled independently of controls on disclosure of the same information in SEARCH, READ and COMPARE operation results. During the selection phase of a SEARCH, the Directory checks each entry in the scope of the search to determine if it meets selection criteria specified in the request. If the entry satisfies the criteria, it is included in the SEARCH result, otherwise, it is ignored. For each selection criterion, the Directory checks confidentiality policy to determine if the requestor is allowed access to entry contents needed to evaluate the criterion; if access is denied, the criterion fails. This feature, for example, can be used to preclude inversion of a phone directory that is held in the DIB. The security manager may want to allow users to access phone numbers via the READ operation or the SEARCH operation while also denying the ability to perform a SEARCH operation where the selection criteria are based on a phone number. A SEARCH operation using selection on a phone number could be used to find the name associated with a given phone number. The standardized access control mechanisms allow the manager to specify that the phone number is accessible via READ or SEARCH but SEARCH cannot be used to find the (unknown) name associated with a known number.
The modify operations also potentially result in disclosure. Controlling disclosure of DIB information during a modify operation involves controlling only error results, since the operation results convey no information other than success of the operation. In general, the security manager may choose between error results in situations where modification policy denies a requested modification or where the modification is trying to add something that already exists. The options for each modify operation are summarized below. As for query operations, any error result which reveals a Distinguished Name is subject to confidentiality policy on that name.
If an ADD-ENTRY operation attempts to add an already existing entry, the security manager may choose to reveal the existence of the target entry, or he may choose to return an error that is intended to conceal the existence of the target entry.
If a REMOVE-ENTRY operation attempts to remove an existing entry, the Directory checks applicable modification policy to see if the requestor is allowed to remove the entry. When such policy denies a requested removal, the security manager may choose between returning an error result that is intended to avoid disclosure of the existence of the entry or an error result that does not protect disclosure of the existence of the entry.
Similarly, for each removal in a MODIFY-ENTRY operation, the Directory first checks applicable modification policy to see if the requestor is allowed to remove that particular item. When modification policy denies a requested removal of an existing attribute or value, the security manager may again choose to return an error result that is intended to conceal the existence of the item for which removal was denied; or, alternatively, he may choose to return an error that does not conceal its existence. For modifications that add an attribute or value, the Directory first checks to see if the item to be added already exists. If it does, the security manager may choose to return an error result intended to conceal the existence of the item or he may choose to return an error result that specifically reveals its existence.
Depending on the effect of a MODIFY-DISTINGUISHED-NAME operation, one or more modification policy checks are made to ensure the requestor has permission to perform the operation. If not, the security manager again has the option of either returning an error result intended to conceal the existence of the target entry or an error result that is not intended to protect its existence.