This article needs additional citations for verification. (October 2016) |
An access control expression with respect to a computer file system is a list of Boolean expressions attached to a file object. An access control expression specifies a Boolean formula that defines which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical access control expression specifies an operation and an expression and an operation. For instance, if a file object has an access control expression that contains (read=(g:system OR u:Alice), write=(g:system AND !u:Bob)))
, this would give any member of the system group or the user named Alice permission to read the file but would allow only members of the system group to write the file, except for the user named Bob.
Conventional access control lists can be viewed as a subset of access control expressions in which the only combining operation allowed is OR.