When a process attempts to open a file for writing, the operating system must answer a fundamental question: Is this operation permitted? The answer depends on whether the appropriate access right exists in the access matrix cell connecting that process (subject) to that file (object).

Access rights are the vocabulary of access control—they name the specific operations that can be allowed or denied. But the space of possible rights is vast. A simple file might have read, write, and execute rights. A database table might have SELECT, INSERT, UPDATE, DELETE, ALTER, DROP, GRANT, and more. A cloud resource might have dozens of fine-grained actions. How do we organize this complexity? What makes a right meaningful? And what are the special "meta-rights" that control the access matrix itself?

At the most basic level, access rights map to fundamental operations that subjects can perform on objects. These operations fall into several categories:

Information Flow Rights:

• Read (r): Observe the contents of an object; information flows from object to subject
• Write (w): Modify the contents of an object; information flows from subject to object
• Append (a): Add to the end of an object without reading or modifying existing content
• Execute (x): Use the object as a program; triggers computation based on object contents

Existence Rights:

• Create: Bring a new object into existence
• Delete: Remove an object from existence
• Destroy: Irrecoverably eliminate an object (including backups, caches)

Structural Rights:

• List/Search: Enumerate contents (for directories/containers)
• Traverse: Pass through (for directories) to access children
• Link: Create additional names for an object
• Unlink: Remove a name for an object

Why These Specific Rights?

This categorization isn't arbitrary—it reflects fundamental operations at the hardware level:

• Read corresponds to memory load operations
• Write corresponds to memory store operations
• Execute corresponds to instruction fetch from memory

The Unix permission model (rwx) directly reflects these hardware primitives. Higher-level rights in more complex systems are ultimately compositions of these fundamental operations.

Rights as Predicates:

Formally, a right r can be viewed as a predicate over operations:

$$r(op) = true \iff operation\ op\ is\ permitted\ by\ right\ r$$

When a subject requests to perform operation op on object o, the system checks:

$$\exists r \in A[s, o]: r(op) = true$$

If such a right exists, the operation is permitted.

While basic read/write/execute rights apply broadly, many object types have specialized rights that map to their unique operations:

File System Objects:

Process Objects:

When processes are objects in the access matrix:

• Signal: Send specified signal (SIGTERM, SIGKILL, SIGUSR1, etc.)
• Trace/Debug: Attach debugger, read/write registers and memory
• Priority: Modify scheduling priority (nice, renice)
• Resource: Modify resource limits (ulimit)
• Namespace: Enter or modify process namespaces
• Wait: Wait for process termination, collect exit status

Rights Granularity Trade-offs:

System designers must choose the granularity of rights:

Coarse-grained rights:

• Simpler to understand and manage
• Fewer access matrix cells
• May grant more access than needed (violates least privilege)
• Example: Unix rwx (only 3 rights per object type)

Fine-grained rights:

• Precise control over each operation
• Larger access matrix
• Complex permission management
• Example: Windows 17+ file rights, AWS 100+ S3 actions

Modern systems often provide both: fine-grained rights for detailed control, plus macro-rights (Full Control, Admin) that expand to common combinations.

Beyond rights that control data operations, meta-rights control the access matrix itself. These rights determine who can grant, modify, or revoke other rights.

The Owner Right:

The owner right is the most powerful meta-right. An owner typically can:

• Grant any right on the owned object to any subject
• Revoke any right on the owned object from any subject
• Transfer ownership to another subject
• Delete the object entirely

In the access matrix, owning an object o means having omnipotent authority over column o:

$$owner \in A[s, o] \implies \forall r \in R, \forall s' \in S: s\ can\ enter/delete\ r\ in\ A[s', o]$$

The Copy Right (Grant Option):

Sometimes a subject should be able to grant rights they possess, but only those specific rights. The copy flag (often denoted with an asterisk, e.g., read*) indicates this:

• If A[Alice, file] = {read*, write}, Alice can grant read to others but cannot grant write
• In SQL: GRANT SELECT ON table TO user WITH GRANT OPTION
• The copy right propagates: if Alice grants read* to Bob, Bob can also grant read* to Carol

The Control Right:

Some systems have a control right over subjects. If A[Admin, Process_P] contains 'control', Admin can modify Process_P's row in the access matrix—changing what P can access.

Right Propagation and Revocation:

Meta-rights create chains of granted rights. Consider:

1. Alice (owner) grants read* to Bob
2. Bob grants read* to Carol
3. Carol grants read to Dave

Now Alice revokes Bob's read. What happens?

Cascading revocation: Carol and Dave also lose read (their rights depended on Bob's)

Non-cascading revocation: Carol and Dave keep read (once granted, rights persist)

Different systems choose differently:

• Unix: Implicit permissions don't cascade (no formal grant chains)
• SQL: REVOKE ... CASCADE removes dependent grants
• Capability systems: Revocation is often difficult or impossible

Negative Rights (Deny):

Some systems support explicit deny entries in the access matrix:

$$A[s, o] = {read, \neg write}$$

Deny typically has higher precedence than allow. If conflicting entries exist (via groups), deny wins. This allows expressing "everyone except Bob can write" without enumerating all non-Bob users.

Unix pioneered the famous rwx permission model. Despite its simplicity, this model has nuances that even experienced users misunderstand:

Basic Permission Bits:

-rwxr-x--- 1 alice developers 4096 Jan 15 10:00 program.sh

Special Permission Bits:

• setuid (4000): When executed, process runs as file owner, not executor
• setgid (2000): When executed, process runs with file's group; on directories, new files inherit group
• sticky (1000): On directories, only owner can delete their files

-rwsr-xr-x   setuid set (s instead of x)
-rwxr-sr-x   setgid set
drwxrwxrwt   sticky bit set (t in others' x)

Linux Capabilities:

Traditional Unix has only one superuser (root/UID 0). Linux capabilities divide root's power into ~40 distinct rights:

Capabilities can be assigned to files (like setuid) or to processes. A process with CAP_NET_BIND_SERVICE but not CAP_SYS_ADMIN can bind to port 80 but cannot mount filesystems.

Access Control Lists (ACLs):

Linux ACLs extend the classic model to allow per-user and per-group entries beyond owner/group/other:

$ getfacl file.txt
# file: file.txt
# owner: alice
# group: users
user::rw-
user:bob:r--
group::r--
group:devs:rw-
mask::rw-
other::---

Windows implements a far more granular and complex rights model than Unix. Every securable object has a Security Descriptor containing:

Security Descriptor Components:

1. Owner SID: Who owns the object
2. Group SID: Primary group (largely unused in Windows)
3. DACL: Discretionary ACL—controls who can access the object
4. SACL: System ACL—controls auditing (who is logged when accessing)

ACCESS_MASK Structure:

Windows rights are encoded in a 32-bit ACCESS_MASK:

Bit 31-28: Generic rights (GENERIC_READ, GENERIC_WRITE, etc.)
Bit 27-25: Reserved
Bit 24:    Access system security (SACL access)
Bit 23-20: Standard rights (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE)
Bit 19-16: Object-specific rights (depends on object type)
Bit 15-0:  Object-specific rights (continued)

For files, the object-specific bits include:

• FILE_READ_DATA (0x0001)
• FILE_WRITE_DATA (0x0002)
• FILE_APPEND_DATA (0x0004)
• FILE_READ_EA (0x0008)
• FILE_WRITE_EA (0x0010)
• FILE_EXECUTE (0x0020)
• FILE_DELETE_CHILD (0x0040)
• FILE_READ_ATTRIBUTES (0x0080)
• FILE_WRITE_ATTRIBUTES (0x0100)

Inheritance in Windows:

Windows ACL inheritance is sophisticated. When creating a new file:

1. Inheritable ACEs from parent directory are automatically added
2. OBJECT_INHERIT_ACE → applies to new files
3. CONTAINER_INHERIT_ACE → applies to new directories
4. Both flags → applies to both
5. INHERIT_ONLY → doesn't apply to the directory itself, only children

This creates "inherited" ACEs (marked with INHERITED_ACE flag) that update when the parent changes, enabling centralized permission management.

Privileges vs. Rights:

Windows distinguishes:

• Access Rights: What you can do to objects (stored in DACLs)
• Privileges: What system-wide operations you can perform (in access tokens)

Privileges include: SeBackupPrivilege (bypass checks for backup), SeDebugPrivilege (debug any process), SeShutdownPrivilege (shutdown system). These are similar to Linux capabilities.

Real systems often have rights that imply other rights, or composite rights that bundle multiple primitives:

Right Implication:

If having right r₁ automatically grants right r₂, we say r₁ implies r₂:

$$r_1 \implies r_2 \equiv \forall s, o: r_1 \in A[s, o] \implies r_2 \in EffectiveRights(s, o)$$

Examples:

• Owner implies all other rights on the owned object
• Full Control implies Read, Write, Delete, etc.
• Write often implies Append (writing includes appending)
• Read may imply Execute in some contexts (readable code is runnable)

Composite Rights:

Composite rights are named bundles:

The Expansion Problem:

Composite rights create complexity in authorization:

1. Granting: When granting GENERIC_ALL, what's actually stored?

   • Store the composite name? (Compact, but requires expansion at runtime)
   • Store all primitives? (Large, but simple checking)

2. Checking: When checking FILE_READ_DATA, must we check for GENERIC_READ and GENERIC_ALL too?

   • Yes, if composites aren't expanded at grant time

3. Revoking: When revoking GENERIC_ALL, what happens to the primitives?

   • If stored as composite: primitives remain effective until composite removed
   • If stored expanded: each primitive must be individually removed

Conflict Resolution:

When rights conflict (e.g., explicit deny vs. inherited allow), systems use precedence rules:

1. Explicit deny > Explicit allow (Windows)
2. User-specific > Group-specific (most systems)
3. Lower (more specific) > Higher (more general) in hierarchy
4. First match (order-dependent evaluation)

A right is only meaningful if it's enforced. The system must check rights at the appropriate place and time, and the check must be unforgeable.

Enforcement Points:

Rights are typically checked at:

1. System call interface: When a subject requests an operation
2. Object manager: When translating names to objects
3. Hardware level: MMU checks for memory access, CPU for execution

The Reference Monitor Concept:

All access checks should flow through a reference monitor—a component that:

• Mediates all access to objects
• Is tamper-proof (cannot be bypassed)
• Is small enough to be verifiable
• Is always invoked (complete mediation)

In Unix, the kernel is the reference monitor for file access. Each open(), read(), write(), execve() passes through kernel permission checks. The checks are hardcoded in the kernel, which is trusted.

Check Timing:

When should rights be checked?

• At open time: Unix checks at open(), not at read()/write(). Once a file descriptor is obtained, subsequent operations don't re-check.
• At every operation: Some systems check each operation individually.
• With cached credentials: Token-based systems may cache authorization decisions.

Each approach has trade-offs between performance, security, and responsiveness to permission changes.

We've explored access rights in depth—the specific permissions that populate access matrix cells. Let's consolidate the key concepts:

What's Next:

Now that we understand what rights are and how they're structured, we'll examine how the access matrix is actually implemented in real systems. The next page explores the two fundamental implementation strategies: Access Control Lists (grouping by column) and Capability Lists (grouping by row).