Separation of mechanism and policy

The separation of mechanism and policy is a design principle in computer science. It states that mechanisms (those parts of a system implementation that control the authorization of operations and the allocation of resources) should not dictate (or overly restrict) the policies according to which decisions are made about which operations to authorize, and which resources to allocate.

This is most commonly discussed in the context of security mechanisms (authentication and authorization), but is actually applicable to a much wider range of resource allocation problems (e.g. CPU scheduling, memory allocation, Quality of Service), and the general question of good object abstraction.

Per Brinch Hansen, the Danish-American computer scientist known for his work on concurrent programming, presented arguments in favor of separation of mechanism and policy.

Artsy, in a 1987 paper, discussed an approach for an operating system design having an "extreme separation of mechanism and policy".

In a 2000 article, Chervenak et al described the principles of mechanism neutrality and policy neutrality.

Rationale and Implications


The separation of mechanism and policy is the fundamental approach of a microkernel that distinguishes it from a monolithic one. A microkernel provides only the mechanisms needed to implement an operating system (low-level address space management, thread management, and inter-process communication), and the majority of operating system services are provided by user-level server processes; a monolithic kernel runs the entire operating system in kernel space and implements all services itself. It is considered important for an operating system to have the flexibility of providing adequate mechanisms to support the broadest possible spectrum of real-world security policies.

It is almost impossible to envision all of the different ways in which a system might be used by different types of users over the life of the product. This means that any hard-coded policies are likely to be inadequate or inappropriate for some (or perhaps even most) users. Decoupling the mechanism implementations from the policy specifications makes it possible for different applications to use the same mechanism implementations with different policies. This means that those mechanisms are likely to better meet the needs of a wider range of users, for a longer period of time.

If it is possible to enable new policies without changing the implementing mechanisms, the costs and risks of such policy changes can be greatly reduced. This could be accomplished merely by segregating mechanisms and their policies into distinct modules, but in cases where a wide or variable range of policies are anticipated, it makes sense to create some non-code means for specifying policies. For instance, policies (e.g. UNIX user/group/other read/write/execute file protections) might be parametrized. Alternatively the implementing mechanisms could be designed to include an interpreter for a new policy specification language. These are usually accompanied by a deferred binding mechanism (e.g. configuration files, or APIs) that permits policy specifications to be added to the system after it has been delivered to the customer.

An example of mechanism/policy separation is the use of card-keys to gain access to locked doors. The mechanisms (magnetic card readers, remote controlled locks, connections to a security server) do not impose any limitations on entrance policy (which people should be allowed to enter which doors, at which times). These decisions are made by a centralized security server, which (in turn) probably makes its decisions by consulting a database of room access rules. Specific authorization decisions can be changed by updating a room access database. If the rule schema of that database proved too limiting, the entire security server could be replaced while leaving the fundamental mechanisms (readers, locks, and connections) unchanged.
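The card-key system above, together with the parametrized and interpreted policy specifications of the preceding paragraph, as an added example (this is not code from the original article). The door controller is the mechanism: it reads a card, asks a decision function, and drives the lock. Policy is supplied as data and interpreted by a separate engine, which can be swapped for one with a different rule schema without touching the controller. The class and field names and the JSON rule schema are hypothetical, and the rule sets below are constructed for the demonstration. One caveat a practitioner would want is visible in the controller: it unlocks only on an explicit `True`, and any exception or non-boolean answer from the policy side is treated as deny, so a broken or unreachable policy server fails closed rather than open.

```python
"""Mechanism/policy separation for a card-key door system (added example)."""
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    card_id: str
    door: str
    at: datetime


class DoorController:
    """Mechanism: card reader, lock, and a link to a decision function.

    It knows nothing about who may enter. Each swipe is forwarded to the
    bound decision function; the lock opens only on an explicit True.
    Exceptions and non-boolean answers are denied (fail closed).
    """

    def __init__(self, decide):
        self._decide = decide
        self.events = []  # (request, unlocked) audit trail

    def set_policy(self, decide):
        """Deferred binding: rebind the policy after deployment."""
        self._decide = decide

    def swipe(self, card_id, door, at):
        req = AccessRequest(card_id, door, at)
        try:
            unlocked = self._decide(req) is True
        except Exception:
            unlocked = False
        self.events.append((req, unlocked))
        return unlocked


class RulePolicy:
    """Policy engine v1: flat allow rules in JSON with optional time
    windows; anything not matched by a rule is denied."""

    def __init__(self, rules_json):
        self.rules = json.loads(rules_json)["rules"]

    def decide(self, req):
        for r in self.rules:
            if req.card_id in r["cards"] and req.door in r["doors"]:
                start, end = r.get("hours", [0, 24])
                days = r.get("days", list(range(7)))
                if start <= req.at.hour < end and req.at.weekday() in days:
                    return True
        return False


class RolePolicy:
    """Policy engine v2: role-based schema. Replaces v1 entirely while
    DoorController stays unchanged. A door with no roles listed is denied."""

    def __init__(self, rules_json):
        doc = json.loads(rules_json)
        self.card_roles = doc["card_roles"]
        self.door_roles = doc["door_roles"]

    def decide(self, req):
        held = set(self.card_roles.get(req.card_id, []))
        needed = set(self.door_roles.get(req.door, []))
        return bool(held & needed)


def broken_policy(req):
    """Simulates an unreachable rule database; must not open the door."""
    raise RuntimeError("policy database unreachable")


# Constructed sample policies (hypothetical card and door identifiers).
V1_RULES = json.dumps({"rules": [
    {"cards": ["card-1001"], "doors": ["lab-2"], "hours": [8, 18], "days": [0, 1, 2, 3, 4]},
    {"cards": ["card-9000"], "doors": ["lab-2", "server-room"]},
]})
V2_RULES = json.dumps({
    "card_roles": {"card-1001": ["researcher"], "card-9000": ["facilities"]},
    "door_roles": {"lab-2": ["researcher", "facilities"], "server-room": ["facilities"]},
})


def demo():
    """Run one unchanged mechanism against three policies; return decisions."""
    tuesday_noon = datetime(2024, 3, 5, 12, 0)
    sunday_noon = datetime(2024, 3, 10, 12, 0)
    ctl = DoorController(RulePolicy(V1_RULES).decide)
    out = {
        "v1_weekday": ctl.swipe("card-1001", "lab-2", tuesday_noon),
        "v1_sunday": ctl.swipe("card-1001", "lab-2", sunday_noon),
        "v1_unknown_card": ctl.swipe("card-4242", "lab-2", tuesday_noon),
    }
    ctl.set_policy(RolePolicy(V2_RULES).decide)  # schema change, mechanism untouched
    out["v2_sunday"] = ctl.swipe("card-1001", "lab-2", sunday_noon)
    out["v2_server_room"] = ctl.swipe("card-1001", "server-room", sunday_noon)
    ctl.set_policy(broken_policy)
    out["broken_policy"] = ctl.swipe("card-9000", "server-room", tuesday_noon)
    return out


if __name__ == "__main__":
    for name, unlocked in demo().items():
        print(f"{name}: {'unlock' if unlocked else 'deny'}")
```

Note that both engines deny by default: the mechanism never has to know what "no matching rule" means, because the policy side always returns a definite answer, and the controller's own `is True` check plus the exception handler guarantee that an ambiguous or failed decision cannot open a door. The audit trail lives in the mechanism, since it is the one component that sees every attempt regardless of which policy engine is current.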

See also

  • Separation of protection and security: the design choice of treating protection as a mechanism and security as a policy. Wulf et al identified protection as a mechanism and security as a policy, making the protection-security distinction a particular case of the separation of mechanism and policy principle.


External links

  • Raphael A. Finkel, An Operating Systems Vade Mecum: [ftp://ftp.cs.uky.edu/cs/manuscripts/vade.mecum.2.pdf]