06/25/76 Access Isolation Mechanism (AIM) A new access control mechanism known as the Access Isolation mechanism has been added to Multics. This mechanism provides system-wide administrative control over the access of processes to segments and directories, and over the propagation of access. This document briefly describes the purpose and general concepts of this mechanism. The current Multics access controls provide (1) rings to protect the operating system from the actions of users, and (2) access control lists to allow users, at their discretion, to grant or deny other users access to segments and directories. The access isolation mechanism satisfies a need for system-wide administrative control over the access of processes to segments and directories. Under the access isolation mechanism, each object in the system (segments, directories, messages in message segments) has an access class. Each process has an access authorization, determined at login time from login options, and from maximum authorizations assigned to each person (e.g., Jones), project (e.g., SUNSPOTS), user ID (e.g., Jones.SUNSPOTS), and terminal channel. A process may read (or execute or search) an object if the process' authorization is greater than or equal to the object's access class. A process may write (or modify or append to) an object only if the process' authorization is equal to the object's access class. Future help files will detail the rules for determining effective access when using the access isolation mechanism. Access control lists and ring brackets will continue to operate as before. The major visible change is that a process' effective access to an object will be the maximum access given by the ACL, ring brackets, and access class of the object, taken all together. Within the set of objects and processes having identical access classes and authorizations, ACL's still provide access control at the individual user's discretion. Defaults have been designed so that the access isolation mechanism will be invisible to users and projects not wishing to use it. ----------------------------------------------------------- Historical Background This edition of the Multics software materials and documentation is provided and donated to Massachusetts Institute of Technology by Group BULL including BULL HN Information Systems Inc. as a contribution to computer science knowledge. This donation is made also to give evidence of the common contributions of Massachusetts Institute of Technology, Bell Laboratories, General Electric, Honeywell Information Systems Inc., Honeywell BULL Inc., Groupe BULL and BULL HN Information Systems Inc. to the development of this operating system. Multics development was initiated by Massachusetts Institute of Technology Project MAC (1963-1970), renamed the MIT Laboratory for Computer Science and Artificial Intelligence in the mid 1970s, under the leadership of Professor Fernando Jose Corbato. Users consider that Multics provided the best software architecture for managing computer hardware properly and for executing programs. Many subsequent operating systems incorporated Multics principles. Multics was distributed in 1975 to 2000 by Group Bull in Europe , and in the U.S. by Bull HN Information Systems Inc., as successor in interest by change in name only to Honeywell Bull Inc. and Honeywell Information Systems Inc. . ----------------------------------------------------------- Permission to use, copy, modify, and distribute these programs and their documentation for any purpose and without fee is hereby granted,provided that the below copyright notice and historical background appear in all copies and that both the copyright notice and historical background and this permission notice appear in supporting documentation, and that the names of MIT, HIS, BULL or BULL HN not be used in advertising or publicity pertaining to distribution of the programs without specific prior written permission. Copyright 1972 by Massachusetts Institute of Technology and Honeywell Information Systems Inc. Copyright 2006 by BULL HN Information Systems Inc. Copyright 2006 by Bull SAS All Rights Reserved