Building a trusted computing base Home ToC Prev Up Next 

What Capabilities are NOT

Typically ACLs and Capabilities are seen as compatible and perhaps equivalent methods to secure access.

The picture is of an access matrix once split into different columns and once split into different rows. But this is NOT the real difference. We talk about capabilities when we let subsets of a users rights FLOW toward resources. This means that NOT all the rights a user potentially has are used in an access control decision. Only the right the user DECIDED to flow in an access attempt are available to the code that protects the resource and implements a function.