In a data processing system in which multiple different users access and execute operations, security and other access control measures may be necessary to prevent one or more users from accessing certain resources and/or executing certain operations. For example, an owner or creator of a file may wish to prevent other users from modifying the owner's file. Access controls are used to control which users have access to a file and what types of operations these users can perform on the file.
Conventionally, various types of access control mechanisms are available, such as discretionary access control (DAC) and role-based access control (RBAC). In discretionary access control, permission is defined in accordance with the identity of the user or invoker of a command. A user or invoker may have an identity such as owner, member of a group, or other. Role-based access control defines access to command execution based on what authorizations the user has been assigned rather than basing access on the user's identity. In role-based access control, a role consists of a set of authorizations. A role is assigned to one or more users. Multiple roles may be assigned to a single user. Such access control mechanisms typically do not work well in a resource-centric operating environment.
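The two decision models described above, side by side, as an added example that is not part of the original text. The user names, role names, authorization strings and command names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)   # a user may hold several roles

@dataclass
class FileObject:
    owner: str
    group: str
    perms: dict   # identity class -> set of permitted operations

# --- DAC: the decision depends on who the invoker is relative to the file ---
def identity_class(user, f):
    """Classify the invoker as owner, group member, or other."""
    if user.name == f.owner:
        return "owner"
    if f.group in user.groups:
        return "group"
    return "other"

def dac_allows(user, f, op):
    return op in f.perms.get(identity_class(user, f), set())

# --- RBAC: the decision depends on authorizations held through roles ---
# Constructed sample policy: each role is a set of authorizations.
ROLES = {
    "backup_operator": {"fs.backup", "fs.restore"},
    "account_admin": {"user.create", "user.passwd"},
}
# Constructed mapping of each command to the authorization it requires.
COMMAND_AUTH = {"backup": "fs.backup", "mkuser": "user.create"}

def authorizations(user):
    """Union of the authorizations of every role assigned to the user."""
    auths = set()
    for role in user.roles:
        auths |= ROLES.get(role, set())
    return auths

def rbac_allows(user, command):
    required = COMMAND_AUTH.get(command)
    # Commands with no mapped authorization are denied by default.
    return required is not None and required in authorizations(user)

# Constructed sample data.
alice = User("alice", groups={"staff"})
bob = User("bob", groups={"staff"}, roles={"backup_operator"})
carol = User("carol", roles={"backup_operator", "account_admin"})
report = FileObject("alice", "staff",
                    {"owner": {"read", "write"}, "group": {"read"}, "other": set()})
```

Alice can modify her own file under DAC but cannot run `backup`, while Carol has no access to the file yet can run both commands through her two roles.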