Private objects shared with a user or group may be associated with an Access Control List (ACL), which enumerates the users and groups granted access to the object. In some cases an object (e.g., a document, collaboration session, or process) itself requires access to other objects (e.g., embedded objects or resources), and/or authorization to share that access with other entities (e.g., other objects, users, or groups). Access control based purely on user identity is insufficient to model complex graphs of objects with different owners, in which an object needs access to other objects and/or must delegate those access rights to other entities (e.g., objects, users, or groups), because the grant is keyed to a user rather than to the object that needs it.
Capability-based security addresses these problems. In capability-based security the authority to access an object is itself represented as a piece of data (e.g., a capability token) that may be passed around, so an object can hold and delegate access without reference to a user identity. However, the traditional capability model differs substantially from an ACL-based infrastructure, making it hard to transition existing applications from one model to the other. Furthermore, delegation under the capability model typically involves wrapping the object in layers of proxy objects (each layer representing one level of the delegation hierarchy), and each access is forwarded through every layer; the proliferation of proxy objects may therefore add significant latency to access-granting decisions. Additionally, because the capability model has no notion of user identity, a search engine over private data would need to infer an ACL for each object by analyzing the object graph, a costly process with a high chance of error.
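The following Python sketch is an added illustration, not code from this application, of the two models described above: an identity-keyed ACL that cannot carry a document's access to its embedded objects, and a capability handle whose delegation wraps the previous holder's handle in another proxy layer, so that access cost grows with delegation depth and a search index must walk every holder's chain to recover an effective ACL. The class and function names (`AclObject`, `Capability`, `Proxy`, `delegate`, `infer_acl`) and the sample objects are assumptions made for the example.

```python
from dataclasses import dataclass, field


# ---------- ACL model: authority is attached to the object and keyed by identity ----------
@dataclass
class AclObject:
    name: str
    acl: set = field(default_factory=set)         # users/groups granted access
    embedded: list = field(default_factory=list)  # objects this object needs to reach


def acl_allows(obj: AclObject, user: str, groups: set) -> bool:
    """Identity-based check: a single set lookup on the object, no graph walk."""
    return user in obj.acl or bool(groups & obj.acl)


def acl_reachable(obj: AclObject, user: str, groups: set) -> bool:
    """A document is usable only if the user can also reach every embedded object.
    Under a pure ACL model the document cannot carry that access on the user's
    behalf, so access to the document alone is not enough."""
    return acl_allows(obj, user, groups) and all(
        acl_reachable(child, user, groups) for child in obj.embedded)


# ---------- Capability model: authority is a reference that can be passed around ----------
class Resource:
    def __init__(self, name: str, payload: str):
        self.name, self.payload = name, payload


class Capability:
    """Direct, unforgeable handle to a resource; whoever holds it has access."""
    def __init__(self, resource: Resource):
        self._target = resource

    def read(self) -> str:
        return self._target.payload

    def resolve(self):
        # (target resource, number of proxy hops, revoked anywhere on the chain)
        return self._target, 0, False


class Proxy:
    """One delegation layer: forwards to the handle it wraps until revoked.
    Each re-delegation wraps the previous holder's handle in another Proxy,
    so a grant N levels down the hierarchy costs N forwards per access."""
    def __init__(self, parent):
        self._parent = parent
        self.revoked = False

    def read(self) -> str:
        if self.revoked:
            raise PermissionError("delegation revoked")
        return self._parent.read()

    def resolve(self):
        target, hops, revoked = self._parent.resolve()
        return target, hops + 1, revoked or self.revoked


def delegate(cap):
    """Hand a revocable copy of `cap` to another principal (hypothetical helper)."""
    return Proxy(cap)


def infer_acl(resource: Resource, holdings: dict) -> set:
    """What an index over private data must do under the capability model:
    walk every principal's handles to find which still bottom out at `resource`
    and are unrevoked, instead of reading a list stored on the object."""
    acl = set()
    for principal, caps in holdings.items():
        for cap in caps:
            target, _hops, revoked = cap.resolve()
            if target is resource and not revoked:
                acl.add(principal)
    return acl


def demo():
    # Constructed example: a report embeds a chart owned by someone else.
    chart = AclObject("chart", acl={"bob"})
    report = AclObject("report", acl={"alice", "bob"}, embedded=[chart])
    alice_can_use_report = acl_reachable(report, "alice", set())   # False: no ACL on chart

    # Same scenario with capabilities: bob delegates his chart handle to alice,
    # alice to carol, carol to dave; each step adds a proxy layer.
    chart_res = Resource("chart", "q3 numbers")
    bob_cap = Capability(chart_res)
    alice_cap = delegate(bob_cap)
    carol_cap = delegate(alice_cap)
    dave_cap = delegate(carol_cap)
    holdings = {"bob": [bob_cap], "alice": [alice_cap],
                "carol": [carol_cap], "dave": [dave_cap]}

    _, dave_hops, _ = dave_cap.resolve()      # 3 forwards on every access
    before = infer_acl(chart_res, holdings)   # all four principals
    alice_cap.revoked = True                  # revoking alice's layer
    after = infer_acl(chart_res, holdings)    # also cuts off carol and dave
    return alice_can_use_report, dave_hops, before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two costs the text attributes to the capability model: `dave_cap.resolve()` reports three forwarding hops for a third-level delegate, and `infer_acl` has to traverse every holder's chain (and redo that traversal after any revocation) to learn what a single set lookup answers under the ACL model.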
Thus it may be desirable to provide a security model that supports granting controlled access to objects and delegating such access rights to other entities, while still providing for efficient access control decisions.