DCAC is a practical OS-level access control system that supports application-defined principals. It allows normal users to perform administrative operations within their privilege, enabling isolation and privilege separation for applications. It does not require centralized policy specification or management, giving applications freedom to manage their principals while the policies are still enforced by the OS. DCAC uses hierarchically-named attributes as a generic framework for user-defined policies such as groups defined by normal users.
DCAC also supports NFSv3.
For more information, please see the USENIX ATC 2014 paper:
Application-Defined Decentralized Access Control
Yuanzhong Xu (yxu@cs.utexas.edu) Alan M. Dunn (adunn@cs.utexas.edu) Owen S. Hofmann (osh@cs.utexas.edu) Michael Z. Lee (mzlee@cs.utexas.edu) Syed Akbar Mehdi (samehdi@cs.utexas.edu) Emmett Witchel (witchel@cs.utexas.edu)