
The Access Matrix Again

Consider the final version of the access matrix defined earlier. For each user and each object in the system it recorded a set of access rights drawn from a single, object-independent set (such as read, write, and execute). Every process started by a user inherited all the access rights of that user.

There are several problems with this version of the access matrix:

All processes started by a user have all the access rights of the user. This is undesirable, since a process typically needs access to only a small set of objects to do its job. For instance, a process executing a calendar program needs to access, among all the files in the system, only the `calendar file' that defines a set of appointments; a process executing the compiler needs to access the input source files, the object files, and a few temporary files; and a process that prints the contents of a file needs access only to that file.

The access rights of a process are fixed while it is executing. This again is undesirable, since the set of objects a process needs to access typically changes dynamically. For instance, a compiler, after reading a source file, no longer needs access to that file, yet it retains the right to read it for the rest of its execution.

A process cannot amplify its access rights to include rights that are not available to the user on whose behalf it is executing. Such amplification is necessary for certain kinds of tasks. For instance, a mail program invoked in Unix needs to be able to create a mail file in the directory /usr/spool/mail, which is writable only by root, so an ordinary user's process, holding only that user's rights, cannot deliver mail.

The access rights are object-independent and thus not of a fine enough granularity. For instance, Unix supports only the access rights read, write, and execute, applied uniformly to every object. Often it is important to distinguish between different kinds of reads. As an example, consider a bibliography created by some user who has also put, for each item, an annotation describing his view of the referenced paper. He may want to allow his colleagues to read the reference items, but not the annotations. (Some of the bibliography items may reference papers written by his colleagues!) Unix, however, does not distinguish between these two kinds of object-defined `reads', since both are reads of the same file. Thus the author of the bibliography has to either give no read access to the file or full read access.
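The following is an added example, not part of the original notes, that makes the first, second, and fourth problems concrete in code. It models a toy access matrix whose subjects are processes rather than users, whose rights are operations defined by each object's type, and whose entries can be revoked while a process runs; a `fine_grained=False` switch collapses the object-defined reads onto Unix's single read right so the all-or-nothing effect described above can be observed. The object types, operation names, subjects, and file names are assumptions made up for the example.

```python
"""Toy access matrix with object-defined operations (added example)."""
from collections import defaultdict

# Each object type defines its own operations. These names are assumed for
# the example; Unix offers only read/write/execute for every object.
OBJECT_OPERATIONS = {
    "bibliography": {"read_reference", "read_annotation", "write"},
    "source_file": {"read", "write"},
}


def coarsen(op):
    """Map an object-defined operation onto Unix's object-independent rights:
    every kind of read becomes the single right 'read'."""
    return "read" if op.startswith("read") else op


class AccessMatrix:
    """Rights are kept per (subject, object). Subjects are processes, so an
    entry can be granted or revoked while the process is running."""

    def __init__(self, fine_grained=True):
        self.fine_grained = fine_grained
        self._types = {}                   # object -> object type
        self._rights = defaultdict(set)    # (subject, object) -> operations

    def add_object(self, obj, obj_type):
        self._types[obj] = obj_type

    def grant(self, subject, obj, *ops):
        allowed = OBJECT_OPERATIONS[self._types[obj]]
        unknown = set(ops) - allowed
        if unknown:
            raise ValueError(f"{obj}: undefined operation(s) {sorted(unknown)}")
        if not self.fine_grained:
            ops = {coarsen(op) for op in ops}
        self._rights[(subject, obj)].update(ops)

    def revoke(self, subject, obj, *ops):
        if not self.fine_grained:
            ops = {coarsen(op) for op in ops}
        self._rights[(subject, obj)].difference_update(ops)

    def check(self, subject, obj, op):
        """True if the subject holds the right for this operation on obj."""
        if op not in OBJECT_OPERATIONS[self._types[obj]]:
            return False
        if not self.fine_grained:
            op = coarsen(op)
        return op in self._rights.get((subject, obj), set())


def bibliography_demo(fine_grained):
    """The owner shares the reference items but withholds the annotations.
    Returns (colleague may read references, colleague may read annotations)."""
    m = AccessMatrix(fine_grained)
    m.add_object("bib.txt", "bibliography")
    m.grant("owner", "bib.txt", "read_reference", "read_annotation", "write")
    m.grant("colleague", "bib.txt", "read_reference")
    return (m.check("colleague", "bib.txt", "read_reference"),
            m.check("colleague", "bib.txt", "read_annotation"))


def compiler_demo():
    """A compiler process reads its source once, then its right is dropped.
    Returns (may read before revocation, may read after revocation)."""
    m = AccessMatrix()
    m.add_object("main.c", "source_file")
    m.grant("cc-pid-42", "main.c", "read")
    before = m.check("cc-pid-42", "main.c", "read")
    m.revoke("cc-pid-42", "main.c", "read")   # no longer needed after reading
    after = m.check("cc-pid-42", "main.c", "read")
    return before, after


if __name__ == "__main__":
    print("object-defined rights:", bibliography_demo(True))    # (True, False)
    print("Unix rwx rights:      ", bibliography_demo(False))   # (True, True)
    print("compiler process:     ", compiler_demo())            # (True, False)
```

With object-defined rights the colleague can read references but not annotations; once the rights are coarsened to Unix's single read bit, granting the one read grants the other as well, which is exactly the all-or-nothing choice the text describes. The compiler case shows a per-process entry being revoked mid-execution, something the user-keyed, fixed matrix cannot express.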





Prasun Dewan
Mon Nov 4 12:08:34 EST 1996