
Access Lists

The dual of capability lists is access lists, which divide the access matrix by columns. An access list is associated with each object and lists all users together with their privileges over the object. Thus the access lists for our example are:

  fred/prog.c  --> fred(RW) --> jane(R)
  fred/letter  --> fred(RW)
  /usr/ucb/vi  --> fred(X)  --> jane(X)

This arrangement also has some disadvantages. The set of all possible users is likely to be very large, and many users will have identical access rights over an object. Therefore it is useful to group users into classes. All members of the same class can be given the same privileges for the object. Unix follows this approach. It partitions users into three classes:

The owner of the file

Users in the file's group (normally the owner's group)

Other users

Thus "fred/prog.c" can be given the access rights:

  self    RW
  group   R
  others  no access

Only one class applies to a given user: the check tries owner, then group, then others, and stops at the first match. An owner whose own entry carries no rights therefore cannot read the file even when the group entry grants R.

Multics and AFS allow the access list to contain individual user names as well as larger groupings (in AFS the list is attached to a directory and governs every file in it). Thus if Fred wants Jane, who is not in his group, to be able to read and write "fred/prog.c", he can define the access list as follows:

  self    RW
  group   R
  others  no access
  jane    RW
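The three ideas above, the access list as one column of the access matrix, the Unix three-class lookup, and an access list carrying a named-user entry for Jane, as an added Python example that is not code from these notes. The users, their group memberships and the rule that a named-user entry takes precedence over the user's class are assumptions made for the example; Multics and AFS each have their own resolution rules.

```python
"""Access lists as the column view of the access matrix, the Unix
three-class approximation, and an ACL with a named-user entry.
Added example for these notes; users, groups and rights are constructed."""
from dataclasses import dataclass

# --- The access matrix and its two decompositions -------------------------
# Rows are users, columns are objects, cells are sets of rights.
# Constructed from the page's example (fred, jane, prog.c, letter, vi).
MATRIX = {
    ("fred", "fred/prog.c"): {"R", "W"},
    ("jane", "fred/prog.c"): {"R"},
    ("fred", "fred/letter"): {"R", "W"},
    ("fred", "/usr/ucb/vi"): {"X"},
    ("jane", "/usr/ucb/vi"): {"X"},
}

def access_list(matrix, obj):
    """One column of the matrix: every user with rights over `obj`."""
    return {u: set(r) for (u, o), r in matrix.items() if o == obj and r}

def capability_list(matrix, user):
    """One row of the matrix (the dual): every object `user` may touch."""
    return {o: set(r) for (u, o), r in matrix.items() if u == user and r}

# --- Unix: three classes instead of one entry per user --------------------
@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset        # groups the user is a member of

@dataclass(frozen=True)
class UnixFile:
    path: str
    owner: str
    group: str               # the file's group (normally the owner's at creation)
    self_rights: frozenset
    group_rights: frozenset
    other_rights: frozenset

def unix_class(owner, group, user):
    """The single class a user falls into, tested in order self, group, others."""
    if user.name == owner:
        return "self"
    if group in user.groups:
        return "group"
    return "others"

def unix_rights(f, user):
    """Only the matched class counts; a user never picks up another class's rights."""
    return {"self": f.self_rights, "group": f.group_rights,
            "others": f.other_rights}[unix_class(f.owner, f.group, user)]

# --- Multics/AFS style: classes plus named users --------------------------
@dataclass(frozen=True)
class AclFile:
    path: str
    owner: str
    group: str
    entries: tuple           # ((principal, rights), ...); principal is a class
                             # name ("self", "group", "others") or a user name

def acl_rights(f, user):
    """Most specific entry wins: a named-user entry, else the user's Unix class.
    This precedence is an assumption for the example, not Multics' or AFS' rule."""
    for principal, rights in f.entries:
        if principal == user.name:
            return frozenset(rights)
    cls = unix_class(f.owner, f.group, user)
    return frozenset(dict(f.entries).get(cls, ""))

# --- Constructed sample data ----------------------------------------------
FRED = User("fred", frozenset({"staff"}))
JANE = User("jane", frozenset({"students"}))   # constructed: not in fred's group

PROG_C = UnixFile("fred/prog.c", "fred", "staff",
                  frozenset("RW"), frozenset("R"), frozenset())
PROG_C_ACL = AclFile("fred/prog.c", "fred", "staff",
                     (("self", "RW"), ("group", "R"), ("others", ""), ("jane", "RW")))
# The owner class is matched first and exclusively: fred gets nothing here even
# though every member of "staff", fred included, would get R via the group entry.
LOCKED_OUT = UnixFile("fred/notes", "fred", "staff",
                      frozenset(), frozenset("R"), frozenset("R"))

if __name__ == "__main__":
    print("access list:", access_list(MATRIX, "fred/prog.c"))
    for f, u in ((PROG_C, FRED), (PROG_C, JANE), (LOCKED_OUT, FRED)):
        print("unix:", f.path, u.name, sorted(unix_rights(f, u)))
    print("acl:", PROG_C_ACL.path, JANE.name, sorted(acl_rights(PROG_C_ACL, JANE)))
```

With plain Unix classes Jane, not being in Fred's group, falls into "others" and gets no access to prog.c; the named entry in the ACL version is what gives her RW without opening the file to the whole group.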


Prasun Dewan
Mon Nov 4 12:08:34 EST 1996