6.3 The Basic Model

Expressing social rights in access control terms allows access control rules based on social rules developed over thousands of years in physical society, and so must be compatible with current declarations of human rights. A right in information terms is an actor (A) applying an operation (O) to an entity (E):

Right = (Actor, Entity, Operation) = (A, E, O)

Social rights are (Actor, Entity, Operation) triplets, where an actor is a data entity that represents an accountable person or group, an entity is any meaningful information record, and an operation is any software method that applies to that entity. An information right can then be stored as a permission. Since an actor is also an entity, an actor can act upon itself, as when a person deletes their membership of say Facebook. This equates to the fact that in the physical world, a person can commit suicide, i.e. “delete” themselves.

Online social interactions involve entities and operations as follows:

1)   Entities. An entity is any meaningful information record.

   a)   Actor Persona. A data entity representing an offline person or group, e.g. a company registered on Facebook.

b)   Object. A data entity that conveys information and meaning.

   i.   Item. A simple object with no dependents, e.g. a bulletin board post.

   ii.  Space. A complex object with dependents, e.g. a bulletin board thread.

c)   Right. A system permission for an actor to operate on an entity.

   i.   Simple right. A right to operate on object or actor entities.

   ii.  Meta-right. A right to operate on a right, e.g. the right to delegate a right.

   iii. Role. A right given to a set of actors, e.g. a friend set.

2)   Operations. Program methods that operate upon entities.

   a)   Null operations do not change the target entity, e.g. view, enter a space.

b)   Use operations change the entity meaning in some way, e.g. edit, delete.

c)   Communication operations transfer data from sender(s) to receiver(s), e.g. email.

d)   Social operations change a right, e.g. delegate.

The following access control rules apply to actors operating on information entities. Some conclusions may seem obvious, but recall that to software nothing is obvious and everything must be specified. The goal is to outline an access control framework that allows software designers to implement socially valid rules.