Operations are actor–initiated methods on data entities subject to access control. When an actor requests an operation on a data entity, access control either permits it by passing it to a program or denies it with a message explaining why. In this context, requests can be clustered into basic operation classes as follows:
Create. A create generates a new entity based on data given, e.g. to create a Wikipedia stub for others to edit. Duplicate uses information from an existing entity to create a new copy. Download transfers a copy to another space, while Print transfers a copy to the printer. All are classed as a “Create” for these purposes.
Edit. A simple edit alters the information in an entity. Append adds to the data but does not alter any existing data. Edit Version saves the changes as a new entity and keeps a previous version. Revert is the inverse that replaces the current copy with a previous version, as Wikipedia does. While create adds a new entity, edit changes an existing entity.
Delete. A simple Delete flags an entity for destruction at some later time. Undelete reverses that operation. Destroy is the operation that removes the entity permanently. De-activate invalidates a persona entity by denying the logon operation that activates it, but does not delete or destroy it as a data entity.
View. A simple View lets a person look at the information in an entity. Variations include being able to see some but not all of the content associated with it, e.g. viewing a post on a game need not show a “Spoiler”. Since view is a null act that does not change a target’s information it is irrelevant on the information level, but on the social level it is highly relevant, e.g. in some cultures staring at people is an act of aggression, and it is well known that being looked at energizes the viewed party (Geen and Gange, 1983), an effect called social facilitation. In social media, that others are viewing a tweet or post is important so view is not “nothing” at this level, And that an online video has gone viral makes others want to view it too. The effect of viewing illustrates how social requirements “flow down” to software design (see Figure 1.9)
Move. Changes the parent of an object in an hierarchy.
Logon. Lets a person activate a persona.
Include. Adds a persona to a group permission set.
Exclude. Removes a persona from a group permission set.
Enter. Grants access to view the objects in a space.
Ban. Denies access to view the objects in a space.
Allocate. Grants a right to another actor, e.g. to “friend” a person on Facebook.
Delegate. Temporarily grants a right to another.
Transfer. Permanently grants a right to another.
More details follow, but Table 6.2 below shows how the basic operation classes apply to different entity types. Each class has many variants, but this does not affect the key access control issues.
Communication. In a simple communication a sender creates a message that a receiver views. It is by definition a joint act where both parties have choice, so communication should be by mutual consent. The right to remain silent is the choice not to send messages while asking “Can I talk to you?” is getting permission to communicate. The resulting access control rule is:
Rule 5: Every communication act requires prior mutual consent.
The evolution of telephony reflects how this social requirement affected technical design. At first phones just transmitted information so the phone rang and one answered not knowing who was calling. This allowed telemarketing, the forerunner of spam. Cell phones then showed caller id by default so one could choose to respond, i.e. it was more mutual. Social networks then added the synergy that each person could type in their own name and share it with others to add to their contact list, while people using cell phones still had to personally type in contact list names. Just as the engineers who designed TV remotes were locked into the physical level, cell-phone companies were locked into an information level mind-set. Now, as people show a name instead of a number when they call, technology is adjusting to social realities. Giving people the right not to accept messages from anonymous senders is a defense against spam.
Table 6.2: Operation sets by entity type
Entity Type |
Operations |
1. Actor Entities |
|
a. Persona |
View, Delete, Edit, Logon, Deactivate |
b. Role |
View, Delete, Edit, Include, Exclude |
c. Group |
View, Delete, Edit, Join, Leave |
2. Object Entities |
|
a. Item |
View, Delete, Edit, Move |
b. Space |
View, Delete, Edit, Move, Enter, Ban, Create (within) |
3. Right |
View, Edit, Allocate, Delegate, Transfer |