Power and Permission in Security Systems

It is a standard feature of all organisations that designated agents, usually when acting in specific roles, are empowered by the organisation to create specified kinds of states of affairs — as when, for instance, a priest declares a couple as married and thereby makes it so in the eye of the church, or when a head of department assigns one of his subordinates to a particular project, or when an owner transfers ownership, as opposed to mere physical possession, of an item to another entity. This feature of organisations is referred to variously as ‘(legal) power’, ‘(legal) competence‘, or ‘(legal) capacity’. Jones and Sergot [JS96] use the term institutionalised power to emphasise that this is not a feature of legal systems alone but commonplace in all organisations. The neutral term ‘institution’ is used by them, and other authors, for any kind of formal or informal organisation. The states of affairs created when a designated agent exercises an institutionalised power have conventional significance or meaning inside the institution, though not necessarily outside it. For example, ownership of an object, in contrast to its physical possession, is not something that can be observed, and it is possible that one institution recognises an instance of ownership whereas another institution does not. Searl [Sea69] distinguishes between what he called institutional fact and brute fact. An instance of ownership is an institutional fact; possession is a brute fact. Policies are institutional facts. For example, the security policies of a system hold within that particular system and perhaps not in any other. As pointed out in [JS96], words such as authorisation, right and privilege have a wide variety of meanings in ordinary usage. They are frequently used in computer system applications and in computer security, but still not in any standard way. Sometimes by a word such as ‘right’ we mean a permission, sometimes an institutional power, sometimes a combination of the two, and sometimes something else. In legal theory, the importance of the following distinction has long been recognised. There are three quite different notions: