I have found three possibilities for what is called an "ACL owner" in the wild:

  • The owner is the protected resource. That's the way EAz goes.
  • The ACL owner is the user who owns and edits the ACL. (like in java.security.acl.Acl or POSIX ACL)
  • The user owns the protected resource and the protected resource owns the ACL. So the user owns the ACL indirectly and is allowed to edit it.

Are there significant shortcomings of one or the other?

Addendum: In most implementations the owner of an ACL is the user who has the right to change the permissions of this ACL and owns the corresponding object.

+2  A: 

There is no standard nomenclature for what you're asking about.

The article you cited says that by implication as it mentions a great many disparate implementations, each with their own view. It does, however, mention "classic ACLs" - a notion I find rather curious...

Classic ACLs don't have "ACL owners". Resources have owners, and resources have attributes, of which ACLs may be one kind. It's odd to think of an ACL separate and apart from a resource. I don't think that fits any mental model that people will inherently grok. The most intuitive relationship is the one I stated above: Resources have owners and if they have ACLs, such ACLs are a reflection of the wishes of the owner(s), and may thereby be seen as attributes.

The "real answer" is that it means whatever you want it to mean, within your own constructs.

RT

Richard T
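
The second and third readings in the question differ in who may edit the ACL once the resource changes hands: with an owner recorded on the ACL itself, the previous owner keeps edit rights after a transfer, while with the ACL as an attribute the right follows the resource. The sketch below is an added example, not code from the question, the answer or any library they mention; the class names, model labels and users are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Acl:
    entries: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> rights
    owner: Optional[str] = None  # consulted only when the ACL carries its own owner


@dataclass
class Resource:
    name: str
    owner: str
    acl: Acl = field(default_factory=Acl)


def may_edit_acl(model: str, user: str, res: Resource) -> bool:
    """Decide who may change the ACL under each reading of 'ACL owner'."""
    if model == "acl_has_own_owner":   # the ACL records an owner of its own
        return res.acl.owner == user
    if model == "acl_is_attribute":    # edit right is derived from the resource owner
        return res.owner == user
    raise ValueError(f"unknown model: {model}")


def grant(model: str, actor: str, res: Resource, principal: str, right: str) -> None:
    """Add a right to the ACL, but only if the actor may edit it."""
    if not may_edit_acl(model, actor, res):
        raise PermissionError(f"{actor} may not edit the ACL of {res.name}")
    res.acl.entries.setdefault(principal, set()).add(right)


def editors_after_transfer(model: str) -> Dict[str, bool]:
    """Create a resource as alice, hand it to bob, report who can edit its ACL."""
    res = Resource("report.txt", owner="alice", acl=Acl(owner="alice"))  # constructed sample
    grant(model, "alice", res, "carol", "read")
    res.owner = "bob"  # the transfer updates the resource only, not acl.owner
    return {u: may_edit_acl(model, u, res) for u in ("alice", "bob")}


if __name__ == "__main__":
    for m in ("acl_has_own_owner", "acl_is_attribute"):
        print(m, editors_after_transfer(m))
```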