ACL (access control lists) generic design questions

[William Herrera <wherrera () skylightview com>]

Hello folks,

I think some here might have suggestions about improvements to existing ACL's.

I'm working on an extensible access-control-list style authorization 
system, beyond the usual read/write authorization schemes, probably to be 
written as a Perl module for CGI use and using a database on the back end. 
This is designed to allow fine control over the use of data and other 
objects by a given user. Right now it mainly uses read/append/edit/delete 
modes, since in its present alpha form it has a well defined groupware use, 
but I intend to make it more flexible than that, generic enough to be used 
as a general-purpose open source perl object authorization module.


In doing so, I'd like to define modes of access beyond the ones allowed by 
Unix and Windows ACL's. These, so far, include:


list object (see the object in a ls or dir listing)

read or view object

append (simple data) to object

add link (to another object) within the object

edit (change existing object's data or structure)

delete object

undelete or roll back object to a prior state

administer (change object's authorizations or modes)

ownership (to be the creator of the object or equivalent)

Does anyone know of an access control type they've wanted in an access
control list but not had?