DACS DACS - The Distributed Access Control System

About DACS

DACS is designed, implemented, and owned by DSS, a small, privately-held software development house that creates leading-edge, professional quality open source software. Our goal is to produce software that is powerful yet as simple as possible.

Development of DACS began in May, 2001, funded in part by GeoConnections. A key component [0-broken, 1-broken, 2] of Canada's National Forest Information System (NFIS) for many years, DACS is currently deployed on over 20 servers across more than a dozen jurisdictions spanning the country to provide authentication and role provisioning capabilities for the Canadian Forest Service Network (CFSNet). Canadian federal and provincial government departments, programs, and initiatives use DACS to secure their web resources. Additionally, DACS is actively used:

Several GNU/Linux-based distributions, such as Debian, Ubuntu, and Linux Mint include DACS as a package. Although DSS helps to facilitate those packages, we do not prepare, maintain, or test them for those specific platforms. The Debian project uses DACS for its single sign-on system for web services.

Although it is a general-purpose system, DACS has been deployed in support of web-based applications in the geospatial domain and has been the subject of three Open Geospatial Consortium initiatives (CIPI 1.1, CIPI 1.2, and OWS-3).

References from DACS installations are available upon request.

In collaboration with Metalogic Software Corp., which has contributed to the testing, demonstration, and design of DACS, DSS provides technical support for DACS.

If you are unfamiliar with DACS, the information in our Resources area is a good place to start. Complete technical documentation for the current release is also available.


DACS provides web site administrators and software developers with a coherent and simple external framework for describing and enforcing access control based on user identity, resource attributes, and context. In the same way that developers use existing software libraries (such as math, cryptographic, graphics, and LDAP support functions), databases, and other reusable components instead of implementing them from scratch, DACS lets programmers delegate the hard parts of authentication, authorization checking, and single sign-on to a system specifically designed for that purpose. And it lets them, and web site administrators, reap the benefits without a large investment in software and training.

DACS gives you:

While programmers have long accepted the benefits of adopting third-party solutions that involve considerable domain-specific knowledge and which are challenging to develop, they continue to reimplement their own access control and authentication solutions. Why? The disadvantages are obvious. Application-specific user accounts and passwords proliferate. Each application adopts its own conventions, languages, and syntaxes. If integration with an external authentication framework is required, each application implements its own interfaces to it. Following this approach increases software development and maintenance costs, and results in complicated and fragile software that is more expensive to administer and unpleasant for its users.

Single sign-on systems (and identity management systems) have been the next Big Thing for years, with trade magazines regularly trotting out cover stories on them. Still, these systems are catching on very slowly for web-based applications. With all of the advantages that they promise, why should this be? We think there are several major issues:

  1. Fear of Complexity
    Frequently, potential users of these technologies don't quite understand what single sign-on, authentication, and access control are, how they work, and how they interoperate. Or, they think they do until it is time to face some of the subtleties of deploying these technologies in their computing environment. And there is a sense that making the wrong decision would be much worse than falling back on simpler, well-understood methods. It is difficult to trust something that you do not understand or are uncomfortable with, particularly in the realm of computer system security.

    Many of the articles on these subjects are framed in terms of the Big Picture, where everyone has a single digital identity that is universally recognized and single sign-on greases the gears of web-based commerce so that a consumer can conveniently buy a DVD from one vendor, purchase concert tickets from another, access his corporate intranet, and file his income tax return, without having to sign on at each web site. We hear talk of "consumer identity software" that "ties together services and software, consumers and businesses". This is bound to scare away organizations, businesses, institutions, federations, and schools that are only concerned with finding the simplest solution to their "small" problem, which typically involves securely and conveniently controlling access to web-based resources located on one or more of their servers.

    Are the solutions that you need the same as those developed to address the problems of large corporations and e-commerce?

    Some organizations do indeed have complicated authentication and authorization requirements and have a legitimate fear of making changes that could cause grief to users, make extra work for system administrators, or introduce security problems. One of the consequences of this, however, is that over time they tend to accumulate jungles of authentication and security dependencies that they dare not touch. That is, until there is a major security breach or things suddenly stop working.

    Solutions aimed at the "enterprise level" are invariably difficult to understand and learn, and complicated to use. This increases the fear factor of potential adoptees and decreases their ability to customize and build on the solutions. With DACS, we focus on providing solutions that are as simple as possible (but no simpler).

  2. Lack of Suitable Solutions
    Throughout the DACS documentation we emphasize that DACS is flexible. What we mean is that we do not presume to know very much about your particular authentication and access control requirements. Every organization is different in these respects and rigid, inflexible software will necessarily force you to do things its way. Consequently, one of the tenets behind DACS is that it must provide a wide range of solutions and be easy to extend and configure. Whenever possible, its modular design and implementation gives administrators with alternatives and, especially, ways of leveraging existing software and user accounts to reduce administrative effort so that it can do things your way instead of vice versa. Provided the DACS architecture is appropriate for your computing environment, you should be confident that it can meet your single sign-on or access control requirements.

    DACS is increasingly programmable and extensible. While it can solve many kinds of authentication and authorization checking problems out-of-the-box, DACS can also be viewed as a toolbox from which a wide spectrum of solutions can be assembled, even ones unforeseen by its creators.

  3. Expense
    When considering adopting a significant software component, of course there's the expense of the software itself to consider, including on-going licensing and maintenance costs, but also the hidden costs (in time and salary) of installing, learning, configuring, upgrading, and continually administering the software. One of the promises of single sign-on is to save money, and it sometimes can, but when considering alternatives remember: large solutions usually cost large dollars.

    DACS, which is free to most users, provides the cost savings of single sign-on while keeping administrative overhead down. DACS may lack some of the bells and whistles of similar software, but how much are you willing to pay for them? Should DACS not provide all of the features and capabilities that you require, you can build customizations in-house or contact us for information, advice, or development services to extend DACS to meet your needs.

  4. Risk
    It is far from clear in the long run whether a particular technology or vendor's implementation will win out in this arena, or even whether any of the current crop of approaches will catch on. This makes any significant investment in these systems risky. Because in many cases it costs nothing to use, and excellent, low-cost technical support is available should you need it, DACS gives you a low-risk way to become familiar with the basic technologies while developing a better understanding of your organization's needs.

    Because most of the technologies used by "enterprise level" solutions were developed by big industry players or consortia, some observers have questions about intellectual property issues [1, 2] that surround these solutions and how they will affect this sector of the software industry.

Here are a few characteristics of DACS that we think you should carefully consider when comparing it against alternative solutions:

Why Not DACS?

Perhaps we can save you some time by touching on why you might look elsewhere for single sign-on, authentication, or authorization technologies. Here are some things that might be important to you:

$Id: $