Date Added: Apr 2013
This paper aims to provide administrators with services for managing permissions in a distributed object system, by connecting business-level tasks to access controls on low level functions. Specifically, the techniques connect abilities (to complete externally invoked functions) to the access controls on individual functions, across all servers. The authors main results are the problem formalization, plus algorithms to synthesize \"Least privilege\" permissions for a given set of desired abilities. Desirable extensions and numerous research issues are identified.