Imagine that my EHR system were written in Java. I might have

    class EHR {
        Person patient;        // link to owner
        Medications meds;      // less sensitive
        TestResults tests;     // more sensitive
        GymData gym;           // third party
        // assume a bunch of methods, getters, setters, etc.
        TestResults getTests() { ... }
        Medications getMeds() { ... }
    }

Assume an authorization rule that Doctors can always read current medications, but Nurses can only read them for patients on their floor when they are on duty. Nurses may never read test results. How might we enforce this on getMeds at the code level?

------------------------------------

The ACL approach:

    Medications getMeds(Person reader) {
        if (reader.isDoctor()
                || (reader.isNurse() && reader.onDuty() && reader.onFloor.contains(this.patient))) {
            return this.meds;
        }
        throw new SecurityException("access denied");   // deny everyone else
    }

    TestResults getTests(Person reader) { ... }

------------------------------------

The Policy approach:

    Medications getMeds(Person reader) {
        if (Policy.allow(reader, "getMeds", this)) {   // the policy engine decides; this EHR is the resource
            return this.meds;
        }
        throw new SecurityException("access denied");
    }

------------------------------------

The Capabilities approach:

When a Nurse reports for duty, the system generates a collection of EHRs for her patients, but these only give access to relevant data (in this case, the meds, but not the test results). Instead of an ArrayList<EHR>, the Nurse gets an ArrayList<NurseEHR>, where

    class NurseEHR {
        private EHR theEHR;
        NurseEHR(EHR forEHR) { this.theEHR = forEHR; }
        Medications getMeds() { return theEHR.getMeds(); }
        // no method for getTests
    }

------------------------------------

What if we want to write a function to allow a Nurse to consult the NursingSupervisor (who has not been included in the policy)? With Caps, the Nurse can send any NurseEHR to another method, which then has all the same privileges as the Nurse. Useful, but not well controlled. We need a back door ...
    class NurseEHR {
        private EHR theEHR;
        private boolean accessible = true;   // granted at issue time; cleared by revoke()
        NurseEHR(EHR forEHR) { this.theEHR = forEHR; }
        Medications getMeds() {
            if (this.accessible) return theEHR.getMeds();
            else throw new SecurityException("capability revoked");
        }
        void revoke() { this.accessible = false; }
    }

Capabilities require revocation mechanisms. Data such as "accessible" are a form of policy, so Capabilities include policy aspects as well (though they limit the policies to dynamically-changing criteria).

----------------------------------

Key Difference: Time of Credential Check

In ACLs, a request to do something consists of a subject, action, resource and other credentials (attributes). These are checked against the table when the action is about to be performed.

In Capabilities, a request consists of an action, resource, and a list of permissions from the table that are allowed. These are checked when the capability is about to be issued.
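The following is an added, runnable illustration of the two check times, not code from the original handout. It puts the ACL check (evaluated on every access) beside the capability check (evaluated once when the capability is issued, then only revocable). The Person, Medications, EHR and NurseEHR classes are minimal stand-ins for the handout's types; issueForShift and consultSupervisor are assumed helper names; the patients, medications and nurse are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AccessControlDemo {

    // Minimal stand-ins for the handout's Person and Medications types (assumed shapes).
    static class Person {
        final String name;
        final boolean doctor, nurse;
        boolean onDuty = false;
        final Set<String> onFloor = new HashSet<>();   // ids of patients on this nurse's floor

        Person(String name, boolean doctor, boolean nurse) {
            this.name = name; this.doctor = doctor; this.nurse = nurse;
        }
        boolean isDoctor() { return doctor; }
        boolean isNurse()  { return nurse; }
        boolean onDuty()   { return onDuty; }
    }

    static class Medications {
        final List<String> items;
        Medications(String... items) { this.items = List.of(items); }
        @Override public String toString() { return items.toString(); }
    }

    static class EHR {
        final String patient;            // link to owner
        private final Medications meds;  // less sensitive; test results omitted from this demo

        EHR(String patient, Medications meds) { this.patient = patient; this.meds = meds; }

        // ACL approach: the rule is evaluated at the moment of access, on every call.
        Medications getMeds(Person reader) {
            if (reader.isDoctor()
                    || (reader.isNurse() && reader.onDuty() && reader.onFloor.contains(this.patient))) {
                return this.meds;
            }
            throw new SecurityException(reader.name + " may not read meds for " + patient);
        }
    }

    // Capability approach: an object granting exactly one right (read meds), revocable by the issuer.
    static class NurseEHR {
        private final EHR theEHR;
        private boolean accessible = true;

        private NurseEHR(EHR forEHR) { this.theEHR = forEHR; }   // only issueForShift creates these

        Medications getMeds() {
            if (!accessible) throw new SecurityException("capability revoked");
            return theEHR.meds;   // no second check here: the check was made at issue time
        }
        void revoke() { accessible = false; }
        // no getTests(): a holder of this object cannot reach test results at all
    }

    // The policy runs once, when the nurse reports for duty; its output is a set of capabilities.
    static List<NurseEHR> issueForShift(Person nurse, Collection<EHR> records) {
        if (!nurse.isNurse() || !nurse.onDuty()) throw new SecurityException("not a nurse on duty");
        List<NurseEHR> caps = new ArrayList<>();
        for (EHR e : records) {
            if (nurse.onFloor.contains(e.patient)) caps.add(new NurseEHR(e));
        }
        return caps;
    }

    // Delegation: any method handed the object holds the same right as the nurse.
    static void consultSupervisor(NurseEHR cap) {
        System.out.println("supervisor sees " + cap.getMeds());
    }

    public static void main(String[] args) {
        // Constructed sample data
        EHR alice = new EHR("alice", new Medications("metformin"));
        EHR bob   = new EHR("bob",   new Medications("warfarin"));
        Person nurse = new Person("nurse-n", false, true);
        nurse.onFloor.add("alice");
        nurse.onDuty = true;

        // ACL: allowed while on duty and on the floor, refused the instant an attribute changes.
        System.out.println("ACL, on duty:  " + alice.getMeds(nurse));
        nurse.onDuty = false;
        try { alice.getMeds(nurse); }
        catch (SecurityException ex) { System.out.println("ACL, off duty: " + ex.getMessage()); }

        // Capabilities: issued at the start of the shift; Bob is off the floor, so no capability for him.
        nurse.onDuty = true;
        List<NurseEHR> caps = issueForShift(nurse, List.of(alice, bob));
        System.out.println("capabilities issued: " + caps.size());   // 1

        // The check already happened, so going off duty alone does not stop the holder ...
        nurse.onDuty = false;
        NurseEHR cap = caps.get(0);
        System.out.println("cap, off duty: " + cap.getMeds());
        consultSupervisor(cap);   // ... nor does it stop anyone the object was passed to.

        // Revocation is therefore required: it cuts off every holder at once.
        cap.revoke();
        try { consultSupervisor(cap); }
        catch (SecurityException ex) { System.out.println("after revoke:  " + ex.getMessage()); }
    }
}
```

Compile with `javac AccessControlDemo.java` and run `java AccessControlDemo`. The point to watch is the "cap, off duty" line: the ACL path refuses as soon as onDuty is false, while the already-issued capability keeps working until the issuer calls revoke(), which is exactly why a capability design has to carry a revocation mechanism.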