Andrew,

Please BE VERY CAREFUL in dealing with the concept of authority. A good example to illustrate why this is so is the 1988 Internet Worm. [Good Grief, that was almost SIX years ago.]

Does the sendmail debug option require any authorization? NO.
Did the exploitation of the finger flaw require any authorization? NO.
Does using an entry in a .rhosts file require any authorization? NO.
Does reading an encrypted password file require any authorization? MAYBE or MAYBE NOT, depending on the particular system.

But then suppose you are LEGITIMATELY entitled to be superuser, and you maliciously do a dictionary attack on the password file. Does doing the dictionary attack require any (further) authorization? NO.

As you can see, questions of exceeding authority are exceedingly sticky. Yes, without an explicit authorization policy, everything is murky. But all of the existing authorization policies still leave everything somewhat murky, except for a mandatory multilevel security policy implemented with lots of levels and millions of compartments and set up so that each special interest has its own compartment. Only then can you have a situation in which what is authorized is precisely that which is intended to be possible.

Peter Neumann