Access Control
Chapter 4 - "Access Control"
"Access Control" is the defense against unauthorized access and misuse of resources. It is central to computer security.
Access Control Principles
Access control principles help determine who can access what, under what conditions.
Discretionary Access Control (DAC)
DAC is based on identities and on rules that determine what the requester is allowed to do.
Mandatory Access Control (MAC)
MAC is based on security labels and security clearances.
Role-Based Access Control (RBAC)
RBAC is based on user roles in the system.
Access Control Requirements
Access control requirements include obtaining reliable input, supporting fine-grained and coarse-grained specifications, and applying the principle of least privilege.
Reliable Input
Consistent and reliable input is vital for maintaining secure access control.
Fine-Grained and Coarse-Grained Specifications
Fine-grained specifications give control over detailed aspects of the system; coarse-grained specifications give control over broader ones.
Principle of Least Privilege
This principle restricts access rights for users to the bare minimum they need to complete their tasks.
Access Control Elements
Access control encompasses subjects, objects, and access rights.
Subjects
Subjects are entities with access rights.
Subjects are typically classified into three categories: owner, group, and world.
Objects
Objects are resources being accessed.
Access Rights
Access rights are permissions such as read, write, and execute.
Access Control Function
The access control function determines whether a subject's requested action on an object is allowed.
Role-Based Access Control (RBAC)
RBAC systems assign rights to roles instead of individual users.
RBAC Reference Models
RBAC reference models include RBAC0 to RBAC3, each with different functionalities.
RBAC0
RBAC0 contains basic entities for an RBAC system.
RBAC1
RBAC1 allows for role hierarchies and inheritance of permissions.
RBAC2
RBAC2 includes constraints that regulate how RBAC components may be configured.
RBAC3
RBAC3 combines functionalities of RBAC0 to RBAC2.
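The four reference models in one small class, as an added example that is not taken from the chapter: RBAC0 entities, an RBAC1 role hierarchy, and an RBAC2 constraint, combined as in RBAC3. The mutually-exclusive-roles rule is one assumed kind of RBAC2 constraint, and all user, role and permission names are constructed.

```python
class RBAC:
    def __init__(self):
        self.role_perms = {}   # RBAC0: role -> set of (right, object) permissions
        self.user_roles = {}   # RBAC0: user -> set of directly assigned roles
        self.juniors = {}      # RBAC1: role -> junior roles whose permissions it inherits
        self.exclusive = []    # RBAC2: sets of mutually exclusive roles (assumed constraint type)

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def add_exclusion(self, *roles):
        self.exclusive.append(frozenset(roles))

    def effective_roles(self, roles):
        """Close a set of roles over the hierarchy: a senior role implies its juniors."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user, role):
        """Assign a role; refuse if direct plus inherited roles break a constraint."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        proposed = self.effective_roles(self.user_roles.get(user, set()) | {role})
        for group in self.exclusive:
            if len(group & proposed) > 1:
                raise ValueError(f"constraint violated: {sorted(group & proposed)}")
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user, right, obj):
        """Access control function: deny unless an effective role grants the right."""
        roles = self.effective_roles(self.user_roles.get(user, set()))
        return any((right, obj) in self.role_perms.get(r, ()) for r in roles)

def build_demo():
    """Constructed sample policy: accountant is senior to clerk and excludes auditor."""
    m = RBAC()
    m.add_role("clerk", {("read", "invoice")})
    m.add_role("accountant", {("write", "invoice")}, inherits={"clerk"})
    m.add_role("auditor", {("read", "audit_log")})
    m.add_exclusion("accountant", "auditor")
    m.assign("alice", "accountant")
    m.assign("bob", "auditor")
    return m
```

Because rights attach to roles rather than users, the only way to give alice access to the audit log is to assign her the auditor role, and the constraint rejects that assignment.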