Access Control

Chapter 4 - "Access Control"

"Access Control" is the defense against unauthorized access and misuse of resources. It is central to computer security.

Access Control Principles

Access control principles help determine who can access what, under what conditions.

Discretionary Access Control (DAC)

DAC is based on the requester's identity and on rules that determine what the requester is allowed to do.

Mandatory Access Control (MAC)

MAC is based on security labels and security clearances.

Role-Based Access Control (RBAC)

RBAC is based on user roles in the system.

Access Control Requirements

Access control requirements include reliable input, fine-grained and coarse-grained specifications, and the principle of least privilege.

Reliable Input

Consistent and reliable input is vital for maintaining secure access control.

Fine-Grained and Coarse-Grained Specifications

Fine-grained specifications give control over detailed aspects of the system; coarse-grained specifications give control over broader aspects.

Principle of Least Privilege

This principle restricts access rights for users to the bare minimum they need to complete their tasks.

Access Control Elements

Access control encompasses subjects, objects, and access rights.


Subjects are entities with access rights.

Subjects are typically classified into three categories: owner, group, and world.


Objects are resources being accessed.

Access Rights

Access rights are permissions such as read, write, and execute.

Access Control Function

The access control function determines whether a subject's requested action on an object is allowed.

Role-Based Access Control (RBAC)

RBAC systems assign rights to roles instead of individual users.

RBAC Reference Models

The RBAC reference models are RBAC0 to RBAC3, each with different functionality.


RBAC0 contains basic entities for an RBAC system.


RBAC1 allows for role hierarchies and inheritance of permissions.


RBAC2 includes constraints that restrict how the components of an RBAC system may be configured.


RBAC3 combines functionalities of RBAC0 to RBAC2.
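
The following is an added example, not part of the original notes: an access control function for an RBAC3-style model that combines RBAC0 role-permission assignment, an RBAC1 role hierarchy, and an RBAC2 constraint. The role names, objects, rights, and the choice of mutually exclusive roles as the constraint are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # RBAC0: role -> {(object, right)}
    parents: dict = field(default_factory=dict)     # RBAC1: role -> roles it inherits from
    exclusive: list = field(default_factory=list)   # RBAC2: sets of mutually exclusive roles
    user_roles: dict = field(default_factory=dict)  # user -> directly assigned roles

    def effective_roles(self, role, seen=None):
        """The role plus every role it inherits from; `seen` stops hierarchy cycles."""
        seen = set() if seen is None else seen
        if role not in seen:
            seen.add(role)
            for parent in self.parents.get(role, ()):
                self.effective_roles(parent, seen)
        return seen

    def assign(self, user, role):
        """Assign a role unless the result breaks an exclusivity constraint."""
        held = self.user_roles.get(user, set()) | {role}
        expanded = set().union(*(self.effective_roles(r) for r in held))
        for group in self.exclusive:
            if len(expanded & group) > 1:
                raise ValueError(f"{user}: conflicting roles {sorted(expanded & group)}")
        self.user_roles[user] = held

    def check(self, user, obj, right):
        """Access control function: allow only if some effective role grants it."""
        for role in self.user_roles.get(user, ()):
            for r in self.effective_roles(role):
                if (obj, right) in self.role_perms.get(r, ()):
                    return True
        return False  # default deny: unknown users, objects and rights get nothing

def build_demo():
    """Constructed sample policy; every name here is hypothetical."""
    m = RBAC()
    m.role_perms = {"clerk": {("invoice", "read"), ("invoice", "write")},
                    "manager": {("invoice", "approve")},
                    "auditor": {("ledger", "read")}}
    m.parents = {"manager": {"clerk"}}        # manager inherits clerk's permissions
    m.exclusive = [{"clerk", "auditor"}]      # nobody may act as both
    m.assign("alice", "manager")
    m.assign("bob", "auditor")
    return m
```

Because the constraint is checked against inherited roles as well as directly assigned ones, giving "auditor" to a manager is rejected even though the manager was never assigned "clerk" directly.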