Sensitivity labels: When MAC is used, every subject and object must have a sensitivity label. A label contains a classification and a set of categories. The classification indicates the sensitivity level, and the categories indicate which objects the classification applies to.

RBAC / Role-based access control: Also called nondiscretionary access control. Uses a centrally administered set of controls to determine how subjects and objects interact. Allows access to resources based on the role the user holds within the company. RBAC models can use:
- Role-based access: Determined by the role the user has within the company.
- Task-based access: Determined by the task assigned to the user.
- Lattice-based access: Determined by the sensitivity level assigned to the role.
Access Control Techniques and Technologies
Techniques and technologies available to support the different access control models.

Role-Based Access Control: Based on the tasks and responsibilities that individuals need to accomplish to fulfil the obligations of their positions in the company. RBAC can be used with:
- DAC: administrators can develop roles, and owners can decide whether these roles may access their resources.
- MAC: roles can be developed and sensitivity labels assigned to those roles, indicating their security level.

Rule-Based Access Control: Based on specific rules that indicate what can and cannot happen to an object. It is a type of MAC because the administrator sets the rules and the users cannot modify these controls.

Restricted Interfaces: Restrict users' access abilities by not allowing them to request certain functions or information, or to access specific system resources. Three types of restricted interfaces:
- Menus and shells: Users are only given the options of the commands they can execute.
- Database views: Mechanisms used to restrict user access to data contained in databases.
- Physically constrained interfaces: Can be implemented by providing only certain keys on a keypad or touch buttons on a screen.

Access Control Matrix: A table of subjects and objects indicating what actions individual subjects can take upon individual objects. It is usually an attribute of DAC models, and the access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).

Capability Tables: Specify the access rights a certain subject possesses pertaining to specific objects. The subject is bound to the capability table. Capability tables are used in Kerberos.
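An added worked example (not part of these notes) that models three of the structures above in Python: a sensitivity label whose dominance check compares both classification level and categories, lattice-based RBAC where the label is attached to the role, and an access control matrix read either by subject row (capability table) or by object column (ACL). The level names, users, roles and matrix entries are constructed sample data.

```python
from dataclasses import dataclass

# Ordered classification levels of the MAC lattice (constructed sample).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification plus the categories it applies to."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level must be >= AND categories must be a superset.
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)

def mac_can_read(subject: Label, obj: Label) -> bool:
    """MAC read check: the subject's label must dominate the object's label."""
    return subject.dominates(obj)

# Lattice-based RBAC: the sensitivity label is assigned to the role, not the user.
ROLE_LABELS = {"auditor": Label("secret", frozenset({"finance"})),
               "clerk": Label("confidential")}
USER_ROLES = {"alice": "auditor", "bob": "clerk"}

def lattice_can_read(user: str, obj: Label) -> bool:
    """Access decided by the label of the role the user holds."""
    return ROLE_LABELS[USER_ROLES[user]].dominates(obj)

# Access control matrix as a sparse table: (subject, object) -> allowed actions.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.doc"): {"read"},
    ("bob", "report.doc"): {"read", "write"},
}

def capability_table(matrix: dict, subject: str) -> dict:
    """Row view, bound to the subject: what it may do to each object."""
    return {o: set(a) for (s, o), a in matrix.items() if s == subject}

def acl(matrix: dict, obj: str) -> dict:
    """Column view, bound to the object: which subjects may act on it, and how."""
    return {s: set(a) for (s, o), a in matrix.items() if o == obj}

def dac_allowed(matrix: dict, subject: str, obj: str, action: str) -> bool:
    """DAC decision: look up the matrix cell; an absent cell grants nothing."""
    return action in matrix.get((subject, obj), set())
```

Note that a higher classification alone is not enough: a "secret" label with no categories does not dominate a "confidential" object tagged "finance".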