[CCCure CISSP] confused: rule-based access control belongs to MAC or RBAC
Lu Yaling
yaling.lu at 163.com
Sun Feb 14 01:56:28 EST 2010
Hi all,
I saw a question from cccure.org:

The rule-based access control where access is determined by rules is a type of:
A. Discretionary Access Control
B. Mandatory Access control
C. Non-Discretionary Access Control
D. Lattice-based Access control

The answer is C, Non-discretionary access control, and the explanation is:
Rule-based access control is a type of non-discretionary access control
because this access is determined by rules and the subject does not decide
what those rules will be, the rules are uniformly applied to ALL of the
users or subjects.
NOTE FROM CLEMENT:
A lot of people tend to confuse MAC and Rule Based Access Control.
Mandatory Access Control must make use of LABELS as well. If there are only
rules and no label, it cannot be Mandatory Access Control. This is why they
call it Non Discretionary Access control. In MAC subjects must
have clearance to access sensitive objects. Objects have labels that
contain the classification to indicate the sensitivity of the object and the
label also has categories to enforce the need to know.
Today the best example of rule based access control would be a firewall.
All rules are imposed globally to any user attempting to connect through the
device. This is NOT the case with MAC.
I am really confused about the answer. From the AIO book v4, page 218:
Rule-based access allows a developer to define specific and detailed
situations in which a subject can or cannot access an object, and what that
subject can do once access is granted. Traditionally, rule-based access
control has been used in MAC systems as an enforcement mechanism of the
complex rules of access that MAC systems provide. Today, rule-based access
is used in other types of systems and applications as well.
I would appreciate it if someone could clarify it.
Regards
Yaling Lu
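
Added example, not part of the original post or of the CCCure or AIO material: a minimal Python sketch of the distinction drawn in Clement's note, with a MAC read check driven by labels (clearance, classification, categories) beside a firewall-style rule list applied to every connection. The level names, categories, addresses and rules are constructed for illustration, and the MAC check models read access only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- MAC: the decision comes from labels on the subject and on the object ---
# Constructed sensitivity hierarchy (assumption, for illustration only).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str             # clearance (subject) or classification (object)
    categories: frozenset  # need-to-know compartments

def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """Read is allowed only if the subject's label dominates the object's:
    clearance >= classification AND the subject holds every object category."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.categories <= subject.categories)

# --- Rule-based: one global, ordered rule list; no labels anywhere ---
# Constructed firewall-style rules: (action, source network, destination port).
RULES = [
    ("deny",  "10.0.5.0/24", 22),
    ("allow", "10.0.0.0/8",  22),
    ("allow", "0.0.0.0/0",   443),
]

def rule_based_allowed(src: str, dport: int, rules=RULES) -> bool:
    """First matching rule wins, default deny. The same list is evaluated for
    every connection; no clearance or object label is consulted."""
    for action, net, port in rules:
        if ip_address(src) in ip_network(net) and dport == port:
            return action == "allow"
    return False

if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    report = Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"}))
    memo = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    print("MAC read report:", mac_read_allowed(analyst, report))
    print("MAC read memo:  ", mac_read_allowed(analyst, memo))
    for src, port in [("10.0.5.7", 22), ("10.1.2.3", 22), ("203.0.113.9", 443)]:
        print("rule-based", src, port, rule_based_allowed(src, port))
```

With an empty rule list the rule-based check denies everything, while the MAC check still depends entirely on the two labels, which is the difference the note points to.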