Access Control Models

There are four basic categories of Access Control when discussing operating systems. These define how data access is controlled. Even though these may overlap, here they are:

Discretionary Access Control (DAC) is what most Windows and *nix systems use.
These have the common Read, Write and Execute permissions available. In DAC the administrator has the privileges to assign permissions to files and folders for a particular user. The user that creates data is the data owner, meaning that if a user creates a folder the user is then the owner of that folder. This then allows the user to share folders and let other individual users access them.

Mandatory Access Control (MAC) sees data as objects that have sensitivity/security labels, also referred to as categories, with a certain Classification. The well-known SELinux by the NSA falls into the MAC category even though it also has DAC features. MAC uses Classification levels and clearances, meaning this works on a need-to-know basis. A user cannot decide to share data with other users. Data is only available to users in a particular Classification.

Role-Based Access Control (RBAC) uses containers/roles called OIs and users are put into these containers. Permissions are set on the container, so the roles on the OI dictate what the user is able to do. A user is assigned a container to get a certain role. Operating systems using RBAC use ACLs (Access Control Lists) and are often used in managed routers, switches, firewalls, etc.

Content-Dependent Access Control (CDAC) is the last type. This kind of access control is used in databases. The restrictions in CDAC are put into Views.
A View is a behind-the-scenes wrapper query that keeps a SQL query from seeing more than it is supposed to.
Certified Security Geek
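The view-based restriction described in the CDAC paragraph, as an added example that is not part of the original post: a SQLite view that hides a column and filters rows by label, plus an authorizer callback standing in for the GRANT/REVOKE a full database would use to stop users from reading the base table directly. The table, column names and rows are constructed for this example.

```python
import sqlite3

# Constructed sample rows (hypothetical schema, not from the post): each row
# carries a label, and salary is the column the view must hide.
ROWS = [
    ("alice", "engineering", 95000, "confidential"),
    ("bob", "sales", 60000, "public"),
    ("carol", "engineering", 120000, "confidential"),
    ("dave", "support", 45000, "public"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees "
                 "(name TEXT, dept TEXT, salary INTEGER, classification TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", ROWS)
    # The view is the content-dependent restriction: it drops the salary
    # column and every row whose label is not 'public'.
    conn.execute("CREATE VIEW employees_public AS "
                 "SELECT name, dept FROM employees WHERE classification = 'public'")
    conn.commit()
    return conn

def restrict_to_view(conn, base_table, view_name):
    # A view restricts nothing if the caller can still read the base table
    # directly. SQLite has no GRANT/REVOKE, so an authorizer callback stands in:
    # reads of base_table pass only when SQLite reports (last argument) that
    # the read originates from inside view_name.
    def authorizer(action, arg1, arg2, db_name, source):
        if (action == sqlite3.SQLITE_READ and arg1 == base_table
                and source != view_name):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

def run(conn, sql):
    # Return result rows, or ("DENIED", message) when the authorizer blocks.
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return ("DENIED", str(exc))

def demo():
    conn = build_db()
    before = run(conn, "SELECT name, salary FROM employees")  # not enforced yet
    restrict_to_view(conn, "employees", "employees_public")
    return {
        "before": before,  # all 4 rows with salaries: the view alone is cosmetic
        "via_view": run(conn, "SELECT * FROM employees_public ORDER BY name"),
        "direct": run(conn, "SELECT name, salary FROM employees"),  # ("DENIED", ...)
    }
```

The "before" result is the point to check in any real deployment: a view is only a control if the underlying table is not readable by the same account.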