The star property allows a lower security level subject to write data
to a higher security level object. This can result in lower security
level subjects overwriting, and therefore modifying, higher security
level objects. Thus, MLS enforces a stronger star property that
restricts each subject to writing only at its own security level:
• Strong star property: A subject is allowed to write to an object
if the subject's security clearance level is equal to the object's
security classification level.
1.3.3 Role-Based Access Control
The main motivation behind role-based access control (RBAC) is the
need to mirror the structure of the organization's natural security
policies. RBAC is based on the roles that users hold; roles are
similar to the user groups found in other access control models.
In RBAC, a role is defined as a group of actions and duties belonging
to a specific activity [15]. A role may represent a user's job (e.g., buyer),
or it may define an action that the user is expected to perform (e.g.,
order material). Instead of defining all the permissions separately for
each of the users that perform the same task, permissions on objects can
be defined for roles. A user assigned to a role can perform every action
that the role is authorized to do. The components of RBAC can be
described as follows:
• Role-permission relationships: This component manages
granting/revoking permission to a specific role.
• User-role relationships: This component defines how to assign
users to a specific role.
• Role-role relationships: This component defines how to make
a role a member of another role.
RBAC supports three security principles:
• Least privilege: RBAC allows a user to access objects with only the
least privilege required for the specific task to be performed.
This limits the damage a Trojan horse attack can do.
• Separation of duties: RBAC ensures that no single user has enough
privileges to misuse the system on his own.
• Data abstraction: This is supported by means of abstract privileges
such as credit and debit for an account.
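The three RBAC relationships listed above (role-permission, user-role, role-role) and the least-privilege and separation-of-duties principles, shown as a small working model. This is an added example, not code from the original text; the roles, users, objects and actions (buyer, approver, clerk, purchase_order, catalog) are constructed for illustration.

```python
# Added example: minimal RBAC engine with role hierarchy and static separation of duties.
# Roles, users, objects and actions below are constructed for illustration only.

class RBAC:
    def __init__(self):
        self.role_perms = {}    # role-permission relationships: role -> {(object, action)}
        self.user_roles = {}    # user-role relationships: user -> {role}
        self.role_parents = {}  # role-role relationships: role -> roles it is a member of
        self.exclusive = set()  # separation of duties: role pairs no user may hold together

    def grant(self, role, obj, action):
        self.role_perms.setdefault(role, set()).add((obj, action))

    def revoke(self, role, obj, action):
        self.role_perms.get(role, set()).discard((obj, action))

    def inherit(self, child, parent):
        # child becomes a member of parent and gains all of parent's permissions
        self.role_parents.setdefault(child, set()).add(parent)

    def mutually_exclusive(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        # refuse an assignment that would give one user a conflicting pair of roles
        current = self.user_roles.setdefault(user, set())
        for held in current:
            if frozenset((held, role)) in self.exclusive:
                raise ValueError(f"{user}: {role} conflicts with {held} (separation of duties)")
        current.add(role)

    def effective_roles(self, user):
        # transitive closure over the role-role hierarchy
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.role_parents.get(role, ()))
        return seen

    def allowed(self, user, obj, action):
        # least privilege: a user gets only what the roles they hold (or inherit) grant
        return any((obj, action) in self.role_perms.get(r, ())
                   for r in self.effective_roles(user))

def build_demo():
    ac = RBAC()
    ac.grant("clerk", "catalog", "read")                # role-permission
    ac.grant("buyer", "purchase_order", "create")
    ac.grant("approver", "purchase_order", "approve")
    ac.inherit("buyer", "clerk")                        # role-role: buyer includes clerk
    ac.mutually_exclusive("buyer", "approver")          # separation of duties
    ac.assign("alice", "buyer")                         # user-role
    ac.assign("bob", "approver")
    return ac
```

Calling `build_demo().assign("alice", "approver")` raises, because a single user ordering and approving the same purchase is exactly what separation of duties forbids.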