Access Control Methods
Generally, access control is the selective restriction of access to a place or resource. The act
of accessing may be entering, consuming, or using. Permission to access a resource requires
prior authorization. Specifically, access control means identifying a person doing a specific job,
authenticating that person by proof of identification, and granting access only to the resources
that person is allowed to use. The proof of identification could be a username, a password, or
key files. Access privileges refer to the level of permissions per resource granted to the user
to perform the job.
The following access control models are used to grant the allowed privileges to
individuals:
Role-based access control (RBAC)
Mandatory access control (MAC)
Discretionary access control (DAC)
Rule-based multifactor access control (RB-RBAC)
These models are explained in detail in the following sections, and we will also look at
multifactor authentication, single sign-on, and federation.
Role-Based Access Control
The role-based access control model provides access based on the position of an individual
in an organization. Template profiles are created and used to assign permissions automatically.
For example, if a person holds the position of a manager in an organization, the role
profile of the manager would be enough to assign permissions to that person. This makes
life easier for the system administrator and DevOps team. However, an issue arises if the
manager requires access to some other resources that the role does not allow by default.
In this case, a manual workaround is needed to allow supra-role permissions.
Mandatory Access Control
With the mandatory access control (MAC) model, the end user has no control over any
settings that configure privileges for anyone. There are two security models associated with
MAC: Biba and Bell-LaPadula. The Biba model is focused on the integrity of the information,
while the Bell-LaPadula model focuses on the confidentiality of the information.
Biba is used when a user with low-level clearance can read higher-level information (commonly
referred to as read up) and a user with high-level clearance can write for lower levels
of clearance (called write down). Biba is commonly used in organizations where employees
can read managerial or executive material and managers or executives can write to inform
employees.
The Bell-LaPadula model is set up so that a user can write only to a level they belong
to or higher, but no lower (called write up). However, the user can read at lower levels (called
read down). This model is used in government and military organizations.
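The two MAC models above differ only in the direction each rule permits, which is easy to lose in prose. The following is an added example (not code from the book) that encodes the Bell-LaPadula and Biba read/write rules as a small reference-monitor check over a constructed four-level scale, so the "read down / write up" versus "read up / write down" contrast can be tested directly; the level names and the check_access dispatcher are assumptions for this example.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered clearance/classification levels (constructed for this example)."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_can_read(subject: Level, obj: Level) -> bool:
    """Bell-LaPadula simple security property: read down only (no read up)."""
    return subject >= obj


def blp_can_write(subject: Level, obj: Level) -> bool:
    """Bell-LaPadula *-property: write up only (no write down), so a
    high-clearance subject cannot leak data into a lower-classified object."""
    return subject <= obj


def biba_can_read(subject: Level, obj: Level) -> bool:
    """Biba simple integrity property: read up only (no read down), so a
    subject is never contaminated by lower-integrity data."""
    return subject <= obj


def biba_can_write(subject: Level, obj: Level) -> bool:
    """Biba *-integrity property: write down only (no write up), so a
    low-integrity subject cannot corrupt a higher-integrity object."""
    return subject >= obj


def check_access(model: str, action: str, subject: Level, obj: Level) -> bool:
    """Reference-monitor style dispatcher: deny anything not explicitly allowed."""
    rules = {
        ("blp", "read"): blp_can_read,
        ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read,
        ("biba", "write"): biba_can_write,
    }
    rule = rules.get((model, action))
    if rule is None:
        return False  # fail closed: an unknown model or action is denied
    return rule(subject, obj)


if __name__ == "__main__":
    # The book's scenario: an employee (INTERNAL) acting on a manager's (SECRET) document.
    for model in ("blp", "biba"):
        for action in ("read", "write"):
            print(f"{model:4} {action:5} employee->manager doc:",
                  check_access(model, action, Level.INTERNAL, Level.SECRET))
```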