of authorization, but they may be implemented on anonymously
provided resources as well, to prevent connections during update or
system maintenance cycles.
Explicit. Explicit authorization or denial includes those connectivity
rights that are assigned directly to an identity. In some authorization
systems, explicit access may override implicit or inherited causes
for access denial, while in other solutions, any denial always wins.
Implicit. Implicit authorization or denial includes those connectivity
rights present due to default or unassigned privilege. Default
share permissions and exposed services may allow access to default
identities such as the Everyone pseudo-identity, allowing implied
access rights to be provided to all accounts except those that have
been restricted through other assignment.
Inherited. Inherited authorization or denial includes those connectivity
rights assigned to an identity as a result of membership
in a group or role. Because inherited access rights are passed from
one group or role to subordinate ones, inherited rights can become
complex and difficult to troubleshoot without careful planning and
documentation. Role-based access control solutions make use of
inherited rights and restrictions.
Mandatory. Mandatory access controls (MACs) are applied using
a set of classifications and categorizations applied by the security
administrator to the requesting identity and to the requested
resource. Only when the requesting identity has the necessary level
of access in both classification and category will the requested
resource become available. Highly secure network environments use
this system of access control, which requires a great deal of management
over the assignment and maintenance of classification and
categorization labels for all resources and identities.
Discretionary. Discretionary access controls (DACs) manage
resource availability based on the resource owner's preference. This
is the most commonly used form of access control in corporate environments,
where file ownership allows direct assignment of access
rights and restrictions to other identities or identity groups. Because
ownership allows the assignment of rights to further assign access
rights, DAC solutions can quickly become very complex and risk
exposing resources to unanticipated third parties unless there are
strong policies and careful segregation of resource pools.
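
The following is an added example, not taken from the original text, showing how the Explicit, Implicit and Inherited entries above interact under the two conflict rules the Explicit entry mentions. The identities, groups, share name and the "explicit-first" ordering (explicit over inherited over implicit) are assumptions made for illustration.

```python
from enum import Enum

class Source(Enum):
    EXPLICIT = "explicit"    # assigned directly to the identity
    INHERITED = "inherited"  # reached through group or role membership
    IMPLICIT = "implicit"    # granted to a default identity such as Everyone

# Constructed sample data: nested groups and one resource's access entries.
MEMBER_OF = {"alice": {"engineering"}, "bob": {"contractors"},
             "contractors": {"engineering"}, "engineering": {"staff"}}
# (principal, allow?) entries on a hypothetical share "build-artifacts"
ENTRIES = [("Everyone", True), ("contractors", False),
           ("bob", True), ("staff", True)]

def groups_of(identity):
    """All groups reached transitively through membership."""
    seen, stack = set(), [identity]
    while stack:
        for group in MEMBER_OF.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def matching(identity, entries=ENTRIES):
    """Return (source, allow) for each entry that applies to identity."""
    groups = groups_of(identity)
    out = []
    for principal, allow in entries:
        if principal == identity:
            out.append((Source.EXPLICIT, allow))
        elif principal in groups:
            out.append((Source.INHERITED, allow))
        elif principal == "Everyone":
            out.append((Source.IMPLICIT, allow))
    return out

def decide(identity, policy, entries=ENTRIES):
    """'deny-wins': any applicable denial blocks access.
    'explicit-first' (assumed ordering): explicit entries override
    inherited, which override implicit; within a level a denial wins."""
    hits = matching(identity, entries)
    if policy == "deny-wins":
        return bool(hits) and all(allow for _, allow in hits)
    for level in (Source.EXPLICIT, Source.INHERITED, Source.IMPLICIT):
        verdicts = [allow for src, allow in hits if src is level]
        if verdicts:
            return all(verdicts)
    return False  # nothing applies: default deny (assumption of this sketch)
```

With this data, bob is denied under "deny-wins" because of the inherited contractors denial but allowed under "explicit-first", while an identity with no entries of its own still gets in through Everyone.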