Chapter 4: Access Control

 

 

Access control is a very important part of computer security. The objectives of access control are to:

·         prevent unauthorized users from gaining access to resources

·         allow authorized users to access resources according to their corresponding rights

Similar to user authentication, access control is implemented within a computer system as well as over a network. This chapter discusses only access control within a system.

Note that the access control mechanism is a guard between system resources (such as applications, firewalls, different files, etc.) and a user or a process executed by a user. You may think of the access control mechanism as a function that, upon receiving a request from an authenticated user or process, determines whether the requested resource can be given to that user or process.

Section 4.1: Access Control Policies

·         Compare three different types of access control policies. Is it possible for an access control mechanism to employ both discretionary access control and mandatory access control? Why or why not?

·         Read about the important features that must be present in an access control system. Why should an access control system support the principle of least privilege? Why should it support an open policy?

Section 4.2: Subjects, Objects and Access Rights ** Important

Read this section very carefully. Keep in mind that a subject is a process that wants to access an object, i.e., a resource. Read the classification of subjects and access rights.

Section 4.3: Discretionary Access Control

Study figures 4.3, 4.4 and 4.5 carefully.

·         What steps are triggered by an access attempt?

·         Can a subject modify an access control matrix? Why or why not?

·         What is a protection domain? What advantage does it give to a system?

Section 4.4: UNIX File Access Control

Read this section carefully.

·         You must have noticed that the permissions that apply to a directory are distinct from those that apply to a file or another directory contained in it. In other words, even if you have write access to the directory, you may not have write access to any file inside that directory. Why are these permissions kept distinct?
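
The separation between directory and file permissions can be seen in a small model of the classic UNIX permission check. This is an added example, not code from the textbook; the users, IDs and modes are constructed, and the model assumes no superuser, ACLs or capabilities.

```python
import stat

R, W, X = 4, 2, 1  # permission bits within one class

def allowed(uid, gids, node, want):
    """Classic UNIX check: exactly one class (owner, group, other) is consulted."""
    mode = node["mode"]
    if uid == node["uid"]:
        bits = (mode >> 6) & 7
    elif node["gid"] in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def can_write_contents(uid, gids, file_node):
    # Changing a file's data is governed by the file's own write bit.
    return allowed(uid, gids, file_node, W)

def can_unlink(uid, gids, dir_node, file_node):
    # Removing a name edits the directory, so it needs w+x on the directory.
    if not allowed(uid, gids, dir_node, W | X):
        return False
    # Sticky directory (e.g. /tmp): only the file's or directory's owner may remove.
    if dir_node["mode"] & stat.S_ISVTX:
        return uid in (file_node["uid"], dir_node["uid"])
    return True

# Constructed sample data: alice=1000, bob=1001, shared group staff=50.
ALICE, BOB, STAFF = 1000, 1001, 50
shared_dir = {"uid": ALICE, "gid": STAFF, "mode": 0o775}
sticky_dir = {"uid": 0, "gid": 0, "mode": 0o1777}
report = {"uid": ALICE, "gid": STAFF, "mode": 0o644}

def demo():
    bob = (BOB, {STAFF})
    return {
        "bob_writes_report": can_write_contents(*bob, report),
        "bob_unlinks_in_shared": can_unlink(*bob, shared_dir, report),
        "bob_unlinks_in_sticky": can_unlink(*bob, sticky_dir, report),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model bob cannot modify the contents of alice's file, yet he can remove its name from the group-writable directory unless the sticky bit is set.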

Section 4.5: Role-based Access Control

·         How is this different from DAC?

·         What are the entities in an RBAC0 system? How do RBAC1 and RBAC2 add role hierarchies and constraints?

·         What are mutually exclusive roles? What is cardinality?

·         What are the salient features of the NIST RBAC model?

Section 4.6: RBAC System in Bank

·         Why has the bank adopted RBAC instead of DAC?