What is Access Control
Access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment.
There are two main types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access limits connections to computer networks, system files and data.
Three models come up in any discussion of access control: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC).
All three methods have varying uses when trying to define or limit access to resources, devices, or networks.
Mandatory Access Control
MAC components are present in UNIX, Linux, Microsoft’s Windows NT-based operating systems, OpenBSD, and others. Mandatory controls are usually hard-coded, and set on each object or resource individually. MAC can be applied to any object within an operating system, and allows a high level of granularity and function in the granting or denying of access to the objects.
MAC can be applied to each object, and can control access by processes, applications, and users to the object. It cannot be modified by the owner or creator of the object. MAC relies on the system to control access.
You define the sensitivity of the resource by means of a security label. The security label is composed of a security level and zero or more security categories. The security level indicates a level or hierarchical classification of the information (for example, Restricted, Confidential, or Internal). The security category defines the category or group to which the information belongs (such as Project A or Project . Users can access only the information in a resource to which their security labels entitle them. If the user's security label does not have enough authority, the user cannot access the information in the resource.
To review briefly, MAC is:
- Non-discretionary: The control settings are hard-coded and not modifiable by the user or owner.
- Multilevel: Control of access privileges is definable at multiple access levels.
- Label-based: May be used to control access to objects in a database.
- Universally applied: Applied to all objects.
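The security-label check described above can be written as a short decision function. This is an added example, not code from any particular operating system. It assumes the level ordering Internal < Confidential < Restricted (the tutorial names the levels but not their order), treats "enough authority" as the standard lattice rule (level at least as high, and every category of the resource held), and uses constructed users, resources and a hypothetical "Project X" category.

```python
from dataclasses import dataclass

# Assumed ordering, lowest to highest; the tutorial names the levels, not their order.
LEVELS = {"Internal": 0, "Confidential": 1, "Restricted": 2}


@dataclass(frozen=True)
class SecurityLabel:
    """A security level plus zero or more security categories."""
    level: str
    categories: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown security level: {self.level!r}")

    def dominates(self, other: "SecurityLabel") -> bool:
        """True when this label has enough authority for `other`:
        level at least as high AND every category of `other` is held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(user: SecurityLabel, resource: SecurityLabel) -> bool:
    """System-enforced decision; the resource owner has no way to override it."""
    return user.dominates(resource)


# Constructed sample labels (hypothetical users and resources).
ALICE = SecurityLabel("Restricted", frozenset({"Project A"}))
BOB = SecurityLabel("Confidential", frozenset({"Project A", "Project X"}))
DESIGN_DOC = SecurityLabel("Confidential", frozenset({"Project A"}))
BUDGET = SecurityLabel("Confidential", frozenset({"Project X"}))
ROADMAP = SecurityLabel("Restricted")  # zero categories


def decisions():
    """Return the access matrix for the sample labels."""
    users = {"alice": ALICE, "bob": BOB}
    resources = {"design_doc": DESIGN_DOC, "budget": BUDGET, "roadmap": ROADMAP}
    return {(u, r): can_read(ul, rl)
            for u, ul in users.items() for r, rl in resources.items()}


if __name__ == "__main__":
    for (user, resource), allowed in decisions().items():
        print(f"{user:5} -> {resource:10} {'ALLOW' if allowed else 'DENY'}")
```

Alice holds the highest level but is still denied the budget because she lacks its category, while Bob holds both categories but is denied the roadmap because his level is too low.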
Discretionary Access Control
DAC is the setting of access permissions on an object that a user or application has created or has control of. This includes setting permissions on files, folders, and shared resources. The “owner” of the object in most OS environments applies discretionary access controls. This ownership may be transferred, or controlled by root or other superuser accounts in other systems.
It is important to understand that DAC is assigned or controlled by the owner, rather than being coded into the system. DAC does not allow the fine control available with MAC, but requires less coding and administration of individual files and resources.
Role-Based Access Control
Role-based access control (RBAC) is an approach to restricting system access to authorized users. It is nothing more than the idea of assigning system access to users based on their role in an organization.
The system needs of a given workforce are analyzed, with users grouped into roles based on common job responsibilities and system access needs. Then, access is assigned to each person based strictly on their role assignment. With tight adherence to access requirements established for each role, access management becomes much easier.
With the proper implementation of RBAC, the assignment of access rights becomes systematic and repeatable once these controls are set up. Further, it is much easier to audit user rights, and to correct any issues identified.
In summary, RBAC is:
- Job based
- Highly configurable
- More flexible than MAC
- More precise than groups