Thursday, September 19, 2013

Access Control Models

Access control models provide a framework for how users access content. There are three primary models in use today: discretionary access control, mandatory access control, and role based access control. Each has its own merits and limitations, and each is built into the core, or kernel, of the operating system to control how users obtain access to objects.

Discretionary Access Control

Discretionary Access Control (DAC) is perhaps the most familiar access control model. Many current operating systems are based on this model. Under DAC, whoever creates a file is considered the owner and is able to control who can access it. The owner may allow certain users only read privileges while giving others read and write privileges, or none at all.

Access under DAC is user focused. Each user may have different access settings pertaining to each file. This is commonly enforced through an access control list. An example ACL can be viewed below.

In the example Jeanne, Joe, and Jim are each granted unique permissions in reference to the object. These permissions can be changed at any time by the object owner.

While the DAC model allows for a lot of flexibility, it can create irregularities throughout the organization. Since each user is left to determine who should be allowed what type of access to their objects, it is easy for too much access to be given away.
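As an added illustration of the ACL discussion above and of the "too much access given away" problem (this is example code, not part of the original post), the following Python models one object with a per-user ACL that only the owner may change, a default-deny access check, and a small audit helper that lists who can write to each object. The owner name "alice", the file name, and the rule that the owner implicitly holds every permission are assumptions of this example.

```python
"""Minimal discretionary access control: a per-object ACL edited only by its owner."""
from dataclasses import dataclass, field

PERMISSIONS = frozenset({"read", "write"})


@dataclass
class AclObject:
    """One object (e.g. a file): its owner plus a per-user permission set."""
    name: str
    owner: str
    entries: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, *perms: str) -> None:
        """Only the owner may change the ACL: that is the 'discretionary' part."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permission(s): {sorted(unknown)}")
        self.entries.setdefault(user, set()).update(perms)

    def revoke(self, actor: str, user: str) -> None:
        """Remove every permission the user holds on this object."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.entries.pop(user, None)

    def allowed(self, user: str, perm: str) -> bool:
        """Access check: the owner always has full control (an assumption of this
        example); everyone else gets exactly what the ACL lists, default deny."""
        if user == self.owner:
            return True
        return perm in self.entries.get(user, set())


def try_grant(obj: AclObject, actor: str, user: str, *perms: str) -> bool:
    """Return True if the grant succeeded, False if the actor is not the owner."""
    try:
        obj.grant(actor, user, *perms)
        return True
    except PermissionError:
        return False


def writers(objects: list) -> dict:
    """Audit helper: for each object, the non-owner users who can write to it.
    Reviewing this list is one way to spot access that was given away too freely."""
    return {
        o.name: {u for u, p in o.entries.items() if "write" in p and u != o.owner}
        for o in objects
    }


def demo() -> dict:
    """The post's scenario: Jeanne, Joe and Jim each get different rights."""
    report = AclObject("report.txt", owner="alice")  # owner name is constructed
    report.grant("alice", "Jeanne", "read")
    report.grant("alice", "Joe", "read", "write")
    # Jim is deliberately not listed, so every check for him is denied.
    return {
        "jeanne_read": report.allowed("Jeanne", "read"),
        "jeanne_write": report.allowed("Jeanne", "write"),
        "joe_write": report.allowed("Joe", "write"),
        "jim_read": report.allowed("Jim", "read"),
        "joe_can_grant": try_grant(report, "Joe", "Jim", "read"),  # Joe is not the owner
        "writers": writers([report])["report.txt"],
    }


if __name__ == "__main__":
    print(demo())
```

The `writers` audit is the defender's answer to the paragraph above: because every owner decides independently, the only way to see the organization-wide picture is to walk the ACLs and look for objects whose write access has spread beyond the people who need it.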

Mandatory Access Control

Mandatory access control (MAC) is what most people think of when they think of governments. Access is predicated on the subject having a certain level of clearance to be able to access an object. Terms such as 'confidential', 'privileged', and 'top secret' are common in this control model. Many of the rights and abilities users normally have are stripped away. Users will rarely be able to install software, change file permissions, add new users, etc.

MAC is much more rigid and strict. Users are allowed to use systems in only very specific ways. This type of environment is appropriate for organizations that greatly value system security, such as governments. Access is enforced through the use of sensitivity labels. These labels detail what level of clearance a subject and object have. Typically, clearance works in a hierarchical manner, meaning that if you have been cleared to access objects labeled 'top secret', you can also access any objects ranked below that in clearance.

Sensitivity labels do not only deal with clearance, however. They also contain what categories a subject or object belongs to. So while Jim may have top secret clearance, if he is listed as being in category Research and Development, he will not be able to access any objects that are in a different category, such as Finance, even if the object is ranked below top secret clearance. This is commonly referred to as a 'need to know'. In this case, Jim does not have a need to know about the objects within Finance.
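The sensitivity-label logic of the two paragraphs above, as an added Python example that is not from the original post: a label is a clearance level plus a set of categories, and a subject may read an object only when its level is at least as high and its categories include every category on the object (the "need to know" rule). The level names come from the post; their relative ordering, the category names, and the sample documents are assumptions of this example.

```python
"""Mandatory access control: a subject label must dominate an object label."""
from dataclasses import dataclass

# Higher index = higher clearance. The names are the post's; the ordering is assumed.
LEVELS = ("confidential", "privileged", "top secret")


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level: {self.level}")

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least as high as the other's AND it
        carries every category the other carries. Clearance alone is not enough."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Read check: the subject must dominate the object. The labels are set by the
    system, not by whoever created the object, so there is no grant/revoke here."""
    return subject.dominates(obj)


def demo() -> dict:
    """Jim from the post: top secret clearance, category R&D only."""
    jim = Label("top secret", frozenset({"R&D"}))
    rnd_plan = Label("privileged", frozenset({"R&D"}))            # constructed
    finance_memo = Label("confidential", frozenset({"Finance"}))   # constructed
    joint_brief = Label("confidential", frozenset({"R&D", "Finance"}))  # constructed
    return {
        # level is high enough and the category matches
        "jim_reads_rnd_plan": can_read(jim, rnd_plan),
        # lower level than Jim's clearance, but no need to know for Finance
        "jim_reads_finance_memo": can_read(jim, finance_memo),
        # an object in two categories needs a subject cleared for both
        "jim_reads_joint_brief": can_read(jim, joint_brief),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `dominates` is a partial order, not a simple ranking: two labels at the same level but in different categories are incomparable, which is exactly what keeps Jim out of Finance even though his clearance level is higher.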

Role Based Access Control

Role based access control (RBAC) is becoming one of the most predominant models used in businesses today. RBAC is based on assigning users to roles that describe their job function, such as marketing. Administration then maps what access controls are allowed and disabled for each role. This technique is useful for large organizations that have a high turnover rate. If Jim from marketing decides to leave, it is a simple task to remove his account from the marketing role. Then, when Jan starts, she can quickly be mapped to the marketing role, and she'll have all the rights granted to that position.

RBAC is a centrally administered model, and this helps control what level of access each user has. While a company may have thousands of employees, there may only be tens of roles. It is a much simpler task to define and outline what privileges each role should have than to deal with it on an employee-by-employee basis.

Some RBAC models include a hierarchical component. In these models, roles that are higher in the hierarchy inherit the privileges of lower roles. For instance, a nurse may be allowed only to read patient information, while a doctor would inherit this right and additionally be able to edit the information. If an organization implements a hierarchy-based model, it must take precautions to prevent fraud. A manager working in accounts payable should not be given the privilege to also create invoices, even if this right is granted to a lower role.
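The three RBAC paragraphs above describe user-to-role assignment, role hierarchy, and the fraud precaution that hierarchy requires. The following Python is an added example (not from the original post) that implements all three: permissions are granted to roles, senior roles inherit junior roles' permissions, and a static separation-of-duty check flags any role whose effective permissions include a conflicting pair. The role and permission names, and the choice of `create_invoice` versus `approve_payment` as the conflicting pair, are assumptions of this example.

```python
"""Role-based access control with hierarchy and a separation-of-duty check."""
from collections import defaultdict


class Rbac:
    def __init__(self) -> None:
        self.role_perms = defaultdict(set)  # role -> permissions granted directly
        self.juniors = defaultdict(set)     # senior role -> roles it inherits from
        self.user_roles = defaultdict(set)  # user -> assigned roles
        self.conflicts = []                 # permission pairs no single role may hold

    def grant(self, role: str, *perms: str) -> None:
        self.role_perms[role].update(perms)

    def inherits(self, senior: str, junior: str) -> None:
        self.juniors[senior].add(junior)

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def role_permissions(self, role: str) -> set:
        """Effective permissions: walk down the hierarchy (with a cycle guard)."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms[r]
            stack.extend(self.juniors[r])
        return perms

    def user_permissions(self, user: str) -> set:
        return set().union(*(self.role_permissions(r) for r in self.user_roles[user]))

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.user_permissions(user)

    def sod_violations(self) -> list:
        """Roles whose effective (inherited) permissions contain a conflicting pair."""
        bad = []
        for role in sorted(set(self.role_perms) | set(self.juniors)):
            eff = self.role_permissions(role)
            for a, b in self.conflicts:
                if a in eff and b in eff:
                    bad.append((role, a, b))
        return bad


def turnover_demo() -> dict:
    """Jim leaves marketing and Jan replaces him: only the assignments change."""
    r = Rbac()
    r.grant("marketing", "read_campaigns", "edit_campaigns")
    r.assign("Jim", "marketing")
    r.unassign("Jim", "marketing")  # Jim leaves
    r.assign("Jan", "marketing")    # Jan starts
    return {"jim": r.allowed("Jim", "edit_campaigns"),
            "jan": r.allowed("Jan", "edit_campaigns")}


def hospital_demo() -> dict:
    """A doctor inherits the nurse's read right and adds an edit right."""
    r = Rbac()
    r.grant("nurse", "read_patient")
    r.grant("doctor", "edit_patient")
    r.inherits("doctor", "nurse")
    return {"nurse": r.role_permissions("nurse"),
            "doctor": r.role_permissions("doctor")}


def accounts_payable_demo(manager_inherits_clerk: bool) -> list:
    """Naive design (True): the AP manager inherits everything the clerk can do,
    including create_invoice, and the SoD check reports it. Corrected design
    (False): the manager role is not placed above the clerk role."""
    r = Rbac()
    r.grant("ap_clerk", "create_invoice")
    r.grant("ap_manager", "approve_payment")
    r.conflicts.append(("create_invoice", "approve_payment"))
    if manager_inherits_clerk:
        r.inherits("ap_manager", "ap_clerk")
    return r.sod_violations()


if __name__ == "__main__":
    print(turnover_demo(), hospital_demo())
    print("naive:", accounts_payable_demo(True), "corrected:", accounts_payable_demo(False))
```

Running `sod_violations` every time the hierarchy or a role's permissions change, rather than only at user-assignment time, is what catches the accounts-payable case: the conflict is created by the inheritance edge, before any particular manager is ever assigned.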
