Handout 6 - Access Control
Access Control
Access Control Definition (1)
NISTIR 7298 defines access control as:
[Figure: access control elements. A subject exercises an access right on an object.]

(a) Access matrix: rows are subjects, columns are objects, and each cell lists the access rights of that subject to that object.

                File 1             File 2             File 3             File 4
User A          Own, Read, Write                      Own, Read, Write
User B          Read               Own, Read, Write   Write              Read
User C          Read, Write        Read                                  Own, Read, Write
[Figure: generalized access control matrix. Subjects S1, S2, S3 are the rows; the columns (OBJECTS) are the subjects S1, S2, S3 themselves, files F1, F2, processes P1, P2 and disk drives D1, D2, so a subject can also be the object of an access.]

[Figure: traditional UNIX approach (minimal access control list). 12 protection bits specify read, write, and execute permission for the owner of the file, members of the group, and all other users. Example: the bits rw- r-- --- correspond to the entries user::rw-, group::r--, other::---.]
Traditional UNIX File Access Control
"Set user ID" (SetUID) and "Set group ID" (SetGID):
• The system temporarily uses the rights of the file owner/group in addition to the real user's rights when making access control decisions (only effective while the program is being executed)
• Enables privileged programs to access files/resources not generally accessible
Sticky bit: when applied to a directory it specifies that only the owner of any file in the directory can rename, move, or delete that file
Superuser:
• Is exempt from usual access control restrictions
• Has system-wide access
Access Control Lists (ACLs) in UNIX
Modern UNIX systems support ACLs
• FreeBSD, OpenBSD, Linux, Solaris
FreeBSD
• The setfacl command assigns a list of UNIX user IDs and groups to a file
• Any number of users and groups can be associated with a file
• Read, write, execute protection bits
• A file does not need to have an ACL
• Includes an additional protection bit that indicates whether the file has an extended ACL
[Figure (b): extended access control list. The file's protection bits read rw- rw- ---; the ACL entries are user::rw-, user:joe:rw-, group::r--, mask::rw-, other::---. The named-user entry user:joe:rw- and the group entry group::r-- are the masked entries: the mask::rw- entry caps the rights they can grant.]
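The evaluation rules behind figure (b), written out as an added example (not code from the handout): the first matching class decides, and the mask caps every entry except user:: and other::. File owner, group and user names are constructed; the ACL text is the one in the figure.

```python
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[str, str, Set[str]]  # (tag, qualifier, permission set)

# Constructed getfacl-style text matching the extended ACL in figure (b).
ACL_TEXT = "user::rw-\nuser:joe:rw-\ngroup::r--\nmask::rw-\nother::---"

def parse_acl(text: str) -> List[Entry]:
    """Parse 'tag:qualifier:perms' lines; '-' placeholders are dropped."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, {p for p in perms if p != "-"}))
    return entries

def acl_permits(acl: List[Entry], owner: str, owning_group: str,
                user: str, user_groups: Set[str], want: str) -> bool:
    """POSIX.1e-style check: the first matching class decides.
    owner/owning_group are the file's UNIX owner and group, user/user_groups
    describe the requesting process, want is 'r', 'w' or 'x'.
    """
    def entry(tag: str, qualifier: str = "") -> Set[str]:
        return next(p for t, q, p in acl if t == tag and q == qualifier)

    def named(tag: str) -> Dict[str, Set[str]]:
        return {q: p for t, q, p in acl if t == tag and q}

    mask: Optional[Set[str]] = next((p for t, _, p in acl if t == "mask"), None)

    def capped(perms: Set[str]) -> Set[str]:
        return perms if mask is None else perms & mask  # mask limits these entries

    if user == owner:                       # 1. owner: user:: entry, never masked
        return want in entry("user")
    if user in named("user"):               # 2. named user entry, masked
        return want in capped(named("user")[user])
    group_perms = []                        # 3. owning group and named groups
    if owning_group in user_groups:
        group_perms.append(entry("group"))
    group_perms += [p for g, p in named("group").items() if g in user_groups]
    if group_perms:                         # a matching group class never falls to other
        return any(want in capped(p) for p in group_perms)
    return want in entry("other")           # 4. other:: entry, never masked

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(acl_permits(acl, "alice", "staff", "joe", {"users"}, "w"))  # True
    print(acl_permits(acl, "alice", "staff", "bob", {"staff"}, "w"))  # False
```

Lowering the mask to r-- would leave user:joe:rw- in the list but deny joe's writes, which is why a mask entry needs reading alongside the named entries it governs.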
Role-based Access Control Model [RBAC]
[Figure: Users (U1 ... Um) are assigned to Roles (Role 1, Role 2, Role 3), and roles are granted access to Resources. Example: Engineer 1 and Engineer 2 hold the Engineering Dept role.]
Access Control Matrix Representation of RBAC
[Figure: two matrices. The user-role matrix has users U1 ... Um as rows and roles R1 ... Rn as columns. The role-object matrix has roles R1 ... Rn as rows and, as columns (OBJECTS), the roles R1 ... Rn themselves plus files, processes P1, P2 and disk drives D1, D2; example cells hold rights such as control, write and stop.]
Constraints in RBAC
A constraint is a defined relationship among roles or a condition related to roles
Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
Types:
Mutually exclusive roles
• A user can only be assigned to one role in the set (either during a session or statically)
• Any permission (access right) can be granted to only one role in the set
Cardinality
• Setting a maximum number with respect to roles
Prerequisite roles
• Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
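The user-assignment side of the three constraint types, as an added example that is not part of the handout. The roles, the limit of one branch manager and the user names are constructed for the banking case study later in the handout.

```python
from typing import Dict, List, Optional, Set

class RbacConstraintError(Exception):
    """Raised when a role assignment would violate a constraint."""

class RoleAssigner:
    def __init__(self, mutually_exclusive: List[Set[str]],
                 cardinality: Dict[str, int], prerequisites: Dict[str, str]):
        self.mutually_exclusive = mutually_exclusive  # role sets: a user may hold one
        self.cardinality = cardinality                # role -> maximum number of users
        self.prerequisites = prerequisites            # role -> role that must be held first
        self.members: Dict[str, Set[str]] = {}        # role -> users currently assigned

    def roles_of(self, user: str) -> Set[str]:
        return {r for r, users in self.members.items() if user in users}

    def violation(self, user: str, role: str) -> Optional[str]:
        """Return why assigning `role` to `user` is forbidden, or None if allowed."""
        held = self.roles_of(user)
        for exclusive in self.mutually_exclusive:        # static mutual exclusion
            clash = held & (exclusive - {role})
            if role in exclusive and clash:
                return f"{role} is mutually exclusive with {sorted(clash)}"
        limit = self.cardinality.get(role)               # cardinality
        if limit is not None and len(self.members.get(role, ())) >= limit:
            return f"{role} already has its maximum of {limit} users"
        needed = self.prerequisites.get(role)            # prerequisite role
        if needed is not None and needed not in held:
            return f"{role} requires {needed} to be assigned first"
        return None

    def assign(self, user: str, role: str) -> None:
        reason = self.violation(user, role)
        if reason is not None:
            raise RbacConstraintError(reason)
        self.members.setdefault(role, set()).add(user)

def bank_example() -> RoleAssigner:
    """Constructed bank policy: tellers may not also audit, there is a single
    branch manager, and senior_teller presupposes teller."""
    rbac = RoleAssigner(mutually_exclusive=[{"teller", "auditor"}],
                        cardinality={"branch_manager": 1},
                        prerequisites={"senior_teller": "teller"})
    rbac.assign("ann", "teller")
    rbac.assign("ann", "senior_teller")
    rbac.assign("bob", "branch_manager")
    return rbac
```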
Attribute-Based Access Control (ABAC)
Can define authorizations that express conditions on properties of both the resource and the subject
Strength is its flexibility and expressive power
Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XACML)
Three key elements to an ABAC model: attributes, policy model, and architecture model
ABAC Model: Attributes
Subject attributes
• A subject is an active entity that causes information to flow among objects or changes the system state
• Attributes define the identity and characteristics of the subject
• Ex: identifier, name, organization, job title, subject's role ...
Object attributes
• An object (or resource) is a passive information system-related entity containing or receiving information
• Objects have attributes that can be leveraged to make access control decisions
• Ex: title, subject, date, author, metadata, ...
Environment attributes
• Describe the operational, technical, and even situational environment or context in which the information access occurs
• These attributes have so far been largely ignored in most access control policies
• Ex: current date and time, network's security level (e.g., Internet vs. intranet)
ABAC
Allows an unlimited number of attributes to be combined to satisfy any access control rule
Systems are capable of enforcing DAC, RBAC, and MAC concepts
ABAC Scenario
[Figure: (1) a Subject (user) requests access; the Access control mechanism consults (2a) the Access Control Policies, (2b) Subject Attributes, (2c) Object Attributes and (2d) Environmental Attributes; (3) the decision is Permit or Deny.]
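The scenario above as an added example (not code from the handout): a decision point combining subject, object and environment attributes under a deny-overrides, default-deny policy. The rules, attribute stores and the "network" environment attribute (Internet vs. intranet, from the attributes slide) are constructed.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
# A rule condition sees (subject attrs, object attrs, environment attrs, action).
Condition = Callable[[Attrs, Attrs, Attrs, str], bool]

@dataclass
class Rule:
    description: str
    condition: Condition
    effect: str = "permit"          # "permit" or "deny"

@dataclass
class AccessControlMechanism:
    policies: List[Rule]            # 2a: access control policies
    subjects: Dict[str, Attrs]      # 2b: subject attributes by subject id
    objects: Dict[str, Attrs]       # 2c: object attributes by object id

    def decide(self, subject_id: str, object_id: str, action: str,
               environment: Attrs) -> str:
        """Step 3: Permit or Deny. Any matching deny rule wins; no match means Deny."""
        s = self.subjects.get(subject_id, {})
        o = self.objects.get(object_id, {})
        effects = {r.effect for r in self.policies          # 2d: environment is
                   if r.condition(s, o, environment, action)}  # supplied per request
        if "deny" in effects:
            return "Deny"
        return "Permit" if "permit" in effects else "Deny"

def build_example() -> AccessControlMechanism:
    """Constructed policy and attribute stores for the scenario above."""
    policies = [
        Rule("same department may read from the intranet",
             lambda s, o, e, a: a == "read" and s.get("department") == o.get("department")
             and e.get("network") == "intranet"),
        Rule("authors may read and write their own documents",
             lambda s, o, e, a: a in ("read", "write") and s.get("id") == o.get("author")),
        Rule("restricted documents are never served outside the intranet",
             lambda s, o, e, a: o.get("classification") == "restricted"
             and e.get("network") != "intranet", effect="deny"),
    ]
    subjects = {"u1": {"id": "u1", "department": "eng", "job_title": "engineer"},
                "u2": {"id": "u2", "department": "hr", "job_title": "analyst"}}
    objects = {"doc1": {"author": "u1", "department": "eng", "classification": "restricted"},
               "doc2": {"author": "u2", "department": "eng", "classification": "internal"}}
    return AccessControlMechanism(policies, subjects, objects)
```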
Typically written from the perspective of the object that needs protecting and the privileges available to subjects
Privileges represent the authorized behavior of a subject and are defined by an authority and embodied in a policy
Other terms commonly used instead of privileges are: rights, authorizations, and entitlements
Identity, Credential, and Access
Management (ICAM)
A comprehensive approach to managing and implementing
digital identities, credentials, and access control
Developed by the U.S. government
Designed to:
Create trusted digital identity representations of individuals and
nonperson entities (NPEs)
Bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions
A credential is an object or data structure that authoritatively binds
an identity to a token possessed and controlled by a subscriber
Use the credentials to provide authorized access to an agency’s
resources
ICAM – Identity, Credential, and Access Management
[Figure: ICAM components. Credential Management (Sponsorship, Enrollment, Production, Issuance); Identity Management (Background Investigation, On-boarding, Authoritative Attribute Sources, Provisioning/Deprovisioning); Access Management; and Identity Federation with External Agency and Citizen identities.]
A credential is produced
• Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smart card or other functions
Access management
• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes, resource attributes, and environmental conditions are required for access of a given resource for a given function
• Privilege management
• Policy management
[Figure: identity federation. Users, Trust Framework Providers, and an Identity Information Exchange Approach.]
Case Study: RBAC System for a Bank
Functions and Roles for a Banking
Example
Example of Access Control Administration
[Figure: the Human Resources Department administers Roles, User IDs and Positions and assigns users to roles; Application Administration administers Functions, Applications and Access Rights; Authorization Administration links Roles to Applications. The relationships are marked with cardinalities 1, 1-4 and N:M.]
Thank You