
Access Control Models

CISSP

Access control models are essential frameworks used to manage and regulate who can access specific objects in a system. These models utilize various authorization mechanisms to ensure security and proper access management. Here are the key concepts and mechanisms within access control models:

1. Implicit Deny:

  • Definition: Implicit Deny is a fundamental principle in access control. It ensures that access to an object is denied unless explicitly granted to a subject.
  • Application: If there is no rule allowing access, the default action is to deny access. This principle is critical in ensuring that only authorized users can access resources.

2. Access Control Matrix:

  • Definition: An Access Control Matrix is a table that defines the access permissions for different subjects (users or groups) to various objects (files, databases, systems).
  • Components:
    • Subjects: Users, groups, or roles attempting to access objects.
    • Objects: Resources or data that need protection.
    • Privileges: The specific actions (read, write, execute) that subjects can perform on objects.
  • Functionality: When a subject attempts an action, the system checks the matrix to see if the subject has the necessary privileges.

3. Capability Tables:

  • Definition: Capability Tables are similar to Access Control Lists (ACLs) but focus on subjects rather than objects.
  • Focus:
    • Subject-Oriented: Capability tables list all objects that a particular subject (like a user, group, or role) can access, along with the specific privileges assigned.
    • Example: A capability table for an “Accounting” role might include all files and systems that role can access and the specific actions it can perform on each.
  • Difference from ACLs:
    • ACLs: Object-focused, detailing the subjects allowed to access an object and what actions they can perform.
    • Capability Tables: Subject-focused, detailing the objects a subject can access.
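The three mechanisms above can be seen as views of one data structure. The following is an added example, not part of the original page: the subjects, objects and privileges are constructed sample values, and the function names are hypothetical. It stores a sparse access control matrix, answers access checks with implicit deny, and derives an ACL (one column) and a capability table (one row) from the same entries.

```python
# Added example. All subjects, objects and privileges are constructed samples.

# Access control matrix stored sparsely: (subject, object) -> set of privileges.
# A pair with no entry grants nothing, which is what implicit deny relies on.
MATRIX = {
    ("alice", "ledger.xlsx"): {"read", "write"},
    ("alice", "payroll.db"): {"read"},
    ("bob", "ledger.xlsx"): {"read"},
    ("backup-svc", "payroll.db"): {"read"},
}


def is_allowed(subject, obj, action, matrix=MATRIX):
    """Implicit deny: allow only when an explicit entry lists the action."""
    return action in matrix.get((subject, obj), frozenset())


def acl_for(obj, matrix=MATRIX):
    """Object-focused view (one matrix column): subject -> privileges."""
    return {s: set(p) for (s, o), p in matrix.items() if o == obj}


def capability_table_for(subject, matrix=MATRIX):
    """Subject-focused view (one matrix row): object -> privileges."""
    return {o: set(p) for (s, o), p in matrix.items() if s == subject}


def views_agree(matrix=MATRIX):
    """Every ACL entry must reappear in the matching capability table."""
    return all(
        capability_table_for(s, matrix).get(o) == acl_for(o, matrix).get(s)
        for (s, o) in matrix
    )


if __name__ == "__main__":
    print("alice write ledger:", is_allowed("alice", "ledger.xlsx", "write"))
    print("bob write ledger:  ", is_allowed("bob", "ledger.xlsx", "write"))
    print("unknown subject:   ", is_allowed("mallory", "payroll.db", "read"))
    print("ACL for payroll.db:", acl_for("payroll.db"))
    print("alice capabilities:", capability_table_for("alice"))
    print("views agree:       ", views_agree())
```

The ACL and the capability table never disagree here because both are computed from the matrix; systems that store them separately have to keep the two in sync.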

4. Comparing Permissions, Rights, and Privileges:

  • Permissions:
    • Definition: Permissions refer to the specific access granted to an object, such as the ability to read, write, or execute a file.
    • Example: If a user has only read permission for a document, they can open and view it but cannot modify it.
  • Rights:
    • Definition: Rights refer to the ability to perform specific actions on a system, beyond just accessing data.
    • Example: A right might include the ability to modify system time, restore files, or install software.
  • Privileges:
    • Definition: Privileges are the combination of rights and permissions.
    • Example: An administrator has full privileges, meaning they have all rights (such as installing software) and permissions (such as accessing all files).

Summary:

  • Implicit Deny ensures that only explicitly authorized actions are allowed.
  • Access Control Matrix provides a clear mapping of what each subject can do with each object.
  • Capability Tables offer a subject-focused view of what objects a subject can access and what they can do with them.
  • Permissions, Rights, and Privileges are distinct but related concepts that help define what users can do within a system.

These mechanisms are vital for enforcing security policies, ensuring that only authorized users have access to specific resources, and protecting sensitive information.
