Access Control Models
(OBJ 4.6)
Different Types of Access Control Models
- Mandatory Access Control (MAC)
  - Uses security labels to authorize resource access
  - Requires assigning security labels to both users and resources
  - Access is granted only if the user's label is equal to or higher than the resource's label
  - Mandatory Access Control (MAC) is typically used in environments that require a high level of data security. In a MAC model, access permissions are regulated by a central authority, and users cannot modify their own permissions.
- Discretionary Access Control (DAC)
  - Resource owners specify which users can access their resources
  - Access control based on user identity, profile, or role
  - Allows resource owners to grant access to specific users
  - Example:
    - File sharing
- Role-Based Access Control (RBAC)
  - Assigns users to roles and assigns permissions to roles
  - Normally implemented using Groups in a Windows environment
  - Roles mimic the organization's hierarchy
  - Enforces minimum privileges
  - Effective for managing permissions based on job roles and turnover
- Rule-Based Access Control
  - Enables administrators to apply security policies to all users
  - Uses security rules or access control lists
  - Policies can be changed quickly and frequently
  - Applied across multiple users on a network segment
- Attribute-Based Access Control (ABAC)
  - Considers various attributes like
    - User Attributes
      - User's name, role, organization ID, or security clearance
    - Environment Attributes
      - Time of access, data location, and current organization's threat level
    - Resource Attributes
      - File creation date, resource owner, file name, and data sensitivity
  - Access decisions are based on the combination of attributes
  - Provides fine-grained control and dynamic access decisions
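
An added example (not part of the original notes) of an ABAC decision that combines user, resource, and environment attributes, including a MAC-style label comparison and a time-of-day check. The label ordering, the 08:00-18:00 working window, the owner exception, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Ordered labels, constructed for this example (not from the original notes).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class User:            # user attributes
    name: str
    org_id: str
    clearance: str

@dataclass(frozen=True)
class Resource:        # resource attributes
    file_name: str
    owner: str
    org_id: str
    sensitivity: str

@dataclass(frozen=True)
class Environment:     # environment attributes
    access_time: time
    threat_level: str  # "normal" or "elevated"

def decide(user, resource, env):
    """Return (allowed, reason); every rule must pass, first failure denies."""
    # Fail closed: an unknown clearance ranks lowest, an unknown sensitivity highest.
    clearance = LEVELS.get(user.clearance, -1)
    sensitivity = LEVELS.get(resource.sensitivity, max(LEVELS.values()) + 1)
    in_hours = time(8, 0) <= env.access_time <= time(18, 0)
    rules = [
        (user.org_id == resource.org_id, "organization ID mismatch"),
        (clearance >= sensitivity, "clearance below data sensitivity"),
        (in_hours or user.name == resource.owner, "outside working hours and not the owner"),
        (env.threat_level == "normal" or sensitivity < LEVELS["confidential"],
         "threat level blocks confidential data"),
    ]
    for passed, reason in rules:
        if not passed:
            return False, reason
    return True, "all attribute rules satisfied"

if __name__ == "__main__":
    alice = User("alice", "org-1", "confidential")
    report = Resource("q3-report.xlsx", "bob", "org-1", "confidential")
    for env in (Environment(time(10, 30), "normal"), Environment(time(22, 0), "normal"),
                Environment(time(10, 30), "elevated")):
        print(env, decide(alice, report, env))
```

The same user and resource get different answers as the environment changes, which is the dynamic behavior that separates ABAC from a static role or label check.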
Access Control Extensions
- Time-of-Day Restrictions
  - Limits access based on specific time periods
  - Often used to complement other access control models
  - Helps prevent unauthorized access during non-working hours
- Principle of Least Privilege
  - Users are granted the minimum access required to perform their job functions
  - Reduces the risk of misuse or accidental damage
  - Regularly review and adjust permissions to prevent authorization creep
    - Authorization Creep: Occurs when a user gains excessive rights during their career progression in the company
    - Example:
      - Getting new permissions to fulfill the requirements of a new position without having the permissions of the previous role revoked
  - Implemented by applying one of the previous 5 methods