Types of Access Control

Non-discretionary access control

Access is set and controlled by the overall security administrator.
Users do not have the capability to change, modify or set the ownership of, or access to, objects.

Mandatory access control

The system owner sets the access levels and users are put into different categories with different access levels.
Famous example: SELinux

Discretionary Access Control – DAC

The owner of the object decides the level of privilege that a user can have.

RSBAC – rule-set based access control

- Linux-based.
- Exists since 1996, in active development since 2000.
- Works at kernel level.
- Based on GFAC, the generalized framework for access control.
Several modules:
- MAC – Mandatory access control
- PM – Primary module
- FC – Function control module
- FF – File flag module
- MS – Malware scan module
- RC – Role compatibility module
- SIM – Security information modification module
- Auth – Authentication module
- ACL – Access control list module

RBAC – role based access control

Access is based on the role that a user holds; the access level of each role is decided by the owner.

CUI – constrained user interface

- The user is only shown the options that they are allowed to access.
- Similar to VBAC, view-based access control, where the user is only shown a view that displays the options available at their access level.

CDAC – content dependent access control

- Based on GFAC.
- Access is granted or denied based on the content and its level of secrecy or sensitivity.

CBAC – context-based access control

- Works on context, or a sequence of events that are detectable.
- Mostly used in firewalls.
- Could be used to deny access based on how many requests are being sent in for access to a certain object, or on the sequence in which the requests arrive.

TRBAC – Temporal role based access control

- Time-based and role-based.
- The role is active only during a time period that has been decided by the owner.
- Could be a certain time zone or a certain time window that the access is based upon.
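As an added example (not from the original post), a small deny-by-default policy check for two of the models listed above: a TRBAC decision where a role is only active inside an owner-set time window, and a CBAC decision that denies when a subject's request count for an object exceeds a limit within a window. The roles, objects, limits and request log are constructed for illustration.

```python
from datetime import datetime, time

# TRBAC policy (constructed): role -> (objects the role may read, active window as UTC clock times).
# The owner decides both which objects a role covers and when the role is live.
TRBAC_POLICY = {
    "payroll_clerk": ({"salary_db"}, (time(8, 0), time(18, 0))),
    "night_auditor": ({"salary_db"}, (time(22, 0), time(6, 0))),  # window crosses midnight
}

def in_window(now_t, start, end):
    """True if clock time now_t lies in [start, end); start > end means the window wraps past midnight."""
    if start <= end:
        return start <= now_t < end
    return now_t >= start or now_t < end

def trbac_allows(role, obj, now_iso):
    """TRBAC decision, deny by default: the role must exist, cover obj, and be active at now_iso (UTC)."""
    if role not in TRBAC_POLICY:
        return False
    objects, (start, end) = TRBAC_POLICY[role]
    return obj in objects and in_window(datetime.fromisoformat(now_iso).time(), start, end)

# CBAC policy (constructed): the context is the recent request history for an object.
# MAX_REQUESTS or more from one subject inside WINDOW_SECONDS is treated as abuse and the next one is denied.
MAX_REQUESTS = 3
WINDOW_SECONDS = 60

def cbac_allows(log, subject, obj, now_iso):
    """CBAC decision over a request log of (iso_timestamp, subject, object) tuples."""
    now = datetime.fromisoformat(now_iso)
    recent = [t for t, s, o in log
              if s == subject and o == obj
              and 0 <= (now - datetime.fromisoformat(t)).total_seconds() < WINDOW_SECONDS]
    return len(recent) < MAX_REQUESTS

# Constructed request log: three hits on salary_db from 'alice' inside one minute, one from 'bob'.
REQUEST_LOG = [
    ("2024-01-01T09:00:00", "alice", "salary_db"),
    ("2024-01-01T09:00:10", "alice", "salary_db"),
    ("2024-01-01T09:00:20", "alice", "salary_db"),
    ("2024-01-01T09:00:25", "bob", "salary_db"),
]

if __name__ == "__main__":
    print("clerk at 09:30   ->", trbac_allows("payroll_clerk", "salary_db", "2024-01-01T09:30:00"))  # True
    print("clerk at 19:00   ->", trbac_allows("payroll_clerk", "salary_db", "2024-01-01T19:00:00"))  # False
    print("auditor at 02:00 ->", trbac_allows("night_auditor", "salary_db", "2024-01-01T02:00:00"))  # True
    print("alice, 4th hit   ->", cbac_allows(REQUEST_LOG, "alice", "salary_db", "2024-01-01T09:00:30"))  # False
    print("bob, 2nd hit     ->", cbac_allows(REQUEST_LOG, "bob", "salary_db", "2024-01-01T09:00:30"))  # True
```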
