CENG413 - Lec02
Information Security
Izmir Katip Celebi University
Fall 2024-2025
Lecture 02
H. Burak Akyol, Ph.D.
These slides are adapted from the lecture notes of D. Soper and the lecture notes of A. D. Brucker.
What is Access Control?
• Access control is a security mechanism that determines who can
access a specific resource and what actions they can perform on that
resource.
• It can be seen as a set of rules and policies.
• In simple terms, access control involves:
• Verifying who you are (authentication)
• Determining what you are allowed to do (authorization)
• Based on that, granting you permission to perform those actions on the
resources
Example
• For example, suppose you are logging into your
email account. First, the system asks for your user id
and then your password; this is to verify your
identity.
• Then the system checks which resources and
actions you are authorized to access (based on
your user account and the settings that have been
configured for it).
• Once this is done, the system grants you
permission to access your email and perform the
actions you are authorized to do, e.g., sending
emails and receiving messages.
Access Control Models
• So, we use access control models to determine who can access a
specific resource and what actions they can perform.
• A model is a framework that is used in authentication and
authorization systems.
• An example of a simple access control model is a relation:
• Subject (users) × Object (resources) × Request (actions)
Access Control Models
• In reality, quite complex
• Might depend on the system state or context
• Subjects and permissions change over time
• Access rights might require the fulfillment of obligations
• Implementation bugs
Forms of Access Control
• Access control might come in various forms:
• Physical protection
• e.g., gates, turnstiles
• Network traffic
• e.g., firewalls
• Hardware
• e.g., memory management
• Operating system
• e.g., file system
• Application level
• e.g., Google login, databases
Access Control Models
• There are many different types of Access Control models. The main types are:
• Discretionary Access Control (DAC)
• Non-DAC systems
• Access Control Matrix (ACM)
• Role-Based Access Control (RBAC)
• Task-Based Access Control (TBAC)
• Rule-Based Access Control (Rule-BAC)
• Attribute-Based Access Control (ABAC)
• Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
• The owner of a resource (its creator or data custodian) decides who
can access it and what level of access is granted; the owner is the
decision maker.
• DAC is implemented using access control lists (ACLs) on
objects.
• An ACL is the list of permissions associated with a resource. The
ACL specifies which users, processes, or applications are
granted access to the object, and with which rights.
• DAC is a decentralized system. The owner can change the
ACL whenever they want.
• DAC is an identity-based model. Access permissions are
determined based on the identity of the user.
Pros and Cons of DAC Model
Pros
• Flexible
• Simple
• Cost Effective
Cons
• Security Risks
• Lack of Central Control
• Challenging to Manage
• Unscalable
Non-DAC Model
• Access to the resources is centrally managed: it is determined by
a central authority, and it is not at the discretion of the resource
owner to grant access.
• In non-DAC, accesses are based on the policies and rules that are
set up by the central authority.
Pros
* Security
* Consistency
* Easier management
* Scalable
Cons
* Not flexible
* Complex to implement
Non-DAC model – sub-types
• There are many different types of non-DAC:
• Access Control Matrix (ACM)
• Role-Based Access Control (RBAC)
• Task-Based Access Control (TBAC)
• Rule-Based Access Control (Rule-BAC)
• Attribute-Based Access Control (ABAC)
• Mandatory Access Control (MAC)
Access Control Matrix (ACM)
• Based on the ideas of privileges of subjects on objects
• Subjects: users, processes, agents, groups, . . .
• Objects: data, files, memory banks, other processes, . . .
• Privileges: right to read, write, modify, remove, . . .
• Matrices have rows and columns; rows of ACM correspond to
subjects and columns correspond to resources that need to be
protected.
• ACM defines who can access what and with which privilege
Access Control Matrix (ACM)
• A protection state (relative to a set of privileges P) is a triple (S, O, M):
• A set of current subjects S
• A set of current objects O
• An access control matrix M, defining the privileges for each (s, o) ∈ S × O, i.e.,
• a relation S × O × P
• (equivalently, a function S × O → 𝒫(P), where 𝒫(P) is the powerset of P)
• Example:
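The following is an added example, not from the lecture slides: it implements the protection state (S, O, M) above as a Python class, with M stored as the function S × O → 𝒫(P), and shows how the two DAC views of the same matrix are obtained by projection: a column is an object's ACL, a row is a subject's capability list. The subjects, objects and privileges are constructed for illustration.

```python
"""Access control matrix as a protection state (S, O, M).

Added example; subjects, objects and privileges are constructed, not from the slides.
"""
from typing import Dict, Set, Tuple


class AccessControlMatrix:
    def __init__(self, subjects, objects, privileges):
        self.S: Set[str] = set(subjects)
        self.O: Set[str] = set(objects)
        self.P: Set[str] = set(privileges)
        # M: S x O -> P(P); an empty cell means "no access"
        self.M: Dict[Tuple[str, str], Set[str]] = {
            (s, o): set() for s in self.S for o in self.O
        }

    def grant(self, s: str, o: str, *privs: str) -> None:
        if s not in self.S or o not in self.O:
            raise KeyError(f"unknown subject/object: ({s}, {o})")
        unknown = set(privs) - self.P
        if unknown:
            raise ValueError(f"unknown privileges: {unknown}")
        self.M[(s, o)].update(privs)

    def revoke(self, s: str, o: str, *privs: str) -> None:
        self.M[(s, o)].difference_update(privs)

    def check(self, s: str, o: str, p: str) -> bool:
        """Reference-monitor decision: is privilege p in M[s, o]?
        Unknown subjects or objects are denied (fail closed)."""
        return p in self.M.get((s, o), set())

    def acl(self, o: str) -> Dict[str, Set[str]]:
        """Column view: the access control list of object o (what a DAC system stores)."""
        return {s: set(self.M[(s, o)]) for s in self.S if self.M[(s, o)]}

    def capabilities(self, s: str) -> Dict[str, Set[str]]:
        """Row view: the capability list of subject s."""
        return {o: set(self.M[(s, o)]) for o in self.O if self.M[(s, o)]}

    def as_relation(self) -> Set[Tuple[str, str, str]]:
        """The equivalent relation on S x O x P."""
        return {(s, o, p) for (s, o), ps in self.M.items() for p in ps}


def build_example() -> AccessControlMatrix:
    """Constructed sample protection state."""
    acm = AccessControlMatrix(
        subjects={"alice", "bob", "backup"},
        objects={"/etc/passwd", "/home/alice/notes"},
        privileges={"read", "write", "own"},
    )
    acm.grant("alice", "/home/alice/notes", "read", "write", "own")
    acm.grant("alice", "/etc/passwd", "read")
    acm.grant("bob", "/etc/passwd", "read")
    acm.grant("backup", "/etc/passwd", "read")
    acm.grant("backup", "/home/alice/notes", "read")
    return acm


if __name__ == "__main__":
    acm = build_example()
    print(acm.check("bob", "/home/alice/notes", "read"))  # False: empty cell
    print(acm.acl("/etc/passwd"))                          # column of the matrix
    print(acm.capabilities("alice"))                       # row of the matrix
```

The cells are kept explicitly for every (s, o) pair, which is exactly why the matrix does not scale: the storage is |S| × |O| regardless of how sparse the policy is, which is the motivation for RBAC in the next section.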
Role-Based Access Control (RBAC)
• An access control matrix quickly becomes unmaintainable
• How can we formalize a policy for
• thousands or millions of subjects, and
• a similar number of objects?
• Observation:
• Subjects (users) often have roles, e.g.,
• customer, employee, student
• Roles share the same rights, e.g.,
• students can attend lectures
• Core idea of RBAC:
• Create roles for job functions in enterprises
• Assign users to roles (based on their responsibilities)
• Assign a set of permissions to each role
RBAC decouples users and permissions by introducing roles
Role-Based Access Control (RBAC)
• RBAC is formalized by
• a set ROLES
• a set USERS
• a relation UA ⊆ USERS × ROLES (UA: user assignment)
• a relation PA ⊆ ROLES × PERMISSIONS (PA: permission (privilege) assignment)
• The access control model AC is the relational composition of the two:
AC := UA ∘ PA
• i.e.,
AC := {(u, p) ∈ USERS × PERMISSIONS | ∃r ∈ ROLES : (u, r) ∈ UA ∧ (r, p) ∈ PA}
Example:
Role-Based Access Control (RBAC)
Example
• Consider a simple university that has students, demonstrators, and lecturers who
need to work with lecture material.
• The lecture material consists of slides, exam papers, and solutions for exam papers.
• Let’s assume we have the following subjects and objects:
• Subjects: chris (lecturer), daniel (lecturer), ellie (demonstrator), alice (student), bob (student)
• Objects: ceng413_slides (slides), ceng413_exam (exam paper), ceng413_solutions (solutions)
• Task: Model the following security policy using role-based access control (RBAC):
• lecturers can read and write all types of lecture material
• demonstrators can read and write slides
• demonstrators can read exam papers and solutions
• students can read slides and exam papers
Role-Based Access Control (RBAC)
Solution (cont’d)
We start by defining the users and roles:
• ROLES = {lecturer, demonstrator, student}
• USERS = {chris, daniel, ellie, alice, bob}
Role-Based Access Control (RBAC)
Solution (cont’d)
Now we can define the relations UA and PA:
• UA = {(chris, lecturer), (daniel, lecturer), (ellie, demonstrator), (alice, student),
(bob, student)}
Role-Based Access Control (RBAC)
Solution (cont’d)
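The following is an added example that works the university exercise through in Python; it is not the slides' own solution. USERS, ROLES, the three objects and UA are taken from the exercise, PA is expanded from the four policy statements, and AC is computed as UA ∘ PA using the set-builder definition above. Encoding a permission as an (action, object) pair is this example's choice.

```python
"""RBAC for the CENG413 university exercise: AC := UA o PA.

Added example. The (action, object) encoding of permissions is an assumption.
"""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (action, object)

ROLES: Set[str] = {"lecturer", "demonstrator", "student"}
USERS: Set[str] = {"chris", "daniel", "ellie", "alice", "bob"}

# object -> type of lecture material
OBJECTS: Dict[str, str] = {
    "ceng413_slides": "slides",
    "ceng413_exam": "exampaper",
    "ceng413_solutions": "solutions",
}

# UA: user assignment, as on the slide
UA: Set[Tuple[str, str]] = {
    ("chris", "lecturer"), ("daniel", "lecturer"),
    ("ellie", "demonstrator"),
    ("alice", "student"), ("bob", "student"),
}

# The policy stated per object type:
#   lecturers: read and write all material
#   demonstrators: read and write slides; read exam papers and solutions
#   students: read slides and exam papers
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "lecturer": {"slides": {"read", "write"},
                 "exampaper": {"read", "write"},
                 "solutions": {"read", "write"}},
    "demonstrator": {"slides": {"read", "write"},
                     "exampaper": {"read"},
                     "solutions": {"read"}},
    "student": {"slides": {"read"},
                "exampaper": {"read"}},
}


def build_pa() -> Set[Tuple[str, Permission]]:
    """PA: permission assignment, expanded from object types to concrete objects."""
    pa: Set[Tuple[str, Permission]] = set()
    for role, by_type in POLICY.items():
        for obj, otype in OBJECTS.items():
            for action in by_type.get(otype, set()):
                pa.add((role, (action, obj)))
    return pa


PA: Set[Tuple[str, Permission]] = build_pa()


def compose(ua, pa) -> Set[Tuple[str, Permission]]:
    """AC := UA o PA = {(u, p) | exists r in ROLES: (u, r) in UA and (r, p) in PA}."""
    return {(u, p) for (u, r) in ua for (r2, p) in pa if r == r2}


AC: Set[Tuple[str, Permission]] = compose(UA, PA)


def allowed(user: str, action: str, obj: str) -> bool:
    """Access decision: look the (user, permission) pair up in AC."""
    return (user, (action, obj)) in AC


def permissions_of(user: str, ac=None) -> Set[Permission]:
    ac = AC if ac is None else ac
    return {p for (u, p) in ac if u == user}


def with_new_user(user: str, role: str) -> Set[Tuple[str, Permission]]:
    """Onboarding in RBAC: one new UA pair gives the user all of the role's permissions."""
    return compose(UA | {(user, role)}, PA)


if __name__ == "__main__":
    for u in sorted(USERS):
        print(u, sorted(permissions_of(u)))
```

PA has 12 pairs (6 for lecturer, 4 for demonstrator, 2 for student) and AC has 20, whereas an access control matrix for the same policy would need a cell for every (user, object) pair and would have to be edited directly each time a user joins or leaves.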
Beyond RBAC
• RBAC is very useful in dynamic environments, e.g., with frequent employee changes:
admins can grant many permissions at once just by assigning a new user to a role.
• TBAC (Task-Based Access Control) is very similar to RBAC. However, in TBAC,
users are assigned to tasks rather than to job roles.
• In RuBAC (Rule-Based Access Control), access is granted based on a set of
predefined rules, filters, and restrictions.
• The rules are defined by the system admin
• These rules are global rules that are applied to all subjects.
• E.g., a firewall rule set
• ABAC (Attribute-Based Access Control) can be seen as a more expressive form of RuBAC.
• It uses attributes of users (subjects), resources, and environmental conditions
(e.g., time of day, network location) to make access control decisions.
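The following is an added example, not from the slides, showing how a rule-based and an attribute-based policy are evaluated in practice: every rule is a predicate over the subject's, the resource's and the environment's attributes, a global deny rule of the RuBAC kind (an off-hours lockout) applies to all subjects, and the rules are combined deny-overrides with a default of deny. The attribute names, the rules and the sample requests are constructed for illustration.

```python
"""Attribute-based access control (ABAC) with a deny-by-default rule evaluator.

Added example, not from the slides. Attribute names, rules and sample
requests are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs    # user attributes: id, department, roles, clearance
    action: str       # requested operation
    resource: Attrs   # object attributes: owner, department, sensitivity
    env: Attrs        # environmental conditions: current time, network


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # predicate over the attributes


def evaluate(rules: List[Rule], req: Request) -> bool:
    """Deny-overrides combining: any applicable deny rule wins; otherwise the
    request needs at least one applicable permit rule. A request matching no
    rule at all is denied (fail closed)."""
    permitted = False
    for rule in rules:
        if rule.applies(req):
            if rule.effect == "deny":
                return False
            permitted = True
    return permitted


def within_hours(req: Request) -> bool:
    return time(8, 0) <= req.env["time"] <= time(18, 0)


# The first rule is a global RuBAC-style rule applied to every subject; the
# others are ABAC rules comparing subject, resource and environment attributes.
RULES: List[Rule] = [
    Rule("off-hours-lockout", "deny", lambda r: not within_hours(r)),
    Rule("owner-full-access", "permit",
         lambda r: r.resource["owner"] == r.subject["id"]),
    Rule("same-department-read", "permit",
         lambda r: r.action == "read"
         and r.subject["department"] == r.resource["department"]
         and r.subject["clearance"] >= r.resource["sensitivity"]),
    Rule("auditor-read-from-office", "permit",
         lambda r: r.action == "read"
         and "auditor" in r.subject["roles"]
         and r.env["network"] == "corporate"),
]


def decide(subject: Attrs, action: str, resource: Attrs, env: Attrs) -> bool:
    return evaluate(RULES, Request(subject, action, resource, env))


# Constructed sample attributes
DR_LEE = {"id": "lee", "department": "cardiology", "roles": {"doctor"}, "clearance": 2}
AUDITOR = {"id": "kim", "department": "finance", "roles": {"auditor"}, "clearance": 1}
PATIENT_PARK = {"id": "park", "department": "none", "roles": {"patient"}, "clearance": 0}
RECORD = {"owner": "park", "department": "cardiology", "sensitivity": 2}
OFFICE_HOURS = {"time": time(10, 30), "network": "corporate"}
DAYTIME_VPN = {"time": time(10, 30), "network": "vpn"}
NIGHT_VPN = {"time": time(23, 0), "network": "vpn"}

if __name__ == "__main__":
    print(decide(DR_LEE, "read", RECORD, OFFICE_HOURS))   # True: same department
    print(decide(DR_LEE, "read", RECORD, NIGHT_VPN))      # False: global lockout
    print(decide(PATIENT_PARK, "write", RECORD, OFFICE_HOURS))  # True: owner
```

The combining algorithm is the part to get right: with permit-overrides instead, the off-hours rule would be silently overridden by any matching permit, and without the default deny a request that no rule mentions would be allowed.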
Mandatory Access Control (MAC)
• Used in high-level security environments, e.g., government, military
Mandatory Access Control (MAC)
Example
• Consider a multi-level security setting in which every file
is labelled with one label from the set of labels shown in
the slide’s figure.
• Access by a user to a (labelled) file is granted if the user
has a sufficiently high clearance level (hierarchical MAC:
the clearance must dominate the file’s label).
• Note that labels in the upper part of the figure are more
confidential than labels in the lower part of the figure.
• Question 1. Write down the user clearance level(s) required to read files that are labelled
“restricted”. Answer: {topsecret, secret, restricted}
• Question 2. Write down the user clearance level(s) required to read files that are created
from the content of two files, one with the label “restricted” and one with the label
“internal”. Answer: {topsecret, secret} (a file derived from two inputs must carry the
lowest label that dominates both input labels, so it needs a higher clearance than either input alone)
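The following is an added example, not from the slides, that mechanizes the two questions above. The slide's label figure is not reproduced on this page, so the ordering below is an assumption chosen to be consistent with both answers: topsecret dominates secret, and secret dominates both restricted and internal, which are incomparable with each other. Reading is allowed when the clearance dominates the file's label; the label of a file derived from several inputs is their least upper bound (join) in the ordering.

```python
"""Hierarchical MAC: label dominance and the join of labels.

Added example. The label ordering is an assumption consistent with the
slide's answers; the real figure is not on the page.
"""
from typing import Dict, Iterable, Set

# Hasse diagram: label -> labels it directly dominates (assumed ordering)
DOMINATES_DIRECT: Dict[str, Set[str]] = {
    "topsecret": {"secret"},
    "secret": {"restricted", "internal"},
    "restricted": set(),
    "internal": set(),
}
LABELS: Set[str] = set(DOMINATES_DIRECT)


def dominates(a: str, b: str) -> bool:
    """a >= b in the partial order (reflexive, transitive); unknown labels
    never dominate anything, so a typo in a label fails closed."""
    if a not in LABELS or b not in LABELS:
        return False
    if a == b:
        return True
    return any(dominates(c, b) for c in DOMINATES_DIRECT[a])


def can_read(clearance: str, label: str) -> bool:
    """Simple security property: read only if clearance dominates the label."""
    return dominates(clearance, label)


def clearances_for_reading(label: str) -> Set[str]:
    """Question 1: every clearance that may read a file with this label."""
    return {c for c in LABELS if can_read(c, label)}


def join(labels: Iterable[str]) -> str:
    """Least upper bound of the labels: the lowest label that dominates all of
    them. A file built from those inputs must be labelled with this value."""
    wanted = set(labels)
    upper = {u for u in LABELS if all(dominates(u, l) for l in wanted)}
    least = [u for u in upper if all(dominates(v, u) for v in upper)]
    if len(least) != 1:
        raise ValueError(f"no unique least upper bound for {sorted(wanted)}")
    return least[0]


def clearances_for_derived(labels: Iterable[str]) -> Set[str]:
    """Question 2: clearances that may read a file derived from these inputs."""
    return clearances_for_reading(join(labels))


if __name__ == "__main__":
    print(sorted(clearances_for_reading("restricted")))             # Q1
    print(join(["restricted", "internal"]))                          # secret
    print(sorted(clearances_for_derived(["restricted", "internal"])))  # Q2
```

Because restricted and internal are incomparable, neither of them is an upper bound of the other, and the join climbs to secret; that is why the second answer loses the restricted clearance even though both inputs individually sit at or below it.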