Chapter 4

Access Control
 Source: Based on [SAND94].

Source: Based on [SAND94].

 Access Control Principles
• In a broad sense, all of computer security is concerned with access control

• RFC 4949 defines computer security as:

“measures that implement and assure security services in a computer system, particularly those that assure
access control service”

NISTIR 7298 defines access control as:

“the process of granting or denying specific requests to:

(1) obtain and use information and related information processing services; and
(2) enter specific physical facilities”

RFC 4949 defines access control as:

“a process by which use of system resources is regulated according to a security policy and is permitted
only by authorized entities (users, programs, processes, or other systems) according to that policy”
 Access Control Context

The context of access control, in addition to access control, involves the following entities and functions:

• Authentication: Verification that the credentials of a user or other system entity are valid.

• Authorization: The granting of a right or permission to a system entity to access a system resource.
This function determines who is trusted for a given purpose.

• Audit: An independent review and examination of system records and activities in order to test for
adequacy of system controls, to ensure compliance with established policy and operational procedures, to
detect breaches in security, and to recommend any indicated changes in control, policy and procedures.

An auditing function monitors and keeps a record of user accesses to system resources.

All operating systems have at least a rudimentary, and in many cases a quite robust, access control
component. Add-on security packages can supplement the native access control capabilities of the
OS. Particular applications or utilities, such as a database management system, also incorporate
access control functions. External devices, such as firewalls, can also provide access control services.
 The Basic Elements of Access Control
Subjects, Objects, and Access Rights

Access
Subject Object
right

An entity capable of A resource to which Describes the way in

which a subject may
accessing objects access is controlled access an object

Three classes Entity used to contain and/or Could include:

receive information
• Owner • Read ( view, copy, print)
• Group • Write (add, modify, delete,
read)
• World
The number and types of objects to be • Execute
protected by an access control system • Delete
depends on the environment in which • Create
access control operates and the desired • Search
tradeoff between security on the one hand
and complexity, processing burden, and
ease of use on the other hand.
 Table 4.1

Authorization Table
for Files in Authorization
Database
 Access Control Policies
An access control policy dictates what types of access are
permitted, under what circumstances, and by whom. Access
control policies are generally grouped into the following
categories:

Discretionary access Mandatory access Role-based access Attribute-based access

control control control control
(DAC) (MAC) (RBAC) (ABAC)

Access control based on user Access control based on

Access control based on the attributes associated with and
Access control based on roles (that is, a collection of
identity of the requestor access authorizations a user about subjects, objects,
comparing security labels
and on access rules receives based on an explicit targets, initiators, resources,
(which indicate how
(authorizations) stating or implicit assumption of a or the environment
sensitive or critical system
what requestors are (or are given role)
resources are) with security
not) allowed to do
clearances (which indicate
system entities are eligible
to access certain resources)
An access control rule set
defines the combination of
Role permissions can be
The controls are inherited through a role
attributes under which an
discretionary in the sense access takes place
hierarchy and typically reflect
that a subject with a the permissions needed to
certain access permission This policy is termed perform defined functions
is capable of passing that mandatory because an within an organization
permission (perhaps entity that has clearance to
indirectly) on to any other access a resource may not,
subject just by its own volition,
enable another entity to
access that resource
A given role can apply to a single
individual or to several individuals
 Discretionary Access Control (DAC)

• DAC enable the owner of a resource to specify which user can access
specific resources. It’s based on the discretion of the owner.
• Often provided using an access matrix
o One dimension consists of identified subjects that may attempt data access
to the resources
o The other dimension lists the objects that may be accessed
• Each entry in the matrix indicates
the access rights of a particular
subject for a particular object
 UNIX
File Access Control/ Access Matrix
 Specify read, write, and execute permission for the owner of the file,
members of the group and all other users
 Mandatory Access Control (MAC)

• Access decisions are based on security clearance of subjects and classification of

objects.
• Each subject has a profile, which includes clearance.
• Each object has a security label which contains the classifications.
• Used in systems where security is critical, such as in the military.
• Each object is given a sensitivity label, and is accessible only to users who are
cleared up to that particular level.
• Common classification: highly sensitive, sensitive, confidential, non-classified.
• Called non- Discretionary ACL
 Role-based Access Control (RBAC)

o RABAC is based on the roles that users assume in a system

o RBAC typically defines a role as a job function within an
organization
o RBAC assigns access rights to roles instead of individual
users. Users are assigned to different roles, either statically or
dynamically, according to their responsibilities.
Permissions
are given to
the roles
rather than
users
Example
RBAC
Models
Scope RBAC Models
 Role hierarchies – RBAC1
- Role hierarchies provide a means of reflecting the hierarchical structure of roles in an organization.

- Typically, job functions with greater responsibility have greater authority to access resources.

- A subordinate job function may have a subset of the access rights of the superior job function.

- Role hierarchies make use of the concept of inheritance to enable one role to implicitly include
access rights associated with a subordinate role.

Next, Figure 4.9 is an example of a diagram of a role hierarchy. By convention, subordinate roles are
lower in the diagram.

- A line between two roles implies that the upper role includes all of the access rights of the lower
role, as well as other access rights not available to the lower role.

- One role can inherit access rights from multiple subordinate roles. For example, in Figure 4.9, the
Project Lead role includes all of the access rights of the Production Engineer role and of the Quality
Engineer role.

- More than one role can inherit from the same subordinate role. For example, both the Production
Engineer role and the Quality Engineer role include all of the access rights of the Engineer role.

- Additional access rights are also assigned to the Production Engineer Role and a different set of
additional access rights are assigned to the Quality Engineer role. Thus, these two roles have
overlapping access rights, namely the access rights they share with the Engineer role.
Example of Role Hierarchy
 Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and
security policies of an organization
• A defined relationship among roles or a condition related to roles
• Types:

Mutually exclusive roles Cardinality Prerequisite roles

• A user can only be assigned • Setting a maximum number of • Dictates that a user can only
to one role in the set (either users with respect to roles be assigned to a particular
during a session or statically) • A maximum the number of role if it is already assigned
roles that a user is assigned to to some other specified role
• Any permission (access • a maximum number of roles
right) can be granted to only that can be granted a particular
one role in the set permission
Case Study: RBAC System for a Bank
 Attribute-Based Access Control
(ABAC)

Main obstacle to its

adoption in real systems
Can define
has been concern about
authorizations that
Strength is its flexibility the performance impact
express conditions on
and expressive power of evaluating predicates
properties of both the
on both resource and
resource and the subject
user properties for each
access
Attribute-Based Access

Control (ABAC)

Relies upon the

evaluation of attributes
Distinguishable because
of the subject, attributes
it controls access to
of the object, and a
objects by evaluating
formal relationship or
rules against the
access control rule
attributes of entities,
defining the allowable
operations, and the
operations for subject-
environment relevant to
object attribute
a request
combinations in a given
environment

Allows an unlimited
Systems are capable of
number of attributes to
enforcing DAC, RBAC,
be combined to satisfy
and MAC concepts
any access control rule
 ABAC Model: Attributes
Object Subject Environment
Attributes Attributes Attributes
• An object (or resource) is a • A subject is an active entity • Describe the operational, technical, and even
situational environment or context in which
passive information system- that causes information to the information access occurs
related entity containing or flow among objects or
receiving information changes the system state
• such as current date and time, the
• Objects have attributes that • Attributes define the identity current virus/hacker activities, and the
network’s security level are not
can be leverages to make and characteristics of the associated with a particular subject nor a
access control decisions subject resource, but may nonetheless be
relevant in applying an access control
• Include: subject policy.
• A Microsoft Word
document, for example, identifier, name, • These attributes have so far been largely
may have attributes organization, job title, ignored in most access control policies
such as title, subject, and so on. A subject’s
date, and author. role can also be viewed
as an attribute.
ABAC Attributes Examples
 ABAC
Scenario
 ABAC Policies
A policy is a set of rules and relationships that govern allowable behavior
within an organization, based on the privileges of subjects and how
resources or objects are to be protected under which environment
conditions

Privileges represent the authorized behavior of a subject

Typically and are defined by an authority and embodied in a policy
written
from the
perspectiv
e of the
object that
needs
protecting
and the Other terms commonly used instead of privileges are: rights,
privileges authorizations, and entitlements
available
to subjects
 Summary
• Access control principles • Attribute-based
o Access control context access control
o Access control policies o Attributes
• Subjects, objects, and access o ABAC logical architecture
o ABAC policies
rights
• Discretionary access control
o Access control model
o Protection domains

• UNIX file access control

o Traditional UNIX file access control
o Access control lists in UNIX

• Role-based access control

o RBAC reference models