Unit-5 Access Control

Uploaded by

loyole9986

Difference between Authentication and Authorization

| Aspect | Authentication | Authorization |
| --- | --- | --- |
| Definition | Verifies the identity of a user or entity | Determines what an authenticated user or entity is allowed to do |
| Primary Question | Who are you? | What are you allowed to do? |
| Purpose | To confirm that the entity is who they claim to be | To grant or deny access to resources based on identity and permissions |
| Process | Collects and verifies credentials (e.g., username, password) | Checks permissions or access levels associated with the authenticated identity |
| Examples | Username and password; Biometrics (fingerprints, facial recognition); Two-factor authentication (2FA) | Access Control Lists (ACLs); Role-Based Access Control (RBAC); File or system permissions (read, write, delete) |
| Outcome | Confirms the identity of the user or entity | Defines what actions or resources the authenticated entity can access |
| Focus | Identity verification | Permission management |
| Example Scenario | Logging into an email account with a username and password | Accessing different features in the email account based on user roles or permissions (e.g., admin vs. regular user) |
Access Control Matrix
• An access control matrix is a table that defines the permissions of
users (or subjects) over various objects (resources). It lists users in
rows and objects in columns, with each cell specifying the type of
access (e.g., read, write, execute) that the user has over the object.

| User/Object | File1 | File2 | File3 | Printer1 | Printer2 |
| --- | --- | --- | --- | --- | --- |
| User1 | R/W | R | - | Execute | - |
| User2 | R | R/W | R/W | - | Execute |
| User3 | - | - | R | Execute | Execute |
Access Control Lists (ACLs)
• An access control list is associated with each object and specifies
which users (or subjects) can access the object and what operations
they can perform. Each object has its own ACL.
• File 1 ACL

| User | Permission |
| --- | --- |
| User1 | Read/Write |
| User2 | Read |

• File 2 ACL

| User | Permission |
| --- | --- |
| User1 | Read |
| User2 | Read/Write |
Capability List (C-List)
• A capability list is associated with each user and specifies what
objects the user can access and what operations they can perform.
Each user has their own capability list.
• User 1 Capability List

| Object | Permission |
| --- | --- |
| File1 | Read/Write |
| File2 | Read |
| Printer1 | Execute |

• User 2 Capability List

| Object | Permission |
| --- | --- |
| File1 | Read |
| File2 | Read/Write |
| File3 | Read/Write |
| Printer2 | Execute |
Differences Between Access Control List (ACL) and Capability List

| Aspect | Access Control List (ACL) | Capability List |
| --- | --- | --- |
| Definition | Associated with each object; specifies user permissions | Associated with each user; specifies object permissions |
| Structure | Each object has a list of users and their permissions | Each user has a list of objects and their permissions |
| Management | Easier to manage access for specific objects | Easier to manage access for specific users |
| Scalability | Can become cumbersome with many objects | Can become cumbersome with many users |
| Modification | Modify object's ACL to change user permissions | Modify user's capability list to change object access |
| Security Model | Object-centric security model | User-centric security model |
| Example | File1 ACL: User1: Read/Write, User2: Read | User1 Capabilities: File1: Read/Write, File2: Read |
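The matrix, ACL and capability-list slides above describe one data set viewed three ways. The following Python sketch is an added example, not part of the original slides: it stores the slide's matrix once, derives ACLs (columns) and capability lists (rows) from it, and shows which lists have to be edited for a revocation under each storage model. The function names are illustrative.

```python
# The access control matrix from the slides: user -> object -> set of rights.
# R = read, W = write, X = execute. Empty cells ("-") are simply absent.
MATRIX = {
    "User1": {"File1": {"R", "W"}, "File2": {"R"}, "Printer1": {"X"}},
    "User2": {"File1": {"R"}, "File2": {"R", "W"}, "File3": {"R", "W"},
              "Printer2": {"X"}},
    "User3": {"File3": {"R"}, "Printer1": {"X"}, "Printer2": {"X"}},
}

def capability_list(matrix, user):
    """Row view: everything one subject may do."""
    return {obj: set(rights) for obj, rights in matrix.get(user, {}).items()}

def acl(matrix, obj):
    """Column view: every subject that may use one object."""
    return {user: set(row[obj]) for user, row in matrix.items() if obj in row}

def is_allowed(matrix, user, obj, right):
    """Default deny: an unknown user, unknown object or empty cell grants nothing."""
    return right in matrix.get(user, {}).get(obj, set())

def acls_touched_by_revoking_user(matrix, user):
    """With per-object ACLs, removing a user means editing each of these ACLs."""
    return sorted(matrix.get(user, {}))

def clists_touched_by_retiring_object(matrix, obj):
    """With per-user C-lists, retiring an object means editing each of these lists."""
    return sorted(user for user, row in matrix.items() if obj in row)

if __name__ == "__main__":
    print("File1 ACL:", acl(MATRIX, "File1"))
    print("User1 C-list:", capability_list(MATRIX, "User1"))
    print("Revoking User2 touches ACLs of:",
          acls_touched_by_revoking_user(MATRIX, "User2"))
    print("Retiring Printer2 touches C-lists of:",
          clists_touched_by_retiring_object(MATRIX, "Printer2"))
```

The last two functions make the "Management" row of the comparison concrete: answering "who can reach this object?" is one lookup with ACLs, while "what can this user reach?" is one lookup with capability lists.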
Mandatory Access Control (MAC)
• Definition:
• Mandatory Access Control (MAC) is a type of access control model where the
system enforces policies that restrict access to resources based on predefined
rules and security labels. Unlike Discretionary Access Control (DAC), where
the resource owner decides access permissions, MAC is controlled by the
system and administrators, and users cannot change access policies.
• Key Features:
1. System-Controlled:
• Access decisions are enforced by the operating system or security policy.
• Users have no discretion over who can access their resources.
2. Security Labels:
• Resources and users are assigned security labels (e.g., classifications like Top Secret,
Secret, Confidential, Unclassified).
• Access is granted based on the matching of these labels and clearance levels.
3. Policy Enforcement:
• Policies are defined centrally by security administrators.
• Policies are consistently enforced across the system, reducing the risk of accidental or
intentional policy violations.
4. Non-discretionary:
• Users cannot modify access control settings for their resources.
• Access rights are strictly defined by the policy and not by individual user
preferences.
5. Example Systems:
• Military and government systems often use MAC to enforce strict security
protocols.
• Systems handling highly sensitive data (e.g., classified information) also
commonly employ MAC.
• Advantages:
• High Security:
• Provides robust protection against unauthorized access.
• Reduces the risk of data breaches by strictly enforcing access policies.
• Consistency:
• Ensures uniform application of security policies across the system.
• Minimizes the likelihood of inconsistent access control practices.
• Centralized Control:
• Administrators have centralized control over access policies.
• Facilitates easier enforcement of organization-wide security measures.
• Disadvantages:
• Inflexibility:
• Less flexible compared to DAC; users cannot grant or revoke access as
needed.
• May be cumbersome to manage in dynamic environments where access
needs frequently change.
• Complexity:
• Can be complex to implement and manage, requiring detailed planning and
policy definitions.
• May require more administrative overhead to maintain.
Example Scenario
• Classified Information System Example:
• In a military system, documents are classified with security labels such as Top
Secret, Secret, and Confidential.
• Users are assigned clearance levels corresponding to these classifications.
• A user with a Secret clearance cannot access Top Secret documents,
regardless of their ownership or intentions.
• The system automatically enforces these restrictions, and users cannot
override them.
Discretionary Access Control (DAC)
• Definition:
• Discretionary Access Control (DAC) is a type of access control model where
the owner of the resource (such as a file or directory) has the authority to
determine who can access the resource and what kind of access they are
allowed (read, write, execute). The owner can grant or revoke access
permissions to other users at their discretion.
• Key Features:
1. Owner Control:
• The owner (creator) of the resource has complete control over its access permissions.
• Owners can grant, modify, or revoke permissions for other users.
2. Flexibility:
• Offers flexibility to resource owners to decide on access policies based on their
discretion.
• Owners can share resources with specific users or groups.
3. User-Centric:
• Emphasizes user rights and permissions.
• Users can delegate access to others without needing administrative approval.
4. Access Permissions:
• Typically include read, write, and execute permissions.
• Can be applied to files, directories, databases, and other resources.
5. Examples:
• File Systems: In many operating systems (e.g., Windows, Unix/Linux), users
can set permissions on their files and directories.
• Database Management Systems: Database owners can grant specific users
permissions to read or modify data within the database.
• Advantages:
• Ease of Use:
• Simple to understand and implement for users and administrators.
• Users can easily manage their own resources.
• Flexibility:
• Allows dynamic adjustment of permissions as needed by resource owners.
• Enables quick sharing and collaboration.
• Disadvantages:
• Security Risks:
• Higher risk of unintentional or malicious sharing of resources.
• Users may grant inappropriate access, leading to potential data breaches.
• Lack of Centralized Control:
• Difficult for administrators to enforce organization-wide security policies.
• Can result in inconsistent access control practices across the organization.
Example Scenario
• File System Example:
• Alice creates a file named "project.docx".
• As the owner, Alice can:
• Set permissions to allow Bob to read the file.
• Allow Charlie to read and write the file.
• Deny access to any other users.
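The two example scenarios (the classified-document system for MAC and Alice's file for DAC) can be combined in one access check. The Python sketch below is an added example, not part of the original slides: it runs the system-enforced label check first and the owner-managed ACL second. The clearances assigned to Alice, Bob and Charlie, the file `plans.docx`, and the rule that the same label comparison applies to every right are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Ordered security labels from the slides; a higher number dominates a lower one.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass
class Document:
    name: str
    owner: str
    label: str                                # MAC: assigned by administrators
    acl: dict = field(default_factory=dict)   # DAC: user -> set of rights

    def grant(self, actor, user, rights):
        """DAC: only the owner may change who has access."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.acl[user] = set(rights)

def mac_permits(clearance, label):
    """Simplified MAC rule (assumption): clearance must be at least the label."""
    return LEVELS[clearance] >= LEVELS[label]

def check_access(user, clearances, doc, right):
    """The MAC check runs first; no owner or ACL entry can bypass it."""
    clearance = clearances.get(user, "Unclassified")
    if not mac_permits(clearance, doc.label):
        return False                          # denied even for the owner
    if user == doc.owner:
        return True                           # DAC: owner has full control
    return right in doc.acl.get(user, set())  # DAC: default deny

def build_scenario():
    """Constructed data: Alice's file from the DAC slide plus one Top Secret file."""
    clearances = {"Alice": "Secret", "Bob": "Confidential",
                  "Charlie": "Unclassified"}
    project = Document("project.docx", owner="Alice", label="Confidential")
    project.grant("Alice", "Bob", {"read"})
    project.grant("Alice", "Charlie", {"read", "write"})
    plans = Document("plans.docx", owner="Alice", label="Top Secret")
    return clearances, project, plans

if __name__ == "__main__":
    clearances, project, plans = build_scenario()
    for user in ("Alice", "Bob", "Charlie"):
        print(user, "read project.docx:",
              check_access(user, clearances, project, "read"))
    print("Alice read plans.docx:", check_access("Alice", clearances, plans, "read"))
```

Charlie holds a DAC grant but is refused because his clearance is below the file's label, and Alice is refused on the Top Secret file she owns, which is the "regardless of their ownership" rule from the MAC scenario.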
Role-Based Access Control (RBAC)
• Role-Based Access Control (RBAC) is a method of regulating access to
computer or network resources based on the roles of individual users
within an enterprise.
• It simplifies management and increases security by assigning
permissions to specific roles rather than to individual users. Here is an
overview of key concepts and benefits of RBAC:
• Key Concepts of RBAC:
1. Roles:
• Definition: A role represents a set of access permissions. Users are assigned
roles based on their job functions or responsibilities.
• Examples: Admin, Manager, Employee, Guest.
2. Permissions:
• Definition: Permissions are the approval to perform certain operations on
resources.
• Examples: Read, Write, Delete
3. Users:
• Definition: Users are individuals or entities that interact with the system.
• Assignment: Each user is assigned one or more roles that determine their permissions.
4. Sessions:
• Definition: Sessions represent the active state of a user interacting with the system. A session can
involve multiple roles, and a user can have multiple sessions.
• Management: Users can activate or deactivate roles within a session, depending on the needs of
their tasks.
5. Role Hierarchies:
• Definition: Role hierarchies allow roles to inherit permissions from other roles, establishing a
parent-child relationship.
• Benefit: This simplifies the management of permissions by allowing a more senior role to inherit all
permissions of junior roles.
• Example: A Manager role might inherit permissions from an Employee role.
• Benefits of RBAC:
1. Simplified Management:
• Efficiency: Assigning permissions to roles rather than individuals reduces the
complexity of access control administration.
• Scalability: Easier to manage as the number of users grows, especially in large
organizations.
2. Enhanced Security:
• Least Privilege: Users are granted the minimum necessary permissions to
perform their job functions, reducing the risk of unauthorized access.
• Consistency: Ensures uniform application of security policies across the
organization.
3. Compliance and Auditing:
• Regulatory Compliance: Helps organizations comply with legal and regulatory
requirements by providing clear and auditable permission structures.
• Audit Trails: Facilitates tracking and auditing of user activities based on their
roles.
4. Flexibility and Adaptability:
• Role Changes: Easily accommodates changes in job functions or
responsibilities by simply changing the roles assigned to users.
• Dynamic Access Control: Allows dynamic assignment of roles and
permissions based on evolving organizational needs.
• Implementing RBAC:
1. Identify Roles:
• Analyze job functions within the organization to define roles.
• Group similar job functions together to create a manageable number of roles.
2. Define Permissions:
• Determine the necessary permissions for each role.
• Ensure permissions align with the principle of least privilege.
3. Assign Roles to Users:
• Map users to appropriate roles based on their job functions and
responsibilities.
4. Establish Role Hierarchies (if needed):
• Create role hierarchies to simplify management and inheritance of
permissions.
5. Implement and Monitor:
• Use access control software or systems to enforce RBAC policies.
• Regularly review and update roles and permissions to reflect changes in the
organization.
Limitations of Role-Based Access Control (RBAC):
1. Complex Role Management:
• Role Explosion: In large organizations, the number of roles can become unwieldy, making it difficult
to manage effectively.
• Granularity: Roles may need to be very granular to cover all possible access scenarios, leading to a
large number of roles.
2. Static Nature:
• Inflexibility: RBAC is not well-suited for dynamic environments where access needs frequently
change.
• Context-Aware Limitations: It lacks the capability to make access decisions based on real-time
contextual information (e.g., time of day, location).
3. Initial Setup Complexity:
• Time-Consuming: Establishing a comprehensive RBAC system can be time-consuming and resource-
intensive, especially in organizations with diverse and complex access requirements.
• Expertise Required: Requires significant understanding and expertise to accurately define roles and
permissions.
4. Maintenance Overhead:
• Ongoing Updates: Regular updates and reviews are necessary to ensure that roles and permissions
remain aligned with current job functions and organizational policies.
• Role Creep: Over time, roles may accumulate unnecessary permissions, reducing the effectiveness of
the principle of least privilege.
5. User-to-Role Assignment Issues:
• Misalignment: Incorrectly assigning users to roles can lead to either excessive or insufficient access,
posing security risks or hindering productivity.
• Rigidity: Difficulty in handling scenarios where users require temporary or ad-hoc permissions outside
their usual roles.
6. Scalability Concerns:
• Large-Scale Organizations: In very large organizations, the sheer number of users and roles can strain
the system, leading to performance and management issues.
• Integration: Integrating RBAC with other systems and applications can be challenging, particularly
when dealing with legacy systems.
Access Control Matrix in RBAC

| Roles/Users | Resource A | Resource B | Resource C |
| --- | --- | --- | --- |
| Admin | Read, Write, Delete | Read, Write, Delete | Read, Write, Delete |
| Manager | Read, Write | Read, Write | Read |
| Employee | Read | Read | - |
| Guest | Read | - | - |
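The RBAC matrix above can be produced from a role hierarchy instead of being written out cell by cell. The Python sketch below is an added example, not part of the original slides: each role carries only its own direct grants, senior roles inherit from junior ones, and a session can use only the roles the user has activated. The inheritance chain Admin > Manager > Employee > Guest and the user names are assumptions (the slides only say a Manager might inherit from an Employee).

```python
# Direct grants only; every other cell of the slide's matrix comes from inheritance.
ROLE_GRANTS = {
    "Guest":    {("Resource A", "Read")},
    "Employee": {("Resource B", "Read")},
    "Manager":  {("Resource A", "Write"), ("Resource B", "Write"),
                 ("Resource C", "Read")},
    "Admin":    {("Resource A", "Delete"), ("Resource B", "Delete"),
                 ("Resource C", "Write"), ("Resource C", "Delete")},
}
# Senior role -> junior roles it inherits from (assumed chain).
INHERITS = {"Admin": ["Manager"], "Manager": ["Employee"], "Employee": ["Guest"]}
# Constructed user-to-role assignments.
USER_ROLES = {"maria": {"Manager"}, "sam": {"Employee", "Admin"},
              "visitor": {"Guest"}}

def effective_permissions(role, _seen=None):
    """Direct grants plus everything inherited from junior roles."""
    seen = set() if _seen is None else _seen
    if role in seen:              # guard against a cyclic hierarchy
        return set()
    seen.add(role)
    perms = set(ROLE_GRANTS.get(role, set()))
    for junior in INHERITS.get(role, []):
        perms |= effective_permissions(junior, seen)
    return perms

class Session:
    """A user's active state: only activated roles count toward a decision."""
    def __init__(self, user):
        self.user = user
        self.active = set()

    def activate(self, role):
        if role not in USER_ROLES.get(self.user, set()):
            raise PermissionError(f"{role} is not assigned to {self.user}")
        self.active.add(role)

    def deactivate(self, role):
        self.active.discard(role)

    def can(self, resource, action):
        return any((resource, action) in effective_permissions(r)
                   for r in self.active)

if __name__ == "__main__":
    for role in ("Admin", "Manager", "Employee", "Guest"):
        print(role, sorted(effective_permissions(role)))
    s = Session("sam")
    s.activate("Employee")
    print("sam as Employee, delete Resource C:", s.can("Resource C", "Delete"))
```

A user holding both Employee and Admin can work day to day with only Employee active, which is how sessions support least privilege.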
Attribute-Based Access Control (ABAC)
• Attribute-Based Access Control (ABAC) is a model for managing access
to resources based on attributes of the user, the resource, the
environment, and the action being requested.
• Attributes can include user roles, resource types, time of access, and
location, among others.
• ABAC offers a flexible and dynamic approach to access control,
allowing for fine-grained and context-aware decisions, making it
suitable for complex and changing environments.
• Feature:
• Dynamic Access Control: ABAC uses various attributes (e.g., user role,
resource type, time of access, location) to make real-time access
decisions. Policies are defined based on these attributes, allowing for
flexible and context-aware access management.
• Benefit:
• Granular and Flexible Access Control: ABAC allows for fine-grained
access control tailored to specific attributes and contexts, enhancing
security and adaptability. It can easily accommodate complex access
requirements and changes in organizational policies or user roles
without extensive reconfiguration.
• Drawbacks:
• Complex Policy Management: Defining and managing policies based
on multiple attributes can become complex, especially in large
organizations with diverse access needs. This complexity can lead to
challenges in policy design and enforcement.
• Performance Overhead: The need to evaluate multiple attributes and
policies in real-time can introduce performance overhead, potentially
impacting system efficiency and response times.
• Implementation Example:
• Healthcare System: In a healthcare system, ABAC can be used to
control access to patient records based on attributes such as the
user's role (e.g., doctor, nurse), the patient's consent level, the time of
day, and the sensitivity of the data. For example, a nurse may have
access to patient records during their shift but not outside working
hours, while doctors may access records based on their specialty and
the specific patient’s consent.
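The healthcare scenario above can be written as attribute rules evaluated at request time. The Python sketch below is an added example, not part of the original slides: it permits a request only if a rule matches the subject, resource, action and environment attributes, and denies by default, including when an attribute is missing. The attribute names, the consent levels (`full`, `treating_team`, `none`), the rule that nurses cannot read high-sensitivity records, and the sample people are assumptions.

```python
from datetime import time

def on_shift(now, start, end):
    """True inside [start, end); also handles shifts that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def nurse_rule(subject, resource, action, env):
    # Assumption: nurses get read-only access, and never to high-sensitivity data.
    return (subject["role"] == "nurse" and action == "read"
            and resource["sensitivity"] != "high"
            and on_shift(env["time"], *subject["shift"]))

def doctor_rule(subject, resource, action, env):
    if subject["role"] != "doctor" or subject["specialty"] != resource["department"]:
        return False
    consent = resource["consent"]   # constructed levels: full / treating_team / none
    if consent == "full":
        return True
    return consent == "treating_team" and subject["id"] in resource["treating_team"]

POLICIES = [("nurse-on-shift", nurse_rule),
            ("doctor-specialty-consent", doctor_rule)]

def decide(subject, resource, action, env):
    """Permit if any rule matches; a missing attribute never matches (fail closed)."""
    for name, rule in POLICIES:
        try:
            if rule(subject, resource, action, env):
                return ("permit", name)
        except (KeyError, TypeError):
            continue
    return ("deny", "default-deny")

# Constructed sample attributes.
RECORD = {"department": "cardiology", "sensitivity": "normal",
          "consent": "treating_team", "treating_team": {"dr-lee"}}
DAY_NURSE = {"id": "n-1", "role": "nurse", "shift": (time(7), time(15))}
NIGHT_NURSE = {"id": "n-2", "role": "nurse", "shift": (time(22), time(6))}
DR_LEE = {"id": "dr-lee", "role": "doctor", "specialty": "cardiology"}
DR_RAY = {"id": "dr-ray", "role": "doctor", "specialty": "cardiology"}

if __name__ == "__main__":
    print(decide(DAY_NURSE, RECORD, "read", {"time": time(10)}))
    print(decide(DAY_NURSE, RECORD, "read", {"time": time(20)}))
    print(decide(NIGHT_NURSE, RECORD, "read", {"time": time(2)}))
    print(decide(DR_RAY, RECORD, "read", {"time": time(10)}))
```

The same nurse and the same record give different answers at 10:00 and 20:00, which is the context-aware behaviour that a pure role check cannot express.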
Comparison Table: Attribute-Based Access Control (ABAC) vs. Role-Based Access Control (RBAC)

| Aspect | Attribute-Based Access Control (ABAC) | Role-Based Access Control (RBAC) |
| --- | --- | --- |
| Access Control Basis | Attributes of users, resources, and environment (e.g., role, location, time) | User roles and permissions assigned to those roles |
| Granularity | Fine-grained, context-aware | Coarser-grained (having a broader, less detailed level of control or distinction) |
| Flexibility | Highly flexible, can adapt to complex scenarios | Less flexible, more static |
| Policy Complexity | Can be complex due to multiple attributes | Simpler, based on predefined roles |
| Scalability | Scales well for dynamic environments | Scales well for static environments |
| Implementation | Requires detailed attribute management and policy definitions | Requires role definition and assignment |
| Performance | May have higher performance overhead due to attribute evaluation | Generally lower performance overhead |
| Example Use Case | Healthcare system with access based on role, time, patient consent | Corporate environment with access based on job titles (e.g., manager, staff) |
| Adaptability | Easily adapts to changes in policies, user attributes, and resource types | Changes require role redefinition and reassignment |
| Management Overhead | Higher, due to the complexity of attribute-based policies | Lower, due to simpler role-based policies |
Trust Framework
• A trust framework is a structured approach designed to ensure the
security, privacy, and integrity of interactions and transactions in a
digital environment.
• It typically encompasses policies, procedures, technologies, and
standards that organizations must adhere to in order to establish and
maintain trust among users, devices, systems, and networks. Below
are the key components and principles of a trust framework:
HISPS (Health Information Service Providers)
Principles of a Trust Framework
• Security by Design:
• Integrating security measures from the outset of system design and
development.
• User-Centric Approach:
• Focusing on the needs, rights, and expectations of the users, ensuring their
trust and confidence in the system.
• Continuous Improvement:
• Regularly updating and improving the framework to address emerging
threats, technological advancements, and changing regulatory requirements.
• Transparency:
• Being open about how data is handled, what security measures are in place,
and how incidents are managed.
• Collaboration:
• Working with other organizations, industry groups, and regulators to develop
and adhere to best practices and standards.
