Access controls Flashcards
Types of access controls:
- Discretionary access controls
A case in which the owner of a file determines all the permissions in regard to that file.
Owner has full control.
- Mandatory access controls
Owner has virtually no control over the permissions in regard to the file they own.
All policies are predefined.
Only the root/admin user can modify these policies.
Mandatory access controls are prevalent on Linux systems.
- Role based access controls
Fairly similar to mandatory access in that the permissions are outside the control of the owner, and all policies are predefined by the root/admin user.
Policies are dictated based on individual’s or groups of individuals’ needs and roles in regard to every particular file (or file group).
(network grouping ^)
Ensures heightened network security.
Those four describers Ermin told us about:
- Subject
whomever or whatever is accessing the object or enacting the operation - Operation
The action that is being taken by the subject (things like “copy”, “delete”, issuing a command of any kind, etc). - Object
The piece of data, particular process, application, etc. that the subject is interacting w/ - Reference Monitor
The reference monitor is a process put in place to ensure the proper authorization of users in regard to particular objects (those objects being sets of data, a system, a device, etc)
Reference Monitor in detail:
a system administrator puts in place a set of particular access restrictions, and because these restrictions need to exist somewhere as data, you have an ‘authorization database’.
This authorization database contains user authentication credentials, the permissions of individual users and user groups, etc.
In order for a user to access the data held w/in a network, they first must prove that they have the authorization to do so (i.e. they have to sign in).
They do this by completing an authentication process in which they input their credentials to be automatically cross-examined w/ the credentials within the authorization database.
(important note: when the user attempts to sign in, an authentication function is enacted in order to ensure that the data received is exactly as it was sent)
If their username and password (or other form of user identification) matches a username and password stored on the authorization database, then they are allowed access.
(another important note: user credentials are checked via an ‘access control function’).
Once the user has access to the system/network/device, they may still be restricted from accessing 100% of the data held w/in that system/network/device.
When a user requests access to a piece of data, or process, or application, the authorization database will check whether or not they have the necessary permissions to access that particular ‘object’.