Authorization Flashcards
process of giving someone permission to do or have something
Authorization
Mediating access to resources based on identity and is generally policy-driven. Another term for Authorization.
Access Control
Encourages system designers and implementers to allow running code only the permissions needed to complete the required tasks and no more.
Principle of Least Privilege
A common mistake is to perform an authorization check by cutting and pasting an authorization code snippet into every page containing sensitive information.
Centralized Authorization Routines
Some applications check to see if a user can undertake a particular action, but then do not check if access to all resources required to complete the requested action is allowed.
Controlling Access to Protected Resources
Ability to connect to a system or service
Network access
Access to operating system functionality
Host Access
Locations that are housing information assets
Physical Access
Operations evaluated as having an elevated risk. Examples: Financial transactions, changes to system configuration, or security administration
Restricted Functions
Based on the identity and need-to-know of subjects and/or the groups to which they belong. A subject with certain access permissions is capable of passing on that access, directly or indirectly, to other subjects.
Discretionary access control
Based on the sensitivity of the information contained in the objects / resources and a formal authorization. They restrain subjects from setting security attributes on an object and from passing on their access.
Mandatory access control
A newer paradigm based on properties of an information exchange that may include identified attributes of the requesting entity, the resource requested, or the context of the exchange or the requested action.
Attribute-based access control
Based on the roles played by users and groups in organizational functions.
Role-based access controls
