Chapter 4 - Access Control

Question 1

What is Access Control?

Answer 1

Prevention of unauthorized use of a resource

Question 2

What are the 3 basic elements of access control?

Answer 2

1. Subject: Entity accessing an object (user)
2. Object: Resource being accessed (file, DB)
3. Access Right: The way a subject can access an object (read, write, execute)

Question 3

What are the three main Access Control Policies?

Answer 3

1. Discretionary Access Control (DAC): Owners control access to their resources
2. Mandatory Access Control (MAC): Access is based on security classifications (Top Secret)
3. Role-based Access Control (RBAC): Access is granted based on user’s role.

Question 4

What is an Access Matrix in DAC?

Answer 4

A grid where

Columns represent objects
Rows represent subjects
Each cells defines the access rights of the subject to an object

Question 5

What are Access Control Lists (ACLs)

Answer 5

List of subjects that an object can be accessed by

Question 6

What are capability lists?

Answer 6

List of objects that a subject can access

Question 7

What is an inode in Unix

Answer 7

A control structure containing file attributes, permissions and other metadata

Question 8

What are the 12 protection bits in Unix files

Answer 8

9 bits: Read, write, execute, permissions for owner, group and others

3 special bits:
Set UserID
Set GroupID
Sticky Bit (restricts file deletion to file owner)

Question 9

Role of superuser (root) in Unix

Answer 9

Exempt from usual access restrictions

Has system-wide access

Can install software and manage users

Question 10

What is an Access Control List (ACL) in Unix

Answer 10

a modern feature allowing fine-grained permissions by assigning access to multiple users or groups for a file

Question 11

What is Mandatory Access Control (MAC)?

Answer 11

Access is determined by system-enforced security labels and classifications, often used in military settings

Question 12

What are Security Labels in MAC?

Answer 12

Labels indicating the sensitivity level of resources

Question 13

What is a “Need-to-Know” Principle in MAC?

Answer 13

Access is limited to users who require it for their duties, even if they have the proper security clearance

Question 14

How does MAC enforce classifications?

Answer 14

Classification: Sensitivity of the object
Clearance: User authorization level of subject
Dominance Rule: Access is allowed if the subject’s clearance dominates the object’s classification

Question 15

Role-Based Access Control (RBAC)

Answer 15

Access is granted based on roels assigned to users, rather than individual identities

Question 16

What are the four entities in RBAC?

Answer 16

1. User
2. Role
3. Permission
4. Session

Question 17

What are constraints in RBAC

Answer 17

1. Mutually Exclusive Roles (only user can assume one role from a set)
2. Cardinality: Limits on the number of users per role
3. Prerequisite Roles: Users must have a specific role before assuming another

Question 18

What is RBAC1?

Answer 18

It adds role hierarchies to the basic RBAC model, where roles inherit permissions from subordinate roles.

Question 19

What is RBAC2?

Answer 19

Adds constraints, such as mutually exclusiv eroles, to refine access control policies.