Lecture 9 Flashcards
What is Access Control?
A security technique that regulates who or what can view or use resources in a computing environment.
What is a Reference Monitor?
A system component that establishes the validity of access requests and grants or denies access accordingly. Like a security guard.
Simple analogy for Access Control: Filing Cabinets
Documents are locked in filing cabinets, keys are given to authorized individuals.
Simple analogy for Access Control: Night Club
A bouncer with a guest list allows only authorized individuals to enter.
What are Subjects, Objects, and Access Rights?
- Subjects: Active entities like users, programs, or processes that request access to resources.
- Objects: Passive entities like files, databases, or devices that are being accessed.
- Access Rights: The types of permitted actions subjects can perform on objects — like read, write, execute, or delete.
What is an Inode in UNIX?
A file-based data structure that holds metadata about files.
UNIX File Permissions: rwx
r=read(4), w=write(2), x=execute(1).
How to change file owner in UNIX?
Use the command: sudo chown new_owner filename.
How to change permissions in UNIX?
Use the command: sudo chmod permission_value filename.
What is Discretionary Access Control (DAC)?
Access based on user identity; users can transfer their privileges to others.
What is an Access Control Matrix (ACM)?
Matrix describing rights of subjects over objects.
Disadvantage of ACM?
It is sparse and hard to manage with many users and files.
What is an Access Control List (ACL)?
A list focusing on objects, specifying which users have which access rights.
Simple analogy: A guest list per party (file) — who’s invited and what they’re allowed to do.
What is a Capability List?
A list focusing on subjects, detailing their access rights to various objects.
ACL vs Capability List analogy
ACL: Guest list at a club; Capability List: Set of keys for filing cabinets.
What is Role-Based Access Control (RBAC)?
Role-Based Access Control (RBAC) is an access control model where permissions are assigned to roles — and users are assigned to roles — instead of assigning permissions directly to users.
Key idea:
Access is based on a user’s role within the organization (like “Manager”, “Student”, “Accountant”), not their individual identity.
How it works:
* Define roles (e.g., Admin, Editor, Viewer).
* Assign specific permissions to each role (e.g., Admin can edit and delete, Viewer can only read).
* Assign users to roles based on their job function.
Benefits of RBAC?
Simplifies administration and expresses complex policies easily.
What is Attribute-Based Access Control (ABAC)?
Attribute-Based Access Control (ABAC) is an access control model where access decisions are based on attributes of the user (subject), the resource (object), and the environment — not just roles or identities.
🔹 Key idea:
Access is granted if rules based on attributes are satisfied.
Example: Allow access if the user’s department is ‘HR’ AND they are using a company device AND it’s during business hours.
Applications of ABAC?
Used for API security, application security, database security, and more.
What is Rule-Based Access Control (RuBAC)?
Rule-Based Access Control (RuBAC) is a model where access is determined by a set of predefined rules, not by user identity or attributes directly.
🔹 Key idea:
- If a request matches the rule, access is granted.
- If not, access is denied, even if the user has a high level of clearance.
A firewall rule:
“Allow traffic from IP addresses within the 192.168.x.x range.”
Database rule:
“Only allow read access to employees between 8 AM and 6 PM.”
What is Mandatory Access Control (MAC)?
Mandatory Access Control (MAC) is a security model that restricts access to resources based on the classification or sensitivity of the information and the user’s clearance level.
In MAC, access decisions are made according to predefined policies that assign attributes to both users and resources. These policies are typically based on:
* Security labels: Objects (like files, processes, or data) are labeled with security attributes, such as clearance levels (e.g., top-secret, confidential, public).
* Access control policies: The system defines rules on how these labels interact, specifying who can access what resources based on the user’s clearance and the resource’s classification.
What is Vertical Access Control?
Restricts access to sensitive functions based on user type (e.g., no admin rights for regular users).
What is Horizontal Access Control?
Restricts resource access to specific users.
What is Context-Dependent Access Control?
Restricts actions based on application or user state (e.g., can’t modify order after payment).