SB 14: Access Control Flashcards
What is an access control list?
A pairing of a subject and its rights, the pairing determines how a subject can access objects. Each subject and object has an associated ACL.
- object accessed by pairing (subject, right(s)).
What is a capability based access control matrix?
A set of pairs containing an object and its rights. A subject is associated with a pair. Encapsulates objects identity.
- subject accessed by pairing (object, right(s))
What is the difference between and access control list and capabilities?
ACLs are mapped over subjects whilst capabilities are mapped over objects.
Given the subject, what objects can it access and how? Capabilities can answer that question easily. Just list the elements of the subjects associated C-list.
Given an object, what subjects can access is it and how? ACL can answer it easily, just list the elements of the objects associated access control list.
What does one have to be aware of when creating and maintaining access control lists?
- Which subject can modify an objects ACL
- Does the ACL apply to privileged users?
- Does it support groups or wildcards?
- How are contradictory permissions handled?
- Does the ACL permission modify default settings or are they only in use when the subject is not explicitly mentioned in the ACL?
These are critical to the correct use of ACLs on a system.
What is an attribute based access control?
Has a complex boolean rule set that can evaluate many different attributes. A subject is assigned attributes. When a subject requests access, the ABAC can make a decision based on the assigned attributes of the requester.
It is not as closely tied to the identity of the subject and it can support multi-factor decisions.
How do you deal with the revocation of rights in capability based access control systems?
Requires that all capabilities granting access to that object be revoked.
How do you deal with the revocation of rights in an access control list?
If ownership control the giving of rights then the rights a subject has are deleted from the ACL. Else it is a more complex process.
