Access Control Models
Warning
This page is under construction. There is the possibility that the information below is false or incomplete.
Common Definitions
Comparing Permissions, Rights, and Privileges
In general, permissions refer to the access granted for an object and determine what you can do with it. If you have read permission for a file ...
A right primarily refers to the ability to take an action ...
Privileges are the combination of rights and permissions. For example, an ...
Authorization Mechanisms
A basic principle of access control is implicit deny and most authorization mechanisms use it.
An access control matrix is a table that includes subjects, objects, and assigned privileges.
Capability tables are another way to identify privileges assigned to subjects.
Content-dependent access controls restrict access to data based on the content within an object.
Context-dependent access controls require specific activity before granting users access.
This principle ensures that subjects are granted access only to what they need to know for their work tasks and job functions.
The principle of least privilege ensures that subjects are granted only the privileges they need to perform their work tasks and job functions.
System of checks and balances.
Discretionary Access Control
Info
SharePoint is an example of Discretionary Access Control (DAC).
Role-Based Access Control
Info
User groups are an example of Role-Based Access Control (RBAC). e.g. SharePoint Administrator, Administrator, user, etc.
Role-Based Access Control (RBAC) matrices, as a security architecture concept, area way of representing access control strategies visually. They help the practitioner ensure that the access control strategy aligns with the specific access control objectives. Matrices also help show when access controls may conflict with job roles and responsibilities.
When designing an RBAC matrix there are few questions to think about and objectives to achieve.
- Ensure individuals have access to necessary information for their job role
- Maintain the Fundamental Security Design Principle of least privilege
- Who should not have permission?
Access Control Matrix Examples
| Users | Job Role | Job Duties |
|---|---|---|
| Alice | Human Resources | Access and modify personnel records |
| Bob | IT Help Desk | Reset Passwords Unlock accounts |
| Craig | CEO | Makes business plans, policy, and strategy |
| Eve | Auditor | Review files, logs, and security practices |
| User | Customer Information | Employee Information | Backups | User Accounts | Intranet |
|---|---|---|---|---|---|
| Alice | None | View Modify Delete | None | None | View |
| Bob | None | None | Create | View Modify | View |
| Craig | View | None | None | None | Modify View |
| Eve | None | None | View | View | View |
Rule-Based Access Control
Info
Access Control Lists (ACLs) within firewalls are an example of Rule-Based Access Control.
Attribute Based Access Control
Info
Locking down remote access to a specific IP is an example of Attribute Based Access Control (ABAC). Usually, an if this "attribute" is true then grant access otherwise deny.
Mandatory Access Control
Info
Military classifications like, CONFIDENTIAL, SECRET, and TOP SECRET are examples of Mandatory Access Control (MAC).