





































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Access Control
Typology: Lecture notes
1 / 45
This page cannot be seen from the preview
Don't miss anything!






































Authentication function
Authentication
Auditing
Figure 4.1 Relationship Among Access Control and Other Security Functions
System resources
Authorization database
Security administrator
User
Access control
Access control function
Access Control Policies
o Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
o Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
o Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
o Controls access based on comparing security labels with security clearances
Discretionary Access Control
(DAC)
Own Read Write
Read Write
Own Read Write
Read
Read
Write Read
Own Read Write
Own Read Write
User A
SUBJECTS User B
OBJECTS
User C
File 1 File 2
(a) Access matrix
File 3 File 4
Mode
Table
control (^) wakeup seek
owner
controlowner ownerread wakeup owner
execute
write stop
owner
control
control
read *
write *
seek *
S 1
SUBJECTS S 2
OBJECTS subjects files processes disk drives
S 3
S 1 S 2
Figure 4.3 Extended Access Control Matrix
S 3 F 1 F 2 P 1 P 2 D 1 D 2
Protection Domains
protection domains
domain
rights of the user
static or dynamic
from use and certain instructions may not be executed
and protected areas of memory may be accessed
UNIX
Unique user identification number (user ID)
Member of a primary group identified by a group ID
Belongs to a specific group
12 protection bits
Specify read, write, and execute permission for the owner of the file, members of the group and all other users
The owner ID, group ID, and protection bits are part of the file’s inode
(a) Traditional UNIX approach (minimal access control list)
Owner classGroup classOther class
user: :rw- group::r-- other::---
masked
Owner classGroup classOther class
user: :rw- user:joe:rw-
Traditional UNIX
File Access Control
Figure 4.5 UNIX File Access Control
(b) Extended access control list
masked entries
Owner classGroup classOther class
user: :rw-
user:joe:rw-
group::r--
mask::rw-
other::---
Role 1
Users Roles
Figure 4.6 Users, Roles, and Resources
Resources
Role 2
Role 3