Access Control Models – CompTIA Security+ SY0-501 – 4.3

There are many different way to assign user rights and permissions to files, folders, and other objects. In this video, you’ll learn about some of the most popular access control models.

<< Previous Video: Federated Identities Next: Access Control Technologies >>

The access that a user has to a particular resource starts with authorization. This is the process of ensuring that only authorized rights are exercised by a user. That’s the policy enforcement. And then there needs to be some method of determining what those rights are. That’s the policy definition.

In most environments, there needs to be some type of rights that a user will obtain using an access control model. And different organizations have different access control models, depending on what their overall goals are for this access control.

One type of access control is the Mandatory Access Control, or MAC. This means that the operating system is going to provide the limits on how much access someone will have to a particular object. And these are usually based on certain clearance levels. Every object that someone may need to access needs to be assigned a label. It’s either confidential, or secret, or top secret, or some other type of label.

The users then are provided with certain rights. Certain users can access confidential objects. Other users may be able to access top secret objects. And it’s the administrator that determines what specific access role a particular user has. The users can generally not change any of these access roles under a mandatory access control model.

Discretionary access control, or DAC, is an access control model that most people will probably be familiar with because it’s used in most operating systems that we use today. For example, if you create a spreadsheet, you as the owner get to determine who else in your environment has access and what type of access they have to that spreadsheet. And you as the owner of that spreadsheet can modify that access at any time.

This makes for a very flexible access control model because you, as the owner of that file, can determine exactly who has the type of access. And you can make these changes whenever you’d like. But it’s also a very weak form of access control security because it relies on the owner of the file to be setting the proper security for that particular object.

Role-based access control, or RBAC, is a much broader form of control that’s based on your particular role in the organization. You might be a director or a team lead or a manager, and the type of access you have to an object is going to depend on that role.

With role-based access control, the administrator determines what type of access a user has. But this is also an implicit type of right. For example, if the administer provides access to the managers, and the directors happened to be in the manager group, then the directors will also gain those rights.

You’ll commonly see role-based access control used in operating systems such as Windows by using Windows Groups. For example, if you’re in shipping and receiving, then you as part of that shipping and receiving group can use the shipping software. If you’re a manager in the shipping and receiving department, you can not only use the shipping software, but you may also be able to review the shipping logs.

Attribute-based access control, or ABAC, allows us to create very complex relationships between the applications we’re using and the data that is used by those applications. You can use many different types of criteria to determine exactly what type of access a person might have.

You’ll often see ABAC referred to as the next generation of authorization because of all the complex context that’s associated with this authorization model. For example, ABAC authorization may consider your IP address, the time of day, your geographical location, and many other criteria to determine exactly what type of access you have.

Rule-based access control is a very broad term that describes how a set of rules will be followed to determine what type of access someone will gain. A set of rules are created by a system administrator. And then those rules are examined to determine exactly what type of access a user might have.

We often see rule-based access control used in firewalls. You may be able to set up rules that allow what type of access someone might have to a particular network, during a particular time of the day. Or you may set up an access control rule that looks through a series of rules that says that only Chrome-based browsers may be able to access or fill out a particular web form.

Most operating systems provide a level of security at the file system. That means as you store files on a hard drive, an SSD, a flash drive, or other types of media, the operating system itself can assign security to each one of those individual files.

Most operating systems will keep an access control list. There may be a list of groups or users that are assigned rights and permissions to particular files. And all of this can be centrally administered or each individual file could be managed by the file owner. Many file systems can also include the ability to encrypt and decrypt the data, adding an additional layer of security in the file system itself.

If your organization has a database server, then the databases themselves have their own type of access control, usually based around usernames, passwords, and a set of permissions for that database. Most database applications also include the ability to encrypt data. You can either encrypt the entire database or individual fields within the database itself.

Many databases also include an option for data integrity. This prevents any data from being lost due to a problem with the server or the underlying hardware architecture.

And the last line of defense for database security is a well-written application. A well-written application will prevent SQL injection attacks and other types of attacks to the data itself.