Chapter 4
Access Control
4.1 - Access Control Principles
• In a broad sense, all of computer security is concerned with access control
• RFC 4949 defines computer security as:
“measures that implement and assure security services in a computer
system, particularly those that assure access control service”
Access Control Definitions 1/2
NISTIR 7298 defines access control as:
“the process of granting or denying specific requests to:
(1) obtain and use information and related information processing
services; and
(2) enter specific physical facilities”
Access Control Definitions 2/2
RFC 4949 defines access control as:
“a process by which use of system resources is regulated according
to a security policy and is permitted only by authorized entities
(users, programs, processes, or other systems) according to that
policy”
Figure 4.4 An Organization of the Access Control Function (Source: Based on [SAND94]). Subjects on the left issue requests, the access control mechanisms in the middle (the point of system intervention) mediate them, and the objects on the right receive them. Requests shown: Si: read F, passed as (Si, read, F) to the file system, which controls files; memory addressing hardware controls memory segments and pages; Sj: wakeup P, passed as (Sj, wakeup, P) to the process manager, which controls processes; the terminal and device manager controls terminals and devices; instruction decoding hardware controls instructions; Sk: grant a to Sn, X, passed as (Sk, grant, a, Sn, X), and Sm: delete b from Sp, Y, passed as (Sm, delete, b, Sp, Y), to the access matrix monitor, which reads and writes the access matrix itself.
Subjects, Objects, and Access Rights
• Subject: an entity capable of accessing objects. Three classes: owner, group, world.
• Object: a resource to which access is controlled; an entity used to contain and/or receive information.
• Access right: describes the way in which a subject may access an object. Could include: read, write, execute, delete, create, search.
Access Control Policies
An access control policy dictates what types of access are permitted, under what circumstances, and by whom. Access control policies are generally grouped into the following categories:
• Discretionary access control (DAC): access control based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
• Mandatory access control (MAC): access control based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access certain resources). This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.
• Role-based access control (RBAC): access control based on user roles (that is, a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions can be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role can apply to a single individual or to several individuals.
• Attribute-based access control (ABAC): access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access takes place.
4.2 - Discretionary Access Control (DAC)
• DAC enables the owner of a resource to specify which users can access specific resources; access is at the discretion of the owner.
• Often provided using an access matrix
• One dimension consists of identified subjects that may attempt data access to the resources
• The other dimension lists the objects that may be accessed
• Each entry in the matrix indicates the access rights of a particular subject for a particular object; an empty entry means no access (default deny)
(a) Access matrix (rows: subjects, columns: objects)

            File 1            File 2            File 3            File 4
  User A    Own, Read, Write  -                 Own, Read, Write  -
  User B    Read              Own, Read, Write  Write             Read
  User C    Read, Write       Read              -                 Own, Read, Write

(b) Access control lists for files of part (a) (one list per object, i.e. one column of the matrix)
  File 1: A (Own, R, W) -> B (R) -> C (R, W)
  File 2: B (Own, R, W) -> C (R)
  File 3: A (Own, R, W) -> B (W)
  File 4: B (R) -> C (Own, R, W)

(c) Capability lists for files of part (a) (one list per subject, i.e. one row of the matrix)
  User A: File 1 (Own, R, W) -> File 3 (Own, R, W)
  User B: File 1 (R) -> File 2 (Own, R, W) -> File 3 (W) -> File 4 (R)
  User C: File 1 (R, W) -> File 2 (R) -> File 4 (Own, R, W)

Figure 4.2 Example of Access Control Structures
Table 4.1 Authorization Table for Files in Figure 4.2

  Subject   Access Mode   Object
  A         Own           File 1
  A         Read          File 1
  A         Write         File 1
  A         Own           File 3
  A         Read          File 3
  A         Write         File 3
  B         Read          File 1
  B         Own           File 2
  B         Read          File 2
  B         Write         File 2
  B         Write         File 3
  B         Read          File 4
  C         Read          File 1
  C         Write         File 1
  C         Read          File 2
  C         Own           File 4
  C         Read          File 4
  C         Write         File 4
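The access matrix, the ACLs of Figure 4.2(b) and the capability lists of Figure 4.2(c) are one relation indexed three ways, and the "discretionary" part of DAC is that an owner may extend that relation. As an added example (not code from the textbook), the following Python builds the relation from the Table 4.1 triples, derives the per-object ACL (a column) and the per-subject capability list (a row), and enforces the rule that only an owner of an object may grant or revoke rights on it. The class and function names are the example's own.

```python
"""Access matrix, ACL and capability-list views of the Figure 4.2 / Table 4.1 data."""
from collections import defaultdict

# Authorization table of Table 4.1: (subject, access mode, object).
AUTHORIZATIONS = [
    ("A", "Own", "File 1"), ("A", "Read", "File 1"), ("A", "Write", "File 1"),
    ("A", "Own", "File 3"), ("A", "Read", "File 3"), ("A", "Write", "File 3"),
    ("B", "Read", "File 1"),
    ("B", "Own", "File 2"), ("B", "Read", "File 2"), ("B", "Write", "File 2"),
    ("B", "Write", "File 3"),
    ("B", "Read", "File 4"),
    ("C", "Read", "File 1"), ("C", "Write", "File 1"),
    ("C", "Read", "File 2"),
    ("C", "Own", "File 4"), ("C", "Read", "File 4"), ("C", "Write", "File 4"),
]


class AccessMatrix:
    """Sparse access matrix: (subject, object) -> set of access modes."""

    def __init__(self, triples):
        self.rights = defaultdict(set)
        for subject, mode, obj in triples:
            self.rights[(subject, obj)].add(mode)

    def allowed(self, subject, mode, obj):
        """Reference-monitor check: default deny when no entry exists."""
        return mode in self.rights.get((subject, obj), set())

    def acl(self, obj):
        """Column view (Figure 4.2b): who holds which rights on one object."""
        return {s: sorted(modes) for (s, o), modes in self.rights.items()
                if o == obj and modes}

    def capabilities(self, subject):
        """Row view (Figure 4.2c): what one subject may do to each object."""
        return {o: sorted(modes) for (s, o), modes in self.rights.items()
                if s == subject and modes}

    def grant(self, granter, subject, mode, obj):
        """Discretionary: an owner of obj may pass rights on to another subject."""
        if not self.allowed(granter, "Own", obj):
            raise PermissionError(f"{granter} does not own {obj}")
        self.rights[(subject, obj)].add(mode)

    def revoke(self, revoker, subject, mode, obj):
        """Only an owner may take rights away; revoking a missing right is a no-op."""
        if not self.allowed(revoker, "Own", obj):
            raise PermissionError(f"{revoker} does not own {obj}")
        self.rights[(subject, obj)].discard(mode)


def demo():
    """Walk through the Table 4.1 data; returns (before, after, leaked)."""
    m = AccessMatrix(AUTHORIZATIONS)
    before = m.allowed("B", "Read", "File 3")      # B may only write File 3
    m.grant("A", "B", "Read", "File 3")            # A owns File 3, so this is allowed
    after = m.allowed("B", "Read", "File 3")
    try:
        m.grant("B", "C", "Read", "File 3")        # B holds Read but is not an owner
        leaked = True
    except PermissionError:
        leaked = False
    return before, after, leaked


if __name__ == "__main__":
    matrix = AccessMatrix(AUTHORIZATIONS)
    print("ACL for File 1:", matrix.acl("File 1"))
    print("Capabilities of User C:", matrix.capabilities("C"))
    print("grant demo (before, after, leaked):", demo())
```

Note that the owner check in grant() is the whole difference between DAC and MAC: under MAC, no such method exists for subjects at all, because the labels are set by the system, not by the owner.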
UNIX File Access Control
⚫ Unique user identification number (user ID)
⚫ Member of a primary group identified by a group ID
⚫ Belongs to a specific group
⚫ 12 protection bits (nine read/write/execute bits plus SetUID, SetGID and the sticky bit)
⚫ Specify read, write, and execute permission for the owner of the file, members of the group and all other users
⚫ The owner ID, group ID, and protection bits are part of the file's inode

(a) Traditional UNIX approach (minimal access control list): owner class rw-, group class r--, other class ---, equivalent to the ACL entries user::rw-, group::r--, other::---.
(b) Extended access control list: owner class rw-, group class rw-, other class ---, with entries user::rw- and user:joe:rw-; a named-user entry such as user:joe is "masked" by the group-class bits, so the effective rights of joe can never exceed what the group class shows.
Traditional UNIX File Access Control
⚫ “Set user ID”(SetUID)
⚫ “Set group ID”(SetGID)
⚫ System temporarily uses rights of the file owner/group in addition to the real user’s rights
when making access control decisions
⚫ Enables privileged programs to access files/resources not generally accessible
⚫ Sticky bit
⚫ When applied to a directory it specifies that only the owner of a file in that directory (along with the directory's owner and the superuser) can rename, move, or delete that file, even though other users may have write permission on the directory
⚫ Superuser
⚫ Is exempt from usual access control restrictions
⚫ Has system-wide access
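The points a practitioner trips over in this scheme are that exactly one of the owner/group/other classes is consulted (an owner denied by the owner bits gets nothing from a permissive group class), that SetUID/SetGID change the effective identity used for later decisions, and that the sticky bit is a rule about the directory rather than the file. As an added example (not the textbook's code), the following Python models the traditional 12-bit decision using the constants of the standard `stat` module; the function names and the sample uids, gids and modes are constructed for illustration.

```python
"""Traditional UNIX protection bits: class selection, SetUID/SetGID and the sticky bit."""
import stat

# Which of the nine rwx bits belong to which class.
CLASS_BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def permission_class(file_uid, file_gid, uid, gids):
    """Exactly one class applies, tested in this order; there is no fall-through."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def unix_access(mode, file_uid, file_gid, uid, gids, want):
    """Traditional UNIX decision for want in {'r', 'w', 'x'} (no extended ACLs)."""
    if uid == 0:
        # The superuser is exempt from the protection bits. Linux, for instance,
        # keeps one exception: executing still needs some x bit on the file.
        return want != "x" or bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    cls = permission_class(file_uid, file_gid, uid, gids)
    return bool(mode & CLASS_BITS[cls][want])


def effective_ids_on_exec(mode, file_uid, file_gid, uid, gid):
    """SetUID/SetGID: the new process runs with the file owner's/group's effective id."""
    euid = file_uid if mode & stat.S_ISUID else uid
    egid = file_gid if mode & stat.S_ISGID else gid
    return euid, egid


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Removing or renaming an entry needs w and x on the directory. With the
    sticky bit set, only the file owner, the directory owner or root may do it
    (this is why a world-writable /tmp is mode 1777)."""
    if uid == 0:
        return True
    if not (unix_access(dir_mode, dir_uid, dir_gid, uid, gids, "w")
            and unix_access(dir_mode, dir_uid, dir_gid, uid, gids, "x")):
        return False
    if dir_mode & stat.S_ISVTX:
        return uid in (file_uid, dir_uid)
    return True


def mode_string(mode):
    """Render the 12 protection bits the way ls -l does (rwsr-xr-x, rwxrwxrwt, ...)."""
    out = []
    for cls, special, mark in (("owner", stat.S_ISUID, "s"),
                               ("group", stat.S_ISGID, "s"),
                               ("other", stat.S_ISVTX, "t")):
        for perm in "rwx":
            is_set = bool(mode & CLASS_BITS[cls][perm])
            if perm == "x" and mode & special:
                out.append(mark if is_set else mark.upper())  # 'S'/'T': special bit without x
            else:
                out.append(perm if is_set else "-")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a file owned by uid 1000 / gid 100 with mode 0640,
    # a setuid-root binary, and a sticky world-writable directory owned by root.
    print(mode_string(0o640), unix_access(0o640, 1000, 100, 1001, [100], "w"))
    print(mode_string(0o4755), effective_ids_on_exec(0o4755, 0, 0, 1000, 1000))
    print(mode_string(0o1777), can_unlink(0o1777, 0, 0, 1000, 1001, [1001]))
```

The owner-class trap shows up with a mode such as 0060: the owner cannot read the file even though every group member can, because the owner class was selected and its bits are all clear.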
4.3 - Mandatory Access Control (MAC)
• Access decisions are based on security clearance of subjects and
classification of objects.
• Each subject has a profile, which includes clearance.
• Each object has a security label which contains the classifications.
• Used in systems where security is critical, such as in the military.
Mandatory Access Control (MAC)
• Each object is given a sensitivity label, and is readable only by users whose clearance is at least that level (in lattice terms, whose clearance dominates the object's label); neither the subject nor the object's owner can change the labels.
• Common classification levels (highest to lowest): highly sensitive, sensitive, confidential, non-classified.
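A clearance check is "compare the labels", but real labels have two parts, a level and a set of need-to-know compartments, and the comparison differs for reading and for writing. As an added example (not from the textbook), the following Python implements the lattice dominance relation over the four levels named above plus compartments, and the two Bell-LaPadula rules that a MAC reference monitor enforces: no read up and no write down. The `Label` class, the compartment names and the sample objects are the example's own constructions.

```python
"""Mandatory access control with a security lattice: levels plus compartments."""
from dataclasses import dataclass, field

# Linear ordering of the classification levels named on the slide (low to high).
LEVELS = {"non-classified": 0, "confidential": 1, "sensitive": 2, "highly sensitive": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance, classification):
    """Simple security property: no read up."""
    return clearance.dominates(classification)


def can_write(clearance, classification):
    """*-property: no write down (stops a high subject copying data to a low object)."""
    return classification.dominates(clearance)


def decide(clearance, classification, mode):
    """Reference-monitor decision; neither the subject nor an owner can override it."""
    if mode == "read":
        return can_read(clearance, classification)
    if mode == "write":
        return can_write(clearance, classification)
    if mode == "read-write":
        return can_read(clearance, classification) and can_write(clearance, classification)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample subject and objects.
    analyst = Label("sensitive", frozenset({"finance"}))
    memo = Label("confidential")
    board_minutes = Label("highly sensitive", frozenset({"finance"}))
    hr_file = Label("confidential", frozenset({"hr"}))
    print("analyst reads memo:", decide(analyst, memo, "read"))                   # True
    print("analyst writes memo:", decide(analyst, memo, "write"))                 # False: write down
    print("analyst reads board minutes:", decide(analyst, board_minutes, "read"))  # False: read up
    print("analyst reads hr file:", decide(analyst, hr_file, "read"))             # False: no hr compartment
```

The hr_file case is the one worth noticing: the analyst's level is higher than the file's, yet access is denied in both directions, because labels with different compartments are incomparable in the lattice. Read-write access is only possible when the two labels are equal.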
4.4 - Role-based Access Control (RBAC)
• RBAC is based on the roles that users assume in a system
• RBAC typically defines a role as a job function within an organization
• RBAC assigns access rights to roles instead of individual users. Users are assigned
to different roles, either statically or dynamically, according to their responsibilities
Figure 4.6 Users, Roles, and Resources: users are mapped to roles (Role 1, Role 2, Role 3) and roles are mapped to resources; a user may hold several roles and a role may be held by several users.

Figure 4.7 Access Control Matrix Representation of RBAC: the rows are the roles R1, R2, ..., Rn; the columns are the objects, which include the roles themselves (R1, R2, Rn) as well as files (F1, ...), processes (P1, P2) and devices (D1, D2). Entries shown include control, owner, read, write, execute, wakeup, seek and stop (some marked with *). A role having "control" or "owner" over another role is how role administration is itself expressed in the matrix.
Figure 4.8 A Family of Role-Based Access Control Models.
(a) Relationship among RBAC models: RBAC0 is the base model; RBAC1 adds role hierarchies; RBAC2 adds constraints; RBAC3 is the consolidated model that combines both.
(b) RBAC models: users are linked to roles by user assignment (UA); roles are linked to permissions (operations on objects) by permission assignment (PA); the role hierarchy (RH) relates roles to one another; sessions connect a user (user_sessions) to the roles activated in that session (session_roles).
Scope of the RBAC models: RBAC0 base model, RBAC1 role hierarchies, RBAC2 constraints, RBAC3 consolidated model.

Example of Role Hierarchy
Figure 4.9 Example of Role Hierarchy (most senior role at the top; each role inherits the permissions of the roles below it):
  Director
    Project Lead 1                                   Project Lead 2
      Production Engineer 1, Quality Engineer 1        Production Engineer 2, Quality Engineer 2
        Engineer 1                                       Engineer 2
          Engineering Dept (the junior-most role, shared by both branches)
Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• A defined relationship among roles or a condition related to roles
• Types:
  • Mutually exclusive roles: a user can only be assigned to one role in the set (either during a session or statically); any permission (access right) can be granted to only one role in the set
  • Cardinality: setting a maximum number with respect to roles
  • Prerequisite roles: dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
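The three constraint types above interact with the role hierarchy in a way that is easy to get wrong: a mutual-exclusion check applied only to directly assigned roles can be bypassed by assigning a senior role that inherits both sides of the pair. As an added example (not the textbook's code), the following Python implements RBAC1 inheritance, RBAC2 constraints checked at assignment time over the hierarchy closure, and session activation of a subset of roles for the decision. The role names follow Figure 4.9; the permissions, users and constraint values are constructed for the example.

```python
"""RBAC with a role hierarchy, sessions and the three constraint types on the slide."""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.juniors = defaultdict(set)      # senior role -> roles it directly inherits from
        self.perms = defaultdict(set)        # role -> {(operation, object)}
        self.user_roles = defaultdict(set)   # user -> assigned roles (UA)
        self.exclusive = []                  # list of mutually exclusive role sets
        self.cardinality = {}                # role -> maximum number of users
        self.prerequisite = {}               # role -> role the user must already hold

    # ---- RBAC1: role hierarchy --------------------------------------------
    def inherits(self, senior, junior):
        self.juniors[senior].add(junior)

    def closure(self, role):
        """The role plus every role below it in the hierarchy (transitive)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def role_permissions(self, role):
        return set().union(*(self.perms[r] for r in self.closure(role)))

    # ---- RBAC2: constraints, checked statically at assignment time --------
    def assign(self, user, role):
        held = self.user_roles[user]
        # Mutually exclusive roles are checked over the hierarchy closure, so a
        # senior role that would inherit both sides of the pair is refused too.
        implied = set().union(*(self.closure(r) for r in held | {role}))
        for group in self.exclusive:
            if len(group & implied) > 1:
                raise ValueError(f"mutually exclusive roles {sorted(group & implied)}")
        if role in self.cardinality:
            holders = sum(role in roles for roles in self.user_roles.values())
            if holders >= self.cardinality[role]:
                raise ValueError(f"{role} already has its maximum of {holders} user(s)")
        if role in self.prerequisite and self.prerequisite[role] not in held:
            raise ValueError(f"{role} requires {self.prerequisite[role]} first")
        held.add(role)

    # ---- decision: only roles activated in the session count --------------
    def check(self, user, operation, obj, active_roles=None):
        roles = self.user_roles[user]
        if active_roles is not None:
            roles = roles & set(active_roles)   # a session activates a subset (least privilege)
        return any((operation, obj) in self.role_permissions(r) for r in roles)


def build_example():
    """Constructed instance using the Figure 4.9 role names; permissions are made up."""
    r = RBAC()
    chain = ["Director", "Project Lead 1", "Production Engineer 1", "Engineer 1", "Engineering Dept"]
    for senior, junior in zip(chain, chain[1:]):
        r.inherits(senior, junior)
    r.inherits("Quality Engineer 1", "Engineer 1")
    r.perms["Engineering Dept"].add(("read", "wiki"))
    r.perms["Engineer 1"].add(("write", "design-1"))
    r.perms["Production Engineer 1"].add(("release", "build-1"))
    r.perms["Quality Engineer 1"].add(("sign-off", "build-1"))
    r.perms["Director"].add(("approve", "budget"))
    # Separation of duty: nobody both releases and signs off the same build.
    r.exclusive.append({"Production Engineer 1", "Quality Engineer 1"})
    r.cardinality["Director"] = 1
    r.prerequisite["Project Lead 1"] = "Engineering Dept"
    return r


if __name__ == "__main__":
    rbac = build_example()
    rbac.assign("alice", "Engineering Dept")
    rbac.assign("alice", "Project Lead 1")
    print(rbac.check("alice", "release", "build-1"))                        # True, via the hierarchy
    print(rbac.check("alice", "release", "build-1", ["Engineering Dept"]))   # False: role not activated
```

In the constructed hierarchy Quality Engineer 1 is deliberately not placed under Project Lead 1; if it were, assign() would refuse Project Lead 1 to everyone, which is the correct outcome for a hierarchy that contradicts a separation-of-duty constraint.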
Case Study: RBAC System for a Bank
Table 4.4 Functions and Roles for Banking Example
Figure 4.14 Example of Access Control Administration: the Human Resources Department assigns user IDs to positions, i.e. roles (multiplicity shown as 1 : 1-4); Application Administration defines the functions of each application and the access rights they need (N : M); Authorization Administration maps roles to applications (N : M).
4.5 - Attribute-Based Access Control (ABAC)
• Can define authorizations that express conditions on properties of both the resource and the subject
• Strength is its flexibility and expressive power
• Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
• Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XACML)
• There is considerable interest in applying the model to cloud services
Attribute-Based Access Control (ABAC)
• Distinguishable because it controls access to objects by evaluating
rules against the attributes of entities, operations, and the
environment relevant to a request
• Relies upon the evaluation of attributes of the subject, attributes of
the object, and a formal relationship or access control rule defining
the allowable operations for subject-object attribute combinations in
a given environment
• Systems are capable of enforcing DAC, RBAC, and MAC concepts
• Allows an unlimited number of attributes to be combined to satisfy
any access control rule
ABAC Model: Attributes
• Object attributes: an object (or resource) is a passive information system-related entity containing or receiving information. Objects have attributes that can be leveraged to make access control decisions.
• Subject attributes: a subject is an active entity that causes information to flow among objects or changes the system state. Attributes define the identity and characteristics of the subject.
• Environment attributes: describe the operational, technical, and even situational environment or context in which the information access occurs. These attributes have so far been largely ignored in most access control policies.
ABAC Attributes Examples
Figure 4.10 Simple ABAC Scenario: (1) the subject requests access to an object; the access control mechanism consults (2a) the access control policy rules, (2b) the subject attributes (name, affiliation, clearance, etc.), (2c) the object attributes (type, owner, classification, etc.) and (2d) the environmental conditions; (3) it then enforces the decision.
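The scenario of Figure 4.10 is a rule set evaluated over three attribute bags, and the claim that ABAC subsumes DAC, RBAC and MAC becomes concrete once ownership, roles and clearance are just attributes that rules may mention. As an added example (not from the textbook), the following Python evaluates a small rule set over subject, object and environment attributes; the rules, the attribute names, the subjects and the objects are constructed for the example, and the first-match-permits / otherwise-deny combining strategy is a simplification of what a policy language such as XACML offers.

```python
"""ABAC decision: rules evaluated over subject, object and environment attributes."""
from datetime import time

# Same ordering as the MAC slide, so a clearance can be compared with a classification.
CLEARANCE_RANK = {"non-classified": 0, "confidential": 1, "sensitive": 2, "highly sensitive": 3}

# Each rule is (name, predicate over (subject, action, object, environment)).
# The first rule whose predicate holds permits; if none holds the request is denied.
RULES = [
    # DAC-style: ownership is just an object attribute compared with a subject attribute.
    ("owner-any-action",
     lambda s, a, o, e: o["owner"] == s["name"]),
    # MAC-style: the clearance attribute must dominate the classification attribute.
    ("read-if-cleared",
     lambda s, a, o, e: a == "read"
     and CLEARANCE_RANK[s["clearance"]] >= CLEARANCE_RANK[o["classification"]]),
    # RBAC-style plus environment: auditors read finance records, but only from the
    # corporate network and only during business hours.
    ("auditor-finance-business-hours",
     lambda s, a, o, e: "auditor" in s["roles"] and a == "read" and o["type"] == "finance"
     and e["on_corp_network"] and time(8, 0) <= e["time"] < time(18, 0)),
]


def decide(subject, action, obj, env):
    """Return ('permit', rule_name) for the first matching rule, else ('deny', None)."""
    for name, predicate in RULES:
        if predicate(subject, action, obj, env):
            return "permit", name
    return "deny", None


def sample_scenario():
    """Constructed subjects, objects and environments; returns the decisions in order."""
    alice = {"name": "alice", "affiliation": "finance", "roles": [], "clearance": "confidential"}
    bob = {"name": "bob", "affiliation": "audit", "roles": ["auditor"], "clearance": "non-classified"}
    ledger = {"type": "finance", "owner": "alice", "classification": "sensitive"}
    office_hours = {"on_corp_network": True, "time": time(10, 0)}
    late_night = {"on_corp_network": True, "time": time(22, 0)}
    return [
        decide(alice, "write", ledger, office_hours),   # owner: permitted whatever the hour
        decide(bob, "read", ledger, office_hours),      # auditor in hours: permitted
        decide(bob, "read", ledger, late_night),        # same subject and object, wrong context
        decide(bob, "write", ledger, office_hours),     # no rule grants auditors write
    ]


if __name__ == "__main__":
    for outcome in sample_scenario():
        print(outcome)
```

The third decision is the point of the environment attributes: nothing about bob or the ledger changed between the second and third request, only the context, and a policy that ignores context cannot express that difference.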
Summary
• Access control principles: access control context; access control policies
• Subjects, objects, and access rights
• Discretionary access control: access control model; protection domains
• UNIX file access control: traditional UNIX file access control; access control lists in UNIX
• Role-based access control: RBAC reference models; bank RBAC system
• Attribute-based access control: attributes; ABAC logical architecture; ABAC policies
• Identity, credential, and access management: identity management; credential management; access management; identity federation
• Trust frameworks: traditional identity exchange approach; open identity trust framework