1. Discretionary Access Control (DAC)
- Controls access based on the identity of the requestor and on access rules (authorizations) stating what each requestor is allowed to do.
- Discretionary: an entity that holds access rights to a resource may be allowed to pass those rights on, enabling another entity to access the resource.
2. Mandatory Access Control (MAC)
- Controls access by comparing the security labels attached to resources with the security clearances held by subjects.
- Mandatory: an entity that has the right to access a resource cannot, of its own accord, enable another entity to access that resource.
3. Role Based Access Control (RBAC)
- Controls access based on the roles that users have within the system and on rules stating which accesses are allowed to users in given roles.
4. Attribute Based Access Control (ABAC)
- Controls access based on attributes of the user, attributes of the resource to be accessed, and the current environmental conditions.
Implementation of DAC
There are two ways to implement DAC, both obtained by decomposing the access control matrix: Access Control Lists and Capability Tickets.
Access Control Lists
- Decomposing the matrix by columns (one list per object) yields ACLs.
- ACLs are convenient when it is desired to determine which subjects have which access rights to a particular resource; revoking everyone's access to a resource is a single edit of that resource's list.
Capability Tickets
- Decomposing the matrix by rows (one ticket per subject) yields CTs.
- Good for determining the set of access rights that a given user has for all resources; the converse question (who can access a given resource?) requires scanning every subject's ticket.
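Worked example, added here and not part of the original notes: a small DAC access control matrix decomposed by columns into ACLs and by rows into capability tickets, plus the "owner may grant" rule from the DAC definition above. The subjects, objects and rights are constructed sample data, and the use of an "own" right as the thing that authorizes granting is this example's own convention.

```python
from copy import deepcopy

# Constructed sample access control matrix: rows = subjects, columns = objects,
# each cell = the set of rights that subject holds on that object.
MATRIX = {
    "alice": {"payroll.db": {"own", "read", "write"}, "report.txt": {"read"}},
    "bob":   {"payroll.db": set(),                    "report.txt": {"own", "read", "write"}},
    "carol": {"payroll.db": {"read"},                 "report.txt": {"read"}},
}

def to_acls(matrix):
    """Decompose by columns: one ACL per object, mapping subject -> rights (empty cells dropped)."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def to_capabilities(matrix):
    """Decompose by rows: one capability list per subject, mapping object -> rights."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}

def who_can(acls, obj, right):
    """The ACL question: which subjects hold `right` on `obj`? One lookup in that object's list."""
    return {s for s, rights in acls.get(obj, {}).items() if right in rights}

def what_can(caps, subject):
    """The capability question: every (object, rights) pair `subject` holds. One lookup."""
    return {o: set(r) for o, r in caps.get(subject, {}).items()}

def who_can_via_caps(caps, obj, right):
    """The ACL question asked of capability lists: every subject's list must be scanned,
    which is why revoking all access to one object is costly in a capability system."""
    return {s for s, objs in caps.items() if right in objs.get(obj, set())}

def can_grant(matrix, grantor, obj):
    """Example convention: only a subject holding 'own' on obj may pass rights on it to others."""
    return "own" in matrix.get(grantor, {}).get(obj, set())

def grant(matrix, grantor, grantee, obj, right):
    """DAC in action: the owner adds a right to another subject's cell.
    Returns a new matrix; the input is left untouched."""
    if not can_grant(matrix, grantor, obj):
        raise PermissionError(f"{grantor} does not own {obj} and cannot grant {right}")
    new = deepcopy(matrix)
    new.setdefault(grantee, {}).setdefault(obj, set()).add(right)
    return new
```

Both decompositions answer every query correctly; they differ only in which query is a single lookup and which is a full scan, so the choice is driven by whether the system more often asks "who can touch this object" (audit, revocation) or "what can this subject do" (delegation, distributed checks).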
UNIX File Access Control
Each file carries permission bits for three classes; a mode of rw-r----- (octal 640) reads as:
- owner class / user: rw-
- group class / group: r--
- other class / other: ---
Only one class applies to a given requestor: the owner bits if the requestor owns the file, otherwise the group bits if the requestor is in the file's group, otherwise the other bits.
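Worked example, added here and not from the original notes: a checker that applies a UNIX mode string to a requestor by picking exactly one of the three classes. The file, uids, gids and user names are constructed sample data; the helper names are this example's own.

```python
# Constructed sample: one file owned by uid 1000 / gid 100 with mode rw-r-----,
# and three users with made-up uids and group memberships.
FILE = {"mode": "rw-r-----", "owner_uid": 1000, "owner_gid": 100}
USERS = {"alice": (1000, {100}), "bob": (1001, {100}), "carol": (1002, {200})}

def parse_mode(mode):
    """'rw-r-----' -> {'user': {'r','w'}, 'group': {'r'}, 'other': set()}"""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError(f"expected a 9-character rwx mode, got {mode!r}")
    classes = ("user", "group", "other")
    return {cls: {c for c in mode[3 * i:3 * i + 3] if c != "-"} for i, cls in enumerate(classes)}

def mode_to_octal(mode):
    """'rw-r-----' -> '640', the chmod form of the same three classes."""
    bits = {"r": 4, "w": 2, "x": 1}
    return "".join(str(sum(bits[c] for c in mode[3 * i:3 * i + 3] if c != "-")) for i in range(3))

def access_class(uid, gids, owner_uid, owner_gid):
    """Exactly one class applies, chosen in order: owner, then group, then other.
    The check stops at the first match; it never falls through to a more permissive class."""
    if uid == owner_uid:
        return "user"
    if owner_gid in gids:
        return "group"
    return "other"

def unix_allows(mode, owner_uid, owner_gid, uid, gids, right):
    """right is one of 'r', 'w', 'x'; returns True if the applicable class grants it."""
    return right in parse_mode(mode)[access_class(uid, gids, owner_uid, owner_gid)]

def can(user, right, f=FILE):
    """Convenience wrapper over the constructed sample data."""
    uid, gids = USERS[user]
    return unix_allows(f["mode"], f["owner_uid"], f["owner_gid"], uid, gids, right)
```

The edge case worth remembering is that the owner class is not a superset of the others: a file with mode ---rw---- is unreadable by its owner even though the owner is also in the group, because the owner bits are the only ones consulted for the owner. (On a real system the superuser bypasses these DAC checks, which this example does not model.)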
DAC vs RBAC
- Since subjects can have multiple roles, RBAC is more flexible and more powerful than DAC.
- DAC's access control matrix: ROW - Subjects, Column - Objects (each cell holds the set of access rules for that subject/object pair).
- RBAC's access control matrix is split in two: 1. ROW - Subjects, Column - Roles (checked first: which roles does the subject hold?) / 2. ROW - Roles, Column - Objects (the set of access rules for each role).
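Worked example, added here and not from the original notes: the two RBAC matrices above as Python dicts, with a check that walks subject -> roles -> objects, and a flattening back into the equivalent DAC-style subject x object matrix so the two models can be compared directly. Users, roles, objects and rights are constructed sample data.

```python
from copy import deepcopy

# Matrix 1: rows = subjects, columns = roles (which roles each subject holds).
SUBJECT_ROLES = {
    "alice": {"manager", "employee"},   # one subject, several roles
    "bob":   {"employee"},
    "carol": {"auditor"},
}

# Matrix 2: rows = roles, columns = objects (the access rules for each role).
ROLE_PERMS = {
    "employee": {"report.txt": {"read"}},
    "manager":  {"report.txt": {"read", "write"}, "payroll.db": {"read", "write"}},
    "auditor":  {"payroll.db": {"read"}, "report.txt": {"read"}},
}

def rbac_allows(subject, obj, right, subject_roles=SUBJECT_ROLES, role_perms=ROLE_PERMS):
    """Step 1: look up the subject's roles in matrix 1.
    Step 2: allow if any of those roles has a rule in matrix 2 granting (obj, right)."""
    return any(right in role_perms.get(role, {}).get(obj, set())
               for role in subject_roles.get(subject, set()))

def effective_matrix(subject_roles=SUBJECT_ROLES, role_perms=ROLE_PERMS):
    """Compose the two matrices into the DAC-style subject x object matrix they imply.
    Useful for review: it shows what each user can actually do once roles are resolved."""
    matrix = {}
    for subject, roles in subject_roles.items():
        row = matrix.setdefault(subject, {})
        for role in roles:
            for obj, rights in role_perms.get(role, {}).items():
                row.setdefault(obj, set()).update(rights)
    return matrix

def revoke_role(subject_roles, subject, role):
    """One edit in matrix 1 removes every right that role carried for the subject.
    Under DAC the same change would mean editing that subject's cell for every object."""
    new = deepcopy(subject_roles)
    new.get(subject, set()).discard(role)
    return new
```

The flexibility claimed above shows up in revoke_role: demoting alice from manager is a single change to matrix 1, and effective_matrix immediately reflects the loss of payroll.db access without any per-object edits.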