4.6.3 Access Controls
MAC, DAC, RBAC, ABAC.
Access controls are the security mechanisms and policies that determine which users, devices, or processes are authorized to interact with specific resources or perform actions within a network.
Mandatory Access Control (MAC) - Centralized authority defines access based on security clearances and data labels (e.g., Secret, Top Secret). - Security Labels are attached to every object (files, systems) and subject (users, processes). - Non-discretionary nature ensures that data owners cannot change permissions for others; only an administrator or a central policy engine can. - Trigger words: High-security environments, military-grade, lattice-based, labels, clearances.
Discretionary Access Control (DAC) - Resource ownership allows the creator or owner of a file to determine who has access and what permissions they hold. - Access Control Lists (ACLs) are frequently used to manage these permissions on a per-user or per-group basis. - Inherent risk exists because users can inadvertently grant excessive permissions or share sensitive data with unauthorized parties. - Trigger words: Owner-defined, NTFS permissions, flexibility, most common in home/small business.
Role-Based Access Control (RBAC) - Predefined roles serve as the basis for permissions rather than the identity of a specific individual user. - Job functions dictate access; for example, a "Manager" role has different rights than a "Clerk" role. - Simplified management occurs because when an employee changes departments, an administrator only needs to switch their assigned role. - Trigger words: Job functions, groups, hierarchy, organizational structure.
Attribute-Based Access Control (ABAC) - Dynamic evaluation uses a combination of several factors: subject attributes (job title), object attributes (file type), and environmental attributes (time, location). - Policy-based logic allows for complex rules, such as "Grant access to HR data only if the user is in the HR building during business hours." - Context-aware nature makes it the most flexible and sophisticated model for modern cloud and remote environments. - Trigger words: Attributes, "if/then" logic, environmental factors, multidimensional.
Rule-Based Access Control - System-enforced restrictions apply to all users regardless of their role or ownership status. - Operational parameters often include time-of-day restrictions or geographic location (geofencing). - Trigger words: Firewalls, time-of-day, location-based, proximity.
Quick recall - MAC: Strict labels and clearances; owner cannot change permissions. - DAC: Owner has full control over the resource's permissions. - RBAC: Access granted based on job title or department. - ABAC: Complex logic based on "who, what, where, and when." - HMAC: Uses a symmetric key with a hashing algorithm to provide both integrity and authenticity.