Access Control

Access control can be a policy, a software, or a hardware device which is used to allow or deny
access to a resource. Access control can be by using devices like biometric device, switches,
routers, Remote Access Service (RAS), virtual private networks (VPNs), etc. Access control can
also be implemented on File System level like Microsoft's New Technology File System
(NTFS), GNU/Linux's ext2/ext3/ext4 etc. The following are the three main concepts of Access
Control.

• Discretionary access control (DAC)

• Mandatory access control (MAC)

• Role-based access control (RBAC)

Discretionary Access Control (DAC)

 

Discretionary Access Control (DAC) allows authorized users to change the access control
attributes of objects, thereby specifying whether other users have access to the object. A simple
form of Discretionary Access Control (DAC) might be file passwords, where access to a file
requires the knowledge of a password created by the file owner. In Linux, the file permission is
the general form of Discretionary Access Control (DAC).

Discretionary Access Control (DAC) is the setting of permissions on files, folders, and shared
resources. The owner of the object (normally the user who created the object) in most operating
system (OS) environments applies discretionary access controls. This ownership may be
transferred or controlled by root/administrator accounts. Discretionary Access Control (DAC) is
controlled by the owner or root/administrator of the Operating System, rather than being hard
coded into the system.

The Discretionary Access Control (DAC) mechanisms have a basic weakness, and that is they
fail to recognize a fundamental difference between human users and computer programs.

Mandatory Access Control (MAC)

 

Mandatory Access Control (MAC) is another type of access control which is hard-coded into
Operating System, normally at kernel level. Mandatory Access Control (MAC) can be applied to
any object or a running process within an operating system, and Mandatory Access Control
(MAC) allows a high level of control over the objects and processes. Mandatory Access Control
(MAC) can be applied to each object, and can control access by processes, applications, and
 users to the object. Mandatory Access Control (MAC) cannot be modified by the owner of the
object.

Mandatory Access Control (MAC) mechanism constrains the ability of a subject (users or
processes) to access or perform some sort of operation on an object (files, directories, TCP/UDP
ports etc). Subjects and objects each have a set of security attributes. Whenever a subject
attempts to access an object, an authorization rule enforced by the operating system kernel
examines these security attributes and decides whether the access can take place.

Under Mandatory Access Control (MAC), the super user (root) controls all interactions of
software on the system.

Role-based Access Control (RBAC)

 

Role-based Access Control (RBAC) is another method of controlling user access to file system
objects. In Role-based Access Control (RBAC), the system administrator establishes Roles based
on functional requirements or similar criteria. These Roles have different types and levels of
access to objects. The easy way to describe Role-based Access Control (RBAC) is user group
concept in Windows and GNU/Linux Operating Systems. A role definition should be defined
and created for each job in an organization, and access controls are based on that role.

In contrast to DAC or MAC systems, where users have access to objects based on their own and
the object's permissions, users in an Role-based Access Control (RBAC) system must be
members of the appropriate group, or Role, before they can interact with files, directories,
devices, etc.