Lecture 2 Access Control (Part 2)

This document discusses access control models and mechanisms. It covers access control matrix, discretionary access control, mandatory access control, role-based access control, access control lists, and RBAC models including RBAC0, RBAC1, RBAC2, and RBAC3. It also discusses how access control must be coupled with authentication and auditing and explains concepts like least privilege, separation of duties, and data abstraction.

Uploaded by kwaheed

Access Control Models and Mechanisms

Access Control Matrix

Access Control Models
• Discretionary Access Control
• Mandatory Access Control
• Role-based Access Control
Access Control: grants or revokes the right to access some data, or to perform
some action.

• Authentication first, then access control.
• Access control relies on and coexists with other security services:

Reference monitor: mediates every attempted access by a subject to objects in the
system; to be trusted it must be always invoked, tamper-proof, and small enough to verify.
Authorizations database: the administrator sets authorizations on the basis of the
security policy of the organization; the reference monitor consults it for each decision.
Auditing: monitors and keeps a record of relevant activity in the system.
Access control must be coupled with authentication.
• Access control assumes that the user's identity has already been successfully
authenticated before enforcement begins; an access decision is only as trustworthy
as the authentication it rests on.

Access control must be coupled with auditing.

Audit controls analyze all the requests and activities of users in the system:
• log all user requests and activities for later analysis;
• analyze users' behavior in using the system to find attempted or actual violations;
• reveal possible flaws in the security system;
• ensure that authorized users do not misuse their privileges (authorization alone
cannot prevent misuse by a legitimately authorized user).
Access Control Matrix

Objects: resources to be protected, represented by data stored in objects (e.g., files).
Subjects: users, or programs executing on behalf of users.
Permissions (access rights): depend on the object in question.
• Files: Read, Write, Execute and Own.
• Bank account: Inquiry, Credit and Debit.

The matrix has one row per subject and one column per object; cell (s, o) holds the
rights subject s has on object o. In a large system the access matrix is enormous in
size, and most of its cells are empty, so it is stored sparsely, by column or by row.
Access Control Models
• Discretionary access control model
• Mandatory access control model
• Role-based access control model

Discretionary Access Control Model

Governs the access of users to information on the basis of the user's identity and
of rules that specify, for each user (or group of users) and each object in the
system, the access modes (e.g., read, write, or execute) the user is allowed on the
object. The policy is "discretionary" because the owner of an object grants or
revokes access at their own discretion. Two ways of storing the matrix:
• Access Control List
• Capability list
Access Control Lists (ACLs)

Each object is associated with an ACL listing the subjects allowed to access it and
their rights. This approach corresponds to storing the matrix by columns.

• Convenient access review with respect to an object. Easy to revoke all access to an
object by replacing the existing ACL with an empty one.
• Determining all the accesses that a subject has is difficult: every object's ACL
must be searched.
• If all accesses of a subject need to be revoked (e.g., the user leaves), all ACLs
must be visited one by one.
Capability list

Each subject is associated with a list indicating, for each object in the system, the
access modes the subject is allowed on it. This approach corresponds to storing the
access matrix by rows.

• Easy to review all accesses that a subject is authorized to perform, and to revoke
them all by emptying the subject's list.
• Determining all subjects who can access a particular object requires examination of
every subject's capability list.
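The cost asymmetry described in the ACL and capability-list slides is easy to see once the same sparse matrix is stored both ways. The following is an added example, not code from the lecture: two stores that hold the same constructed matrix (files with R/W/X/Own, a bank account with Inquiry/Credit/Debit), each counting how many lists an operation had to open. Subject and object names are made up for the illustration.

```python
"""An access control matrix stored two ways: by column (an ACL per object)
and by row (a capability list per subject). Added example for these slides,
not code from the lecture; subjects, objects and rights are constructed."""


class ACLStore:
    """Column storage: object -> {subject: rights}."""

    def __init__(self):
        self.acl = {}
        self.visits = 0          # lists opened by the last operation (cost proxy)

    def grant(self, subject, obj, *rights):
        self.acl.setdefault(obj, {}).setdefault(subject, set()).update(rights)

    def check(self, subject, obj, right):
        self.visits = 1          # only the object's own ACL is consulted
        return right in self.acl.get(obj, {}).get(subject, set())

    def review_object(self, obj):
        self.visits = 1
        return {s: set(r) for s, r in self.acl.get(obj, {}).items()}

    def revoke_object(self, obj):
        self.visits = 1
        self.acl[obj] = {}       # replace the ACL with an empty one

    def review_subject(self, subject):
        self.visits = len(self.acl)   # every object's ACL must be opened
        return {o: set(e[subject]) for o, e in self.acl.items() if subject in e}

    def revoke_subject(self, subject):
        self.visits = len(self.acl)   # ... and visited one by one
        for entries in self.acl.values():
            entries.pop(subject, None)


class CapStore:
    """Row storage: subject -> {object: rights}; the costs are mirrored."""

    def __init__(self):
        self.caps = {}
        self.visits = 0

    def grant(self, subject, obj, *rights):
        self.caps.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def check(self, subject, obj, right):
        self.visits = 1
        return right in self.caps.get(subject, {}).get(obj, set())

    def review_subject(self, subject):
        self.visits = 1
        return {o: set(r) for o, r in self.caps.get(subject, {}).items()}

    def revoke_subject(self, subject):
        self.visits = 1
        self.caps[subject] = {}  # replace the capability list with an empty one

    def review_object(self, obj):
        self.visits = len(self.caps)  # every subject's list must be examined
        return {s: set(e[obj]) for s, e in self.caps.items() if obj in e}

    def revoke_object(self, obj):
        self.visits = len(self.caps)
        for entries in self.caps.values():
            entries.pop(obj, None)


# constructed matrix: file rights R/W/X/Own, bank-account rights Inquiry/Credit/Debit
GRANTS = [
    ("alice", "payroll.xlsx", "R", "W", "Own"),
    ("bob", "payroll.xlsx", "R"),
    ("bob", "backup.sh", "R", "X"),
    ("carol", "acct-1001", "Inquiry", "Credit", "Debit"),
    ("bob", "acct-1001", "Inquiry"),
]


def build(store_cls):
    store = store_cls()
    for subject, obj, *rights in GRANTS:
        store.grant(subject, obj, *rights)
    return store


def compare():
    """Run the same reviews and revocations against both layouts and report
    (ACL visits, capability-list visits) for each operation."""
    acl, cap = build(ACLStore), build(CapStore)
    report = {}
    acl.review_object("payroll.xlsx"); cap.review_object("payroll.xlsx")
    report["review_object"] = (acl.visits, cap.visits)
    acl.review_subject("bob"); cap.review_subject("bob")
    report["review_subject"] = (acl.visits, cap.visits)
    acl.revoke_subject("bob"); cap.revoke_subject("bob")   # bob leaves the organization
    report["revoke_subject"] = (acl.visits, cap.visits)
    report["bob_after"] = (acl.check("bob", "backup.sh", "X"),
                           cap.check("bob", "backup.sh", "X"))
    return report
```

With three objects and three subjects, `compare()` reports (1, 3) for the object review and (3, 1) for the subject review and the subject revocation: each layout is cheap for exactly the question the other finds expensive, which is why the "employee leaves" case on the later ACL slide is painful for ACL-only systems.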
Access Control List and Capability list
• The flexibility of discretionary policies makes them suitable for a variety of systems
and applications.

Problem:
• Discretionary policies do not provide real assurance on the flow of information in a
system. It is easy to bypass the access restrictions stated through the authorizations:
a subject authorized to read an object can copy its contents into a new object it owns
and grant that copy to subjects the original policy denied, and a Trojan horse program
running with the reader's rights can do so without the reader's knowledge.
Mandatory Access Control Model

Governs access on the basis of the classification of subjects and objects in the system.
⚫ Each user and each object in the system is assigned a security level.
⚫ The security level associated with an object reflects the sensitivity of the information
contained in the object; the level of a user reflects the user's clearance.
⚫ Levels are assigned by the system according to the organization's policy, not at the
discretion of object owners.

In the military and civilian government areas, the security levels consist of Top Secret
(TS), Secret (S), Confidential (C), and Unclassified (U), where TS > S > C > U.

Mandatory Access Control Principles

λ signifies the security label of the indicated user, λ(s), or object, λ(o).

• Simple-Security Property ("no read up"): user s can read object o only if

λ(s) >= λ(o)

• *-Property ("no write down"): user s can write object o only if

λ(s) <= λ(o)

Together the two properties ensure that information can flow only upward in the
ordering Top Secret (TS) > Secret (S) > Confidential (C) > Unclassified (U), never
from a higher level to a lower one.
Due to integrity concerns, many mandatory access control systems do not allow write-up
(a Secret subject could otherwise overwrite Top Secret data it is not able to read) and
instead limit writing to objects at the same level as the subject.
How does the matrix look after MAC is applied?

(Worked example from the slide; the matrix itself did not survive extraction.)
Subjects: Bob (S) and John (U). Objects: Object1 (C) and Object2 (S). Cells of the
DAC matrix hold R and W rights; the question is which of them MAC still allows.
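The two properties above, and the no-write-up variant, can be applied mechanically to the slide's labels. The following is an added example, not code from the lecture: it encodes the TS > S > C > U ordering, implements the simple-security and *-properties, and filters a constructed DAC matrix (every Bob/John and Object1/Object2 pair granted R and W, which is an assumption made so that the effect of MAC alone is visible) through MAC with write-up allowed and then with write-up forbidden.

```python
"""Bell-LaPadula style mandatory access control over the lecture's
TS > S > C > U ordering, applied on top of a DAC matrix. Added example, not
code from the lecture; the DAC grants for Bob and John are constructed."""

LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}   # strictly ordered: TS > S > C > U


def simple_security(subject_level, object_level):
    """Read allowed only if lambda(s) >= lambda(o)  (no read up)."""
    return LEVEL[subject_level] >= LEVEL[object_level]


def star_property(subject_level, object_level, write_up=True):
    """Write allowed only if lambda(s) <= lambda(o)  (no write down).
    With write_up=False the integrity-motivated variant from the slide applies:
    writes are limited to objects at the subject's own level."""
    if write_up:
        return LEVEL[subject_level] <= LEVEL[object_level]
    return LEVEL[subject_level] == LEVEL[object_level]


def mac_decision(subject_level, object_level, right, write_up=True):
    if right == "R":
        return simple_security(subject_level, object_level)
    if right == "W":
        return star_property(subject_level, object_level, write_up)
    raise ValueError(f"unknown right {right!r}")


# labels from the slide
LABELS = {"Bob": "S", "John": "U", "Object1": "C", "Object2": "S"}
# constructed DAC matrix (assumption): every pair is granted both R and W
DAC = {(s, o): {"R", "W"} for s in ("Bob", "John") for o in ("Object1", "Object2")}


def apply_mac(dac, labels, write_up=True):
    """Keep only the DAC rights that the MAC policy also permits; MAC never
    adds a right that DAC did not grant."""
    return {
        (s, o): {r for r in rights if mac_decision(labels[s], labels[o], r, write_up)}
        for (s, o), rights in dac.items()
    }


def show(write_up=True):
    result = apply_mac(DAC, LABELS, write_up)
    for (s, o), rights in sorted(result.items()):
        print(f"{s}({LABELS[s]}) -> {o}({LABELS[o]}): {''.join(sorted(rights)) or '-'}")
    return result


if __name__ == "__main__":
    print("strict Bell-LaPadula (write-up allowed):")
    show(True)
    print("no write-up variant:")
    show(False)
```

Under the strict rules Bob (S) keeps R on Object1 (C) but loses W (S > C would be a write-down), and John (U) loses R on both objects but keeps W on both (write-up). With write-up forbidden John is left with nothing: an Unclassified subject can neither read nor modify Confidential or Secret data, which is the integrity outcome the slide motivates.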
Access Control List

• When removing a user from an organization, the security manager must examine
each access control list.
• When users enter, leave, or change responsibilities within an organization,
updating the privileges of each user is time consuming and error-prone.
How do we manage 1000 employees and make sure their privilege assignments are not
causing security problems?
Role Based Access Control (RBAC)
• Access decisions are based on the roles that individual users have. Users
take on assigned roles (such as doctor, nurse, teller, manager); permissions are
attached to roles, and users obtain them by being assigned to roles rather than
being granted permissions individually.
• Roles should be defined by the responsibilities and qualifications they represent.
Example: the role of doctor can include privileges to perform diagnosis,
prescribe medication, and order laboratory tests.
RBAC Models

Base model - RBAC0
⚫ Users
⚫ Roles
⚫ Permissions
⚫ Sessions: users establish sessions during which they may activate a subset
of the roles they belong to. Each session maps one user to possibly many
roles. The privileges available to the user are the union of the privileges of all
roles activated in that session.
⚫ User assignment (UA) relation: which users hold which roles.
⚫ Permission assignment (PA) relation: which permissions each role holds.
RBAC1
Role hierarchy:
⚫ A natural way of organizing roles to reflect authority, responsibility, and
competency.
⚫ A role hierarchy defines roles that have unique attributes and that may
contain other roles.
⚫ One role (the senior) implicitly includes the operations that are associated with
another role (the junior) below it in the hierarchy.
⚫ Matches the natural structure of an enterprise.
RBAC2
RBAC2 adds constraints on the relationships between or among roles.
(1) Mutually exclusive roles: the same user can be assigned to at most one
role in a mutually exclusive set.
Example: purchase manager and accounts payable manager.

(2) Cardinality: a maximum number of members in a role.

(3) Prerequisite roles: a user can be assigned role B only if the user is already
a member of role A.

User assignment constraint: a user can hold at most a fixed maximum number of roles.
RBAC3

RBAC3 provides both role hierarchies and constraints.

Role-based policy

The use of roles to control access can be an effective means for developing and
enforcing enterprise-specific security policies.
Example: a teller and an accounting supervisor in a bank.
• Teller: read/write access to records.
• Supervisor: performs corrections (also needs read/write access).
Rule #1: the supervisor cannot initiate deposits or withdrawals, but can only
perform corrections after the fact.
Rule #2: the teller can only initiate deposits or withdrawals, but cannot
perform corrections once the transaction has been completed.
Both roles need read/write on the same records, so file-level rights cannot express
the two rules; role-level permissions such as "initiate" and "correct" can.
Supporting three well-known security principles
Least privilege:
▪ A user can be given no more privilege than is necessary to perform the job.
This concept of least privilege requires identifying the user's job functions,
determining the minimum set of privileges required to perform those functions,
and restricting the user to a domain with those privileges and nothing more.
Sessions support this: a user holding several roles activates only the ones the
current task needs.

Separation of duties: mutually exclusive roles
Static separation of duty: two mutually exclusive roles (or permissions) must never be
assigned to the same user simultaneously (enforced at assignment time).
Dynamic separation of duty: two mutually exclusive roles (or permissions) may both be
assigned to a user but must never be activated by that user in the same session
(enforced at activation time).

Data abstraction:
▪ Permissions can be defined at a higher level of abstraction, rather than as
read/write/execute on the underlying storage.
Example: permissions can be defined as credit and debit on an account object.
Advantages of RBAC
Simplified systems administration: the costs associated with administering
access are lower than those of maintaining per-user ACL entries.
⚫ The greater the number of people changing roles, the greater the cost savings
of RBAC relative to other access control systems.

Some organizations are very dynamic, and user roles and privileges change
quickly. In these changing environments, RBAC is more efficient at moving
users in and out of given roles and at changing the privileges of given roles than
competing access control systems: a job change is one update to the user-role
assignment, not an edit to every ACL.

Enhanced systems security and integrity: because privileges are assigned to
roles rather than directly to individual users, it is less likely that the security
administrator makes an error or inadvertently grants a user access to information
or applications that should be prohibited.
RBAC in Commercial Database Management Systems