DEPARTMENT OF

COMPUTER SCIENCE & ENGINEERING

OPERATING SYSTEMS LABORATORY

(22PC0CS11)

LAB PROJECT

TOPIC : ACCESS CONTROL SYSTEM

SUBMITTED BY:
V PRASHANTH
23WJ1A05N5
CSE-4

SUBMITTED TO:
Ms . A . VISHALAKSHI
INTRODUCTION

The operating system is an integral part of computer systems. Existing in

various versions and interface types, it allows users to interact with hardware
and software resources effectively, performing essential functions such as
managing memory, controlling input and output devices, scheduling tasks,
and providing a platform for running applications.

With the increasing reliance on digital systems for storing sensitive

information and conducting transactions, it is critical to ensure this integral
part remains secured to ensure the confidentiality, integrity, and availability
of data and resources.

SIGNIFICANCE OF ACCESS CONTROL

The goal of access control is to regulate access and permissions in an

operating system. Effective access control prevents unauthorized access, data
breaches, and malicious activities, ensuring the security, integrity, and privacy
of data and resources.

User authentication, authorization, file system security, access control lists

(ACLs), and device control are some of the scopes of access control in
operating systems.

OBJECTIVE :

The objective of operating system access control is to manage and restrict

access to system resources, ensuring that only authorized users and
processes can perform permitted actions. This helps maintain data
confidentiality, integrity, and overall system security by enforcing defined
permission policies.
TYPES OF ACCESS CONTROL
To regulate access to resources in operating systems, there are several types of
access control, each depending on the creator or administrator of files and
resources within the operating system.
They are:
1.Discretionary Access Control (DAC)
2.Mandatory Access Control (MAC)
3.Role-Based Access Control (RBAC)
4. Attribute-Based Access Control (ABAC)

1.Discretionary Access Control (DAC)

According to Katlyn Gallo (Built In), Discretionary Access Control (DAC) is a
method that allows users to control access permissions to their own resources.
The owners of files or data can decide who can access them and what level of
access they have (read, write, execute).
DAC is a user-enforced access control model, typically implemented using
Access Control Lists (ACLs). These lists define which users or groups can perform
specific actions on a resource.
How DAC Works:
1. A user creates a resource (e.g., file or folder) and becomes its owner.
2. The owner sets permissions using an ACL, specifying which users or groups
can access the resource and at what level.
3. When another user requests access, the DAC system checks their identity
against the ACL.
4. If the user matches an entry in the ACL, access is granted based on the
defined permissions.
5. If there is no match, access is denied.

Example:
In Windows and Linux systems, when a user creates a file, they can define
whether others can read, write, or execute it—showcasing DAC in action.
DAC is flexible and user-friendly but can be less secure in environments where
strict control is necessary, as users can unintentionally or maliciously grant
access to unauthorized individuals.

2.Mandatory Access Control (MAC)

According to the National Institute for Standards and Technology (NIST),

Mandatory Access Control (MAC) is a strict access control policy uniformly
enforced across all subjects (users, processes) and objects (files, resources)
within an information system.
In MAC, the system enforces access rules, not the users. This means that
even if a user has access to information, they must follow strict constraints,
such as:
• Not disclosing information to unauthorized parties
• Not transferring access privileges to others
• Not altering security labels or attributes of subjects or objects
• Not modifying access control rules or assigning permissions to new
objects
However, some subjects may be given special privileges by the organization,
allowing them limited exceptions to these restrictions.
MAC is commonly used in environments requiring high security, such as
military or government systems, where data confidentiality and control are
critical.

3. Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) manages access by assigning permissions

to roles rather than individual users. In this model, users are assigned to
specific roles, and each role has a set of predefined permissions.

How RBAC Works:

• Roles are created based on job functions (e.g., Manager, Employee,
Auditor).
• Each role has fixed permissions that define what actions can be
performed.
• When a user (e.g., Alice) is assigned the role of Manager, she
automatically inherits the role’s permissions, such as approving loans.
• These permissions remain static and do not change dynamically based on
the user's behavior.

Benefits of RBAC:
• Simplified administration: Permissions are managed at the role level, not
individually for each user.
• Improved security: Reduces the risk of privilege escalation, where users
accumulate more access rights than needed.
• Easier updates: When a user’s responsibilities change, simply changing
their role updates their access accordingly.
RBAC is widely used in organizations to enforce the principle of least
privilege, ensuring users only have access necessary to perform their duties.

4. Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is a dynamic access control model

that grants or denies access based on attributes related to the user, the
resource, the environment, and the action.

How ABAC Works:

• Access decisions are made by evaluating policies that consider multiple
attributes, such as:
o User attributes: Role, department, clearance level
o Resource attributes: File type, classification, owner
o Environmental attributes: Time of access, location, device used
o Action attributes: Read, write, delete, etc.
• For example, a policy might allow access only if the user is from the HR
department, accessing during work hours, and using a secure device.

Benefits of ABAC:
• Fine-grained control: Offers more flexibility than RBAC or DAC.
• Context-aware access: Decisions adapt to changing conditions, improving
security.
• Scalability: Ideal for complex systems with many users, resources, and
dynamic conditions.
 ABAC is commonly used in cloud services, enterprise systems, and
applications requiring context-sensitive security and flexible policy
enforcement.

ACCESS CONTROL MECHANISMS

1.AUTHENTICATION
This is the process of verifying the identity of a user, system, or application. It
involves matching a user's claimed identity—asserted through a credential (e.g.,
an ID card or unique ID number)—against one or more authentication factors.
These factors can be something the user knows (like a password or PIN),
something the user has (like a physical card or a token device), or something the
user is (like a fingerprint or iris scan). Authentication can be done in-person (e.g.,
at a physical bank branch or government office) or remotely (e.g., via a mobile
or web service).
2. AUTHORIZATION
This is the process that follows authentication, which determines the actions
and resources a user is allowed to access within a system. It involves checking
the user's permissions against an access control policy. There are several types
of authorization mechanisms, including permission-based and role-based.
Permission based authorization grants specific permissions to individual users,
while role-based authorization assigns permissions based on the user's role
within the organization.
3. ACCESS CONTROL LIST (ACL)
An ACL is a list of permissions associated with a system resource. It specifies
which users or system processes are granted access to resources, as well as what
operations are allowed on given resources. Each entry in a typical ACL specifies
a subject and an operation. For example, if a file object has an ACL that contains
(Alice: read, write; Bob: read), this would give Alice permission to read and write
the file and give Bob permission only to read it.
4. CAPABILITY-BASED ACCESS CONTROL
This model ties access to keys, rather than a centralized control system. It
decentralizes the large ACL attack vector and creates a more secure Identity and
Access Management (IAM) system. A capability can be thought of as a pair (x, r)
where x is the name of an object and r is a set of privileges or rights. With each
subject, we can store that subject's capabilities. And the subject presents to the
guard a capability to get access to an object. Note that a capability is completely
transferable; it does not matter who presents the capability. Each of these
mechanisms plays a crucial role in securing systems and data by ensuring that
only authorized users have access to the resources they need. They form the
backbone of any robust security strategy.

A C C ES S C O N T R O L S Y S T E M C O D E I N C
#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#define MAX_USERS 20

#define MAX_GROUPS 10

#define MAX_FILES 50

#define MAX_LOGS 100

typedef struct { char username[20]; char groups[MAX_GROUPS][20]; int group_count;

} User;

typedef struct {

char name[50]; // includes path, e.g., "/home/report.txt"

char owner[20]; char group[20];

char permissions[10]; // e.g., "rw-r--r--"

int is_directory; // 1 = directory, 0 = file

} File;

typedef struct { char username[20]; char filename[50];

char operation[10]; char result[20]; // "Granted" or "Denied"

} AccessLog;

// Global arrays

User users[MAX_USERS]; int user_count = 0; File files[MAX_FILES]; int file_count = 0;

AccessLog logs[MAX_LOGS];

int log_count = 0;

// --- Function Declarations ---

void add_user();
void add_user_to_group();

void create_file_or_directory(int is_directory);

void list_files();

void check_access();

void show_logs();

int is_user_in_group(char *username, char *groupname);

void log_access(char *username, char *filename, char *operation, char *result);

// --- Function Implementations ---

void add_user() {

char username[20];

printf("Enter username: "); scanf("%s", username);

strcpy(users[user_count].username, username);

users[user_count].group_count = 0; user_count++;

printf("User '%s' added successfully.\n", username);

void add_user_to_group() {

char username[20], groupname[20];

printf("Enter username: "); scanf("%s", username);

printf("Enter group name: "); scanf("%s", groupname);

for (int i = 0; i < user_count; i++) {

if (strcmp(users[i].username, username) == 0) {

strcpy(users[i].groups[users[i].group_count], groupname);

users[i].group_count++;

printf("User '%s' added to group '%s'.\n", username, groupname);

return;

} }

printf("User not found.\n");

void create_file_or_directory(int is_directory) {

char name[50], owner[20], group[20], permissions[10];

printf("Enter %s name (with path): ", is_directory ? "directory" : "file");

scanf("%s", name);

printf("Enter owner: "); scanf("%s", owner);

 printf("Enter group: "); scanf("%s", group);

printf("Enter permissions (e.g., rwxr-xr--): "); scanf("%s", permissions);

strcpy(files[file_count].name, name); strcpy(files[file_count].owner, owner);

strcpy(files[file_count].group, group); strcpy(files[file_count].permissions, permissions);

files[file_count].is_directory = is_directory; file_count++;

printf("%s '%s' created successfully.\n", is_directory ? "Directory" : "File", name);

void list_files() {

printf("\n%-25s %-10s %-10s %-10s %-5s\n", "Name", "Owner", "Group", "Perms", "Type");

for (int i = 0; i < file_count; i++) {

printf("%-25s %-10s %-10s %-10s %-5s\n", files[i].name, files[i].owner, files[i].group,files[i].permissions,

files[i].is_directory ? "Dir" : "File");

} printf("\n");

int is_user_in_group(char *username, char *groupname) {

for (int i = 0; i < user_count; i++) {

if (strcmp(users[i].username, username) == 0) {

for (int j = 0; j < users[i].group_count; j++) {

if (strcmp(users[i].groups[j], groupname) == 0)

return 1;

} } }

return 0;

void log_access(char *username, char *filename, char *operation, char *result) {

strcpy(logs[log_count].username, username); strcpy(logs[log_count].filename, filename);

strcpy(logs[log_count].operation, operation); strcpy(logs[log_count].result, result);

log_count++;

void check_access() {

char username[20], filename[50], operation[10];

printf("Enter username: "); scanf("%s", username);

printf("Enter file/directory name (with path): "); scanf("%s", filename);

printf("Enter operation (read/write/execute): "); scanf("%s", operation);

for (int i = 0; i < file_count; i++) {

if (strcmp(files[i].name, filename) == 0) {

int index;

if (strcmp(operation, "read") == 0) index = 0;

else if (strcmp(operation, "write") == 0) index = 1;

else if (strcmp(operation, "execute") == 0) index = 2;

else {

printf("Invalid operation.\n");

return;

char op_char = operation[0]; // 'r', 'w', 'e'

char *perm = files[i].permissions;

if (strcmp(files[i].owner, username) == 0) {

if (perm[index] == op_char) {

printf("Access Granted (owner)\n");

log_access(username, filename, operation, "Granted");

return;

} }

else if (is_user_in_group(username, files[i].group)) {

if (perm[index + 3] == op_char) {

printf("Access Granted (group)\n");

log_access(username, filename, operation, "Granted");

return;

}}

else {

if (perm[index + 6] == op_char) {

printf("Access Granted (others)\n");

log_access(username, filename, operation, "Granted");

return;

} }

printf("Access Denied.\n");

log_access(username, filename, operation, "Denied");

return;
 } }

printf("File or directory not found.\n");

void show_logs() {

printf("\n%-10s %-25s %-10s %-10s\n", "User", "File/Directory", "Operation", "Result");

for (int i = 0; i < log_count; i++) {

printf("%-10s %-25s %-10s %-10s\n", logs[i].username, logs[i].filename, logs[i].operation, logs[i].result);

printf("\n");

// --- Main Menu ---

int main() {

int choice;

while (1) {

printf("\n--- Access Control System ---\n");

printf("1. Add User\n"); printf("2. Add User to Group\n");

printf("3. Create File\n"); printf("4. Create Directory\n");

printf("5. List Files/Directories\n"); printf("6. Check Access\n");

printf("7. Show Access Log\n"); printf("8. Exit\n");

printf("Choose an option: "); scanf("%d", &choice);

switch (choice) {

case 1: add_user(); break;

case 2: add_user_to_group(); break;

case 3: create_file_or_directory(0); break;

case 4: create_file_or_directory(1); break;

case 5: list_files(); break;

case 6: check_access(); break;

case 7: show_logs(); break;

case 8: printf("Exiting...\n"); exit(0);

default: printf("Invalid option. Try again.\n");

} }

return 0;

}
OUTPUT: