Access control related concepts and common models

<! - StartFragment ->

Access control aims to allow, deny, restrict and revoke access to resources through identification, authentication and authorization. When discussing data access management, we must first understand physical access and logical access. Physical access refers to buildings, equipment, and documents, while logical access refers to computer or system access.

Access management concept

Let's take a closer look at the concepts of security and identity management, which are already included in the scope of certain identity management association certification programs and exams.

Identification

Identity is a way to ensure that the subject (user, program, or process) is the entity it claims to be.

Authentication

Identity verification is the process of comparing the credentials provided by the entity with the entity information stored on the system to verify the identity.

Authorization

Authorization occurs after the identification and authentication of the entities have occurred to determine the operations they are allowed to perform. Authorization is achieved through the use of access control.

Principle of Least Privilege

The principle of least privilege stipulates that we should only allow minimal access to an entity, which can be a user, device, account, or process that enables it to perform the required functions. This concept also applies to computer services, which may be granted more access rights and functions than are required to run the system through improper programming.

Separation of Duties Principle

The principle of separation of duties is a mechanism for the separation of responsibilities and authorities between business departments and business operators of an enterprise. The main purpose is to prevent exploitation and fraud by allowing two people to complete a task. For example, to ensure security when transferring funds online, the system may require two people to enter the system and approve the transaction.

Access control list

An access control list or ACL is a file, usually referring to a computer file system, which attaches permissions to objects or entities. ACL specifies which users or system processes are granted access to the object and what operations are allowed on the object. Each entry in a typical ACL specifies a subject and an operation. For example, if a file object has an ACL containing (Alice: read, write; Bob: read), this will grant Alice the permission to read and write the file, and Bob will only read the file.

Features

If ACLs define permissions given an identity and a set of permissions, then feature-based access provides an alternative method of granting access based entirely on what we have (such as tokens, passes, or passwords). In a function-based system, an application can share tokens that define its access level with other applications.

Access control method

According to the access control method, access rights can be granted based on what we know, own and exist.

For example, what we know is a password or token, what we have is a pass, and what has always been there is fingerprints or other biometric data.

Access control model

Common access control models include: discretionary access control, mandatory access control, role-based access control and attribute-based access control.

Discretionary access control

Discretionary Access Control (DAC) is an access control model that determines access permissions based on the owner of the target resource. The owner of the resource can decide who has access rights and which resources they have access to.

Mandatory access control

Mandatory Access Control (MAC) is an access control model in which the owner of a resource cannot decide who can access it, but the organization or individual who has the right to set resource access permissions determines who has access permissions. We can often find the implementation of MAC in government organizations. In these organizations, access to a given resource is mainly determined by the following factors:

Sensitive labels applied to data (confidential, top secret, etc.),
According to the level of sensitive information that the individual is allowed to access,
It is the principle of least privilege to determine whether it is really necessary for individuals to access resources.

Role-based access control

Role-Based Access Control (RBAC) is an access control model, similar to MAC, its function is access control set by permissions instead of resource owners. The difference between RBAC and MAC is that access control in RBAC is based on the individual roles of accessing resources.

Attribute-based access control

Attribute-based access control (ABAC) is attribute-based. These attributes can be attributes of a specific person, resource, or environment. The attribute can be the subject (the height of the person in the amusement park), the resource (software that only runs on a specific operating system or website), or the environment (the time of day or the length of the activity that has elapsed).

Military and government organizations can use a multi-level access control model. The simple access control model we just discussed may not be enough to protect the information we control access to.

Physical access control

When discussing physical access control, we usually focus on the access control of individuals, devices, and vehicles.

Individual access control usually revolves around controlling individuals' access to buildings or facilities. We can see that many buildings implement this type of control, and they control access to facilities in the form of passes. Such passes are usually configured on ACLs to allow or deny which doors they can be used for and specify the time of day that they can be used.

Physical access control of vehicles usually revolves around preventing vehicles from entering restricted areas.

Trailing

One of the most common problems with physical access control is the trailing problem. When we authenticate against physical access control measures (for example, when using a pass), there is a possibility of tailgating, and then another person directly follows us without authenticating himself.

Article source: https://www.identitymanagementinstitute.org/access-control-types-and-models/

about us

Access control related concepts and common models
"Longgui Technology" is an enterprise-level information service provider focusing on low-code empowerment. The core founder team is co-founded by experts from NSFOCUS, Red Hat open source operating system, well-known game Crab Technology, and well-known open source communities.

"Longgui Technology" is committed to enabling every enterprise in China to have an exclusive automated office operating system, helping enterprises or governments to embrace the (Cloud Native First) strategy of cloud native first , and helping customers build a modern IT foundation centered on "identity and application" facility! So as to realize "digital transformation" and "industrialized production of software industry" !

Main product: ArkOS Ark Operating System: an enterprise-level office automation operating system , combined with self-developed low-code application development platform, build an industrial ecology, and focus on creating an integrated full-stack cloud native platform for various enterprises and organizations. The built-in applications of the system include: ArkID unified identity authentication , ArkIDE, ArkPlatform, App Store and other products. Up to now, the company has obtained 15 software copyrights and 2 invention patents, and in November 2020, it has been recognized as a national high-tech enterprise in Zhongguancun, Haidian District, Beijing .