Access control types (MAC, DAC, RBAC, and ABAC)

        Access control is a technology used to maintain computer system and network security. It manages the access rights of users or processes to computer system or network resources by implementing security policies and controls in the system. Its purpose is to ensure that only qualified users can access sensitive information stored in the system or perform specific operations, thereby preventing unauthorized access or data leakage.

        The basic principle of access control is the principle of least privilege: limit the range of resources and operations that each user can access and perform, and grant only the minimum privileges necessary, so that access to system resources is controlled for users at different levels. This can be achieved by applying different access control models and policies, such as Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).

        Access control is a very important part of computer network security. It plays a key role in preventing information leakage and network attacks, and helps enterprises and organizations guard against data leakage, improper system use and the risks caused by system vulnerabilities.

        Mandatory Access Control (MAC)

        This type of access control is controlled by the system administrator: user access to resources is governed by predefined, mandatory rules and policies, and users cannot change their own permissions. For example, the access level and security level in the Bell-LaPadula (BLP) model are defined by the system administrator, and users cannot change them. The MAC model is usually applied to systems that require strict confidentiality, such as those in military, government, financial and other fields. For example, the US High Performance Computing Center uses a MAC-based system in computing resource management, which controls access to computer resources, including hardware type, available time, and number of instances. Through the MAC model, the system can guarantee resource security and data isolation, which makes it important for confidentiality protection.

        Discretionary Access Control (DAC)

        This type of access control is controlled by the object's owner (or system administrator). Each object has an owner, and the owner, rather than system-enforced rules, determines the access rights to the resource. The DAC model is typically applied in environments that allow multiple users to share resources. For example, Unix and Linux operating systems adopt the DAC model: each file has an owner and a set of access control lists. Owners can modify these lists to control who can access their files, without requiring a system administrator to intervene.

        Role-Based Access Control (RBAC)

        This type associates access rules with user roles. Users are not directly associated with resources, but with roles. Each role has a set of permissions and access rules, and any user assigned to a role gains access to the resources associated with it. This access control is controlled and maintained by the system administrator. For example, a CRM system may have sales roles, customer service roles, and management roles, each with defined access rights: a sales role can view and edit customer data, a customer service role can view and update customer service records, and a management role can view and edit information from various departments of the company. Through the RBAC model, users with different roles can have different access rights to resources.

        Attribute-Based Access Control (ABAC)

        The ABAC model controls user access to resources based on attributes of the user and the object, such as the user's job responsibilities, the resource type and its classification, the time, and other factors. Each access request is evaluated to determine whether the user meets the access criteria. This type of access control is usually applied to systems with strict security protection requirements. For example, the information system of a hospital may use the ABAC model to determine the information access rights of each doctor and nurse based on factors such as their job responsibilities, clinical work priorities, identity verification, and patient confidentiality, so as to ensure access security and data isolation for its information resources.
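The RBAC and ABAC sections above differ in what the decision function looks at, and the following added example (not code from the original post) puts the CRM roles next to the hospital case to show it. The permission strings, the `Request` fields, the ward names and the day-shift rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

# RBAC: permissions hang off roles (the CRM roles from the RBAC section).
# Permission names are constructed; "management" is modeled as the union
# of the other two roles (assumption).
ROLE_PERMS = {
    "sales": {"customer:view", "customer:edit"},
    "customer_service": {"service_record:view", "service_record:update"},
    "management": {"customer:view", "customer:edit",
                   "service_record:view", "service_record:update"},
}

def rbac_allows(user_roles, permission):
    """Allow only if one of the user's roles carries the permission."""
    return any(permission in ROLE_PERMS.get(r, set()) for r in user_roles)

# ABAC: every request is evaluated against subject, resource and
# environment attributes (the hospital case from the ABAC section).
@dataclass(frozen=True)
class Request:
    job: str             # subject attribute: "doctor", "nurse", ...
    ward: str            # subject attribute: ward the staff member works on
    authenticated: bool  # subject attribute: identity verification passed
    patient_ward: str    # resource attribute: ward the patient is on
    record_type: str     # resource attribute: "vitals", "diagnosis", ...
    action: str          # "read" or "write"
    hour: int            # environment attribute: local hour, 0-23

def abac_allows(req):
    """Default deny; rules match on attributes, never on a user name."""
    if not req.authenticated:
        return False
    if req.ward != req.patient_ward:
        return False  # data isolation between wards
    if req.job == "doctor":
        return req.action in ("read", "write")
    if req.job == "nurse":
        if req.record_type == "vitals":
            return req.action in ("read", "write")
        # Constructed rule: nurses may read other records on day shift only.
        return req.action == "read" and 7 <= req.hour < 19
    return False  # unknown job attribute: deny
```

The RBAC check returns the same answer for a role at any time and for any record, while the ABAC check can deny the same nurse the same record once the hour or the patient's ward changes.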

Origin blog.csdn.net/ryanzzzzz/article/details/131401747