Article directory
- After identification and authentication technology, authorization and access technology are involved
- Like a family, a personal diary does not want others to read it
- Different people in the system have different permissions
1. Concepts of authorization and access control policies
1.1 Authorization concept
- In order for legitimate users to use the information system normally, authenticated users need to be granted corresponding operating permissions. This process is called authorization. Authorizable permissions include reading and writing files, running programs, and network access. The technology to implement and manage these permissions is called authorization technology.
- Running program permission control, QQ cannot send installed applications to prevent delays and viruses
1.2 Access control policy concept
- Access control is the basis for implementing authorization. It controls that resources can only be accessed according to the granted permissions.
- Access control policy is a description of access control and related authorization at a higher level of system security. Its expression model is often called an access control model. It is a conceptual model in which access control methods are highly abstract and independent of software and hardware implementation.
1.3 Access control matrix (the most common access control model)
1.4 Subject attributes
1.5 Object attributes
2. Main types of access control policies
2.1 Attribute association method
- The attribute association method must not only consider support for authorization decisions, but also consider factors such as whether it can reduce stored data, speed up operation processing, and whether it supports verification of some security properties.
3. Access control strategies and models
3.1 Common access control policy models
1. Discretionary access control
- Under the autonomous access control policy, each object has one and only one owner, and the owner of the object determines the protection strategy of the object. The system determines whether a subject can access an object in a certain way based on whether there is a corresponding object in the system. Owner's authorization
- What you do on the computer is because you have the sovereignty of the computer. If you enter your user name and password according to the system installation, the computer has been authorized.
3.2 Common discretionary access control models
1. HRU model (authorization model used by computers, different accounts handle resources differently)
2. Get model and action entity model
4. Implementation mechanism of access control technology
4.1 Mandatory access control
- Under the mandatory access control policy, each entity has corresponding security attributes, which are the basis for system authorization. Each subject in the system has an access tag, which identifies the permission level for access to various objects. The objects in the system are also bound to a sensitivity tag, reflecting their confidentiality level. The system compares the tags of the subject and the object. Decide whether and how to authorize
4.2 Role-based access control
- Overall process of role-based access control
4.3 Attribute-based access control ABAC
- Attribute-based access control ABAC components
5.PMI technology
5.1 Introduction
5.2 Attribute Certificate