What is Access Control ?
All users may not have permission to access all the resources in a system or network. A system should be able to allow or deny access to certain resources based on identity or role of the user or the group the user belongs to. This can be managed using access control. Access control is the selective restriction of access to a resource based on authenticated identity of the user or the properties of the request.
Access control deals with controlling the access to a resource after a user has provided his credentials and the identity is verified. To give an example, a user or a group of users may have permission to access only a certain set of resources and may be restricted from the rest. It can be managed using access control.
Access Control Models
Access to resources can be enforced through many types of controls :
- Mandatory Access Control or MAC
- Discretionary Access Control or DAC
- Role Based Access Control or RBAC
- Rule Based Access Control or RAC
- Attribute Based Access Control or ABAC
- History Based Access Control or HBAC
- Identity Based Access Control or IBAC
Mandatory Access Control or MAC
In Mandatory Access Control or MAC, all access to resources are strictly controlled by the Operating System based on settings provided by the system administrator. In this type of access control, security labels are assigned to each resource on a system. This security labels can contain information on classification of the resource (top secret, confidential, public etc) and to whom the resource is available. Similarly, each user is also associated with a classification based on his role, identity, group etc and a set of resources available to him. When an authenticated user requests to access a resource, the Operating System checks the security labels of the resource and the classification of the user and decides whether the request should be allowed or denied.
MAC provides a very secure access control environment and traditionally it has been associated with Govt. System and specialized military systems. Recently, MAC is also implemented in SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows.
Discretionary Access Control or DAC
In Mandatory Access Control, access to resources is controlled by the Operating System using settings provided by the system administrator. But, in Discretionary Access Control or DAC the owner of the resource controls which user or group should be able to access the resource.
In this type of access control, each resource typically has one Access Control List associated with it which specifies which user or group will have access to the resource and what all permissions will be granted. For example, a user may create a confidential file and provide read-only access to only those who belong to the same group as the user and restrict the rest.
Please note that, in DAC a user can control access to resources which he/she owns. User X cannot control access to resource which belongs to User Y.
A system can implement both MAC and DAC, in which case the Operating System can control what all resources an authenticated user can access using MAC and the user can control what all resources owned by him/her can be accessed by others using DAC.
Role Based Access Control or RBAC
Role Based Access Control or RBAC is a non-discretionary access control in which a user is given permission to access a resource based on his/her role in the organization. For example, a system may provide access to certain resources to the Accountant role, in which case all accountants in the organization would be able to access the resources. Similarly, a manager may be assigned to a manager role and a software engineer may be assigned a developer role and they can have permission to access resources based on their roles.
Please note that, a role assigned to a user is not same as a group. A user can belong to different groups, but he/she would have a single role in the organization.
Rule Based Access Control or RAC
In Rule Based Access Control or RAC, when a request is made to access a resource, the properties of the request is checked against a predefined set of rules to decide whether the request can be allowed or should be denied. For example, a firewall can use Rule Based Access Control. When a request is made to access a device or network, the properties of the request like IP address, port, application etc are analyzed and checked against a pre-defined set of rules to decide whether to block or allow the request.
So, in Role Based Access Control or RBAC access request is permitted based on role of the user requesting the resource and in Rule Based Access Control or RAC a request to access a resource is allowed or denied based on properties of the request and a set of predefined rules.
Rule Based Access Controls are commonly used to permit access to certain resources to certain users or group during certain hours of a day or certain days in a week. For example, Rule Based Access Control can be used to permit students to access resources during 9 am to 5 pm from Monday to Friday.
Attribute Based Access Control or ABAC
Attribute Based Access Control or ABAC uses a set of attributes as building blocks to define access control rules of a resource.
Attributes are sets of labels or properties that can be used to describe the resource. Fr example, when a user wants to access a resource in a given context, the request can contain the following building blocks :
- Subject – The user who is requesting the resource. Common attributes are user ID, group, role etc.
- Action – The action the user wants to perform. Common attributes are permission to read, write execute, edit etc.
- Resource – The resource the user wants to access.
- Environment – The context in which the access is requested. Common attributes include timestamp of the request, location of the user, protocol used in the request, encryption strength etc.
Typically each attribute consists of a key = value pair like role = manager. These attributes are used in a structured language to define an access rule or describe a request. For example, permit managers to have read-only access to employee data if the employee belongs to the same department as the manager.
The main difference between Attribute Based Access Control and Role Based Access Control is that unlike Role Based Access Control, Attribute Based Access Control can use complex Boolean rule sets to evaluate many different attributes at a time and grant access based on that. Structured language like XACML or eXtensible Access Control Markup Language is often used for that purpose.
ABAC is also considered the “next-generation” authorization model as it can provide dynamic, context-aware and risk-intelligent access control to allow access to resources. Policy Based Access Control or PBAC and Claims Based Access Control or CBAC are Microsoft specific terms for ABAC.
Identity Based Access Control or IBAC
In Identity Based Access Control or IBAC, access to resources are controlled based on identity of the authenticated user. For example, Cyberoam offers a network security system in which a user’s identity can be used as a part of the firewall rule matching criteria. In this case, a user’s identity is treated as the 8th Layer in the network protocol stack and is used while authenticating, authorizing and auditing the network. This in turn allows an organization to create security policies based on users and groups rather than on IP addresses. Identity Based Access Control gives more precise control over who can access the network and what they can access.
History Based Access Control or HBAC
In History Based Access Control or HBAC, access to a resource is granted or denied based on the history of activities of the request. Past behavior, access patterns, time between requests, contents requested etc are usually used in History Based Access Control or HBAC. For example, a user can be denied to access a resource if the number of requests per second exceeds a certain threshold or any past abusive access pattern is detected.
What is the difference between Access Control and Identity Management ?
Identity Management covers a whole range of functions like access control, user provisioning, privileged account management, directory services, account auditing, role and group management, Single Sign On or SSO etc. Access control is only a subset of Identity Management.
Vendors like Oracle, Microsoft, IBM, Novell etc provide Identity Management suites that include identity administration, identity infrastructure, access management and auditing.
In short, identity administration sets up user roles and groups that allow access only to authorized systems. Identity infrastructure holds information on user accounts and user identity, such as LDAP. Access management sets up user accounts with user Ids, passwords, smart cards, biometrics etc. And, auditing deals with reporting on accounts.
On the other hand, access control is concerned with providing users with access based on their authenticated identity. It is not concerned with proving their identity. While Identity Management can use multiple pieces of proofs to verify the identity of a user, access control focuses on providing users with access to resources once their identity is verified.
This was an article on basic information on access control. Hope it helped.