What is the difference between discretionary and non-discretionary access control?

You might see a lot of questions on the CISSP exam about rule-based and role-based access.

Firewall rule sets are an example of rule-based access control.

Active Directory security groups are a form of role-based access control.

Role-based and rule-based controls are both classed as non-discretionary controls.

8 years ago when I was just a junior systems administrator, the IT Director provisioned me a new desktop computer networked to Active Directory.

I wanted to immediately change the desktop wallpaper to a picture of Chewbacca playing the drums in a giant rock band with Han Solo as the lead guitarist, while Darth Vader floats down onto the stage, and Princess Leia belching out the vocals.


But I couldn’t.

I couldn't change the desktop wallpaper, change the system time, open cmd.exe, or change my password.

At first, I thought this was a show of force by the Director: a form of centralized access control imposed by a player who had been in the game longer and knew the tricks and strategies to best a rookie junior administrator.

Now, as a security engineer, I realize the IT Director didn't grant me the ability to change the system time because it would interfere with NTP (the Network Time Protocol, which keeps system clocks synchronized) or with the distribution of encrypted session keys.

Quite simply, non-discretionary access controls are ones that are not at the discretion of the user. They are global rules that apply to nearly everyone, so don't feel bad : )


Identity-based access control is a form of discretionary access control in which access decisions are based on the individual's identity. Biometric access control systems, for example, belong to this type.

Non-discretionary access control

When access to an object is governed by a set of rules, it is called Rule-Based Access Control (RBAC). For example, the subject's clearance level and the object's classification level may together determine what access is allowed. A practical example is a college that provides Internet access only during specific hours of the day (the rule here is based on time of day).
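The rule set below shows what "rule-based" means in practice: an ordered list of rules evaluated first-match with a default deny, covering both the firewall-style rules mentioned earlier on this page and the time-of-day rule in the college example. This is an added example, not code from the original page; the rule format, the address ranges and the campus policy are constructed for illustration.

```python
"""Rule-based access control: an ordered rule set, first match wins, default deny.
Added example, not from the original page; the Rule/Request format and the
campus policy below are constructed for illustration."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_port: int
    at: time  # time of day at which the request is evaluated


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_net: Optional[str] = None    # CIDR block; None matches any source
    dst_port: Optional[int] = None   # None matches any port
    after: Optional[time] = None     # matches only at or after this time of day
    before: Optional[time] = None    # matches only strictly before this time of day

    def matches(self, req: Request) -> bool:
        """Every constraint that is set must hold; unset constraints match anything."""
        if self.src_net is not None and ip_address(req.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_port is not None and req.dst_port != self.dst_port:
            return False
        if self.after is not None and req.at < self.after:
            return False
        if self.before is not None and req.at >= self.before:
            return False
        return True


def evaluate(rules: List[Rule], req: Request) -> str:
    """First matching rule decides; a request matching no rule is denied.
    The same rules apply to every subject and no individual user can override
    them, which is what makes the control non-discretionary."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return "deny"


def decide(rules: List[Rule], src_ip: str, dst_port: int, hour: int, minute: int = 0) -> str:
    """Convenience wrapper so a decision can be requested without building a Request."""
    return evaluate(rules, Request(src_ip, dst_port, time(hour, minute)))


# Constructed policy: the student network (10.1.0.0/16) may reach HTTPS only
# between 08:00 and 22:00; the admin network (10.9.0.0/24) may always reach SSH;
# everything else falls through to the default deny.
CAMPUS_RULES = [
    Rule("deny",  src_net="10.1.0.0/16", dst_port=443, before=time(8, 0)),
    Rule("deny",  src_net="10.1.0.0/16", dst_port=443, after=time(22, 0)),
    Rule("allow", src_net="10.1.0.0/16", dst_port=443),
    Rule("allow", src_net="10.9.0.0/24", dst_port=22),
]

if __name__ == "__main__":
    for ip, port, hour in [("10.1.5.5", 443, 12), ("10.1.5.5", 443, 23), ("10.9.0.7", 22, 3)]:
        print(ip, port, f"{hour:02d}:00", "->", decide(CAMPUS_RULES, ip, port, hour))
```

The ordering matters: the two time-window denies sit above the general allow for the same network and port, so the allow is only reached inside the window. Putting the allow first would silently make the time rule dead.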

When access is controlled by mandatory rules, it is known as Mandatory Access Control (MAC). This type of access control is based on security labels, which are attached to subjects as well as objects. A subject's label must be equal to or higher than the object's label for the subject to access it. For example, modern operating systems such as Windows Vista and later (Mandatory Integrity Control) and certain Linux variants (SELinux) restrict what applications may do to certain processes based on integrity or sensitivity labels.


The acronym MAC is also used in computer networking, where it denotes Media Access Control: an addressing scheme that gives each network interface card a unique hardware address.

If a centralized authority controls access based on a specific policy, this is referred to as non-discretionary access control.

Centralized access control is an arrangement in which all the core access functions, Authentication, Authorization and Accountability (AAA), are performed from one central location.

Role-Based Access Control (RBAC) is a type of non-discretionary access control based on the subject's role or position in the organization. Most enterprise applications, such as Enterprise Resource Planning (ERP) and Manufacturing Execution Systems (MES), use this control as the default or preferred option. For example, an Active Directory setup may contain groups such as server admins and domain admins: users are placed into groups, and permissions are assigned to the groups according to role rather than to individual users.


Rule-based access control and role-based access control share the same acronym, RBAC, so check the context to see which one is meant.

Task-based access control is based on a subject's responsibilities in the organization. A role may contain multiple tasks; for example, a role may contain the tasks of creating a user record and then provisioning that user on a specific system. In task-based access control, access is granted only for specific tasks within a role, not for all of them.
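To make the distinction between the two preceding paragraphs concrete, the following added example (not code from the original page) models role-based assignment, where a user receives every task of a role, next to task-based assignment, where a user receives only a named subset of a role's tasks. The role names, task names and users are constructed; the role-to-task table is the central policy that an administrator, not the user, maintains.

```python
"""Role-based and task-based access control side by side.
Added example, not from the original page; roles, tasks and users are constructed."""
from typing import Dict, Iterable, Optional, Set

# Permissions (here, tasks) hang off roles, never directly off users, so a change
# of job function is a single reassignment rather than an audit of every object.
ROLE_TASKS: Dict[str, Set[str]] = {
    "hr_onboarding": {"create_user_record", "provision_system_access", "issue_badge"},
    "server_admin":  {"restart_service", "read_logs"},
    "domain_admin":  {"restart_service", "read_logs", "reset_password", "modify_group"},
}


class Assignments:
    def __init__(self) -> None:
        # user -> role -> allowed subset of the role's tasks, or None for the whole role
        self._grants: Dict[str, Dict[str, Optional[Set[str]]]] = {}

    def assign_role(self, user: str, role: str) -> None:
        """Plain RBAC: the user receives every task the role carries."""
        if role not in ROLE_TASKS:
            raise KeyError(f"unknown role {role!r}")
        self._grants.setdefault(user, {})[role] = None

    def assign_tasks(self, user: str, role: str, tasks: Iterable[str]) -> None:
        """Task-based: the user receives only the listed tasks of the role.
        A task that the role does not contain is rejected rather than silently granted."""
        wanted = set(tasks)
        unknown = wanted - ROLE_TASKS[role]
        if unknown:
            raise ValueError(f"{sorted(unknown)} are not tasks of role {role!r}")
        self._grants.setdefault(user, {})[role] = wanted

    def revoke_role(self, user: str, role: str) -> None:
        """Removing the role removes every task that came with it."""
        self._grants.get(user, {}).pop(role, None)

    def authorized(self, user: str, task: str) -> bool:
        """True if any role assigned to the user (or the user's task subset of it) contains the task."""
        for role, subset in self._grants.get(user, {}).items():
            allowed = ROLE_TASKS[role] if subset is None else subset
            if task in allowed:
                return True
        return False


def demo() -> Assignments:
    """Constructed assignments: alice holds a full role, bob only one task of a role."""
    a = Assignments()
    a.assign_role("alice", "domain_admin")
    a.assign_tasks("bob", "hr_onboarding", {"create_user_record"})  # may not provision
    return a


if __name__ == "__main__":
    a = demo()
    for user, task in [("alice", "modify_group"), ("bob", "create_user_record"),
                       ("bob", "provision_system_access")]:
        print(user, task, "->", a.authorized(user, task))
```

Note that the check is deny-by-default: an unknown user, a revoked role, or a task outside the granted subset all fall through to False.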

Lattice-based access control is one in which a pair of values determines the access rights: the least upper bound and the greatest lower bound of the subject's and the object's labels in the lattice. It is another type of non-discretionary access control, and is usually represented as a grid in which subjects and objects are mapped to positions in the lattice.

In the following example (a figure in the original page, not reproduced here), user levels and file levels are mapped in a lattice model to represent access levels.
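The following added example (not code from the original page) implements the label comparison described in the MAC paragraph and the lattice operations described in the lattice paragraph above, and reproduces the grid of subject-versus-object access rights that the missing figure illustrates. A label is a sensitivity level plus a set of compartments, and "dominates" is the lattice order. The level names and compartments are constructed. It also goes one step beyond the text by adding the Bell-LaPadula write rule (no write down) beside the read rule (no read up).

```python
"""Lattice-based mandatory access control with least-upper-bound and
greatest-lower-bound. Added example, not from the original page; the level
names and compartments are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order: level at least as high AND compartments a superset.
        Two labels can be incomparable, e.g. secret/{crypto} vs top_secret/{}."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both (max level, union)."""
    top = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(top, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label both dominate (min level, intersection)."""
    bottom = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(bottom, a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the clearance must dominate the classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property (no write down): the object's label must dominate the subject's."""
    return obj.dominates(subject)


def access_grid(subjects: Dict[str, Label], objects: Dict[str, Label]) -> Dict[Tuple[str, str], str]:
    """The grid form mentioned in the text: for each (subject, object) pair the
    letters 'r' and/or 'w' that the label comparison permits, or '-' for neither."""
    grid = {}
    for s_name, s in subjects.items():
        for o_name, o in objects.items():
            rights = ("r" if can_read(s, o) else "") + ("w" if can_write(s, o) else "")
            grid[(s_name, o_name)] = rights or "-"
    return grid


# Constructed labels: one subject, three files of differing sensitivity.
ANALYST = Label("secret", frozenset({"crypto"}))
FILES = {
    "memo":  Label("confidential", frozenset({"crypto"})),        # below the analyst
    "plan":  Label("secret", frozenset({"crypto", "nuclear"})),   # above: extra compartment
    "brief": Label("top_secret"),                                 # incomparable: higher level, no compartment
}

if __name__ == "__main__":
    for (who, what), rights in access_grid({"analyst": ANALYST}, FILES).items():
        print(f"{who} -> {what}: {rights}")
    print("lub(analyst, brief) =", lub(ANALYST, FILES["brief"]))
```

The "brief" row is the instructive one: the analyst's clearance neither dominates nor is dominated by top_secret/{} because the compartment sets go in opposite directions, so neither read nor write is permitted, and the least upper bound of the two (top_secret/{crypto}) is the clearance a subject would need to read both.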


What is a non

A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.

What is the main difference between DAC and MAC?

The main difference between DAC and MAC is that in DAC the owner of the resource decides who may access it, whereas in MAC access is granted according to the clearance level of the user and the classification of the resource.

What is the difference between discretionary and mandatory access control explain with an example?

In MAC, the operating system grants access based on the security labels attached to the user (clearance) and to the data (classification), not on the wishes of the data's owner. ...

What is an example of discretionary access control?

A typical example of DAC is the Unix file mode, which holds three bits (read, write and execute) for each of three classes: the owning user, the owning group and everyone else. DAC attributes include: a user may transfer ownership of an object to another user, and a user may determine the type of access other users have to the objects they own.
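As an added example (not code from the original page), the block below models the Unix file mode described above: it parses the nine-character permission string that ls -l prints, applies the class-selection rule, and exposes the two discretionary attributes, changing the bits (chmod) and transferring ownership (chown). The File class, user and group ids are constructed; the kernel's root override (CAP_DAC_OVERRIDE) is deliberately left out, and chown is modelled as root-only, which is an assumption matching Linux rather than classic System V.

```python
"""Discretionary access control as Unix file mode bits.
Added example, not from the original page; File, the ids and the modes are constructed.
Models Linux behaviour without the root (CAP_DAC_OVERRIDE) bypass."""
from dataclasses import dataclass
from typing import Set

BITS = {"r": 4, "w": 2, "x": 1}


@dataclass
class File:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640

    def chmod(self, by_uid: int, new_mode: int) -> None:
        """DAC attribute: the owner (or root) decides what access others get."""
        if by_uid not in (0, self.owner_uid):
            raise PermissionError("only the owner may change the mode")
        self.mode = new_mode & 0o777

    def chown(self, by_uid: int, new_uid: int) -> None:
        """DAC attribute: ownership is transferable. Assumed root-only, as on Linux."""
        if by_uid != 0:
            raise PermissionError("only root may change ownership on this system")
        self.owner_uid = new_uid


def parse_symbolic(perm: str) -> int:
    """Turn 'rwxr-x---' (the ls -l form) into 0o750; rejects anything malformed."""
    if len(perm) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def allowed(f: File, uid: int, gids: Set[int], want: str) -> bool:
    """want is a subset of 'rwx'. Exactly one class applies, chosen by identity:
    an owner is judged by the owner bits alone, even when the group or other
    bits would be more generous (so mode 0o077 locks the owner out)."""
    if uid == f.owner_uid:
        shift = 6
    elif f.group_gid in gids:
        shift = 3
    else:
        shift = 0
    have = (f.mode >> shift) & 0o7
    need = 0
    for w in want:
        need |= BITS[w]
    return have & need == need


if __name__ == "__main__":
    report = File(owner_uid=1000, group_gid=100, mode=parse_symbolic("rw-r-----"))
    print("owner rw:", allowed(report, 1000, {1000}, "rw"))
    print("group w :", allowed(report, 1001, {100}, "w"))
    report.chown(0, 1001)  # root hands the file to uid 1001
    print("new owner w:", allowed(report, 1001, {100}, "w"))
```

The class-selection rule is the part most often misread: membership in the owning group does not add to an owner's rights, and being the owner does not fall back to the group bits when the owner bits deny.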