Attribute Based Access Control
A key characteristic of the Attribute Based Access Control (ABAC) model is its use of rules that can include multiple attributes. This allows it to be much more flexible than a rule-based access control model that applies the rules to all subjects equally. Many software-defined networks use the ABAC model. Additionally, ABAC allows administrators to create rules within a policy using plain language statements such as “Allow Managers to access the WAN using a mobile device.”
Mandatory Access Control
A key characteristic of the Mandatory Access Control (MAC) model is the use of labels applied to both subjects and objects. For example, if a user has a label of top secret, the user can be granted access to a top-secret document. In this example, both the subject and the object have matching labels. When documented in a table, the MAC model sometimes resembles a lattice (such as one used for a climbing rosebush), so it is referred to as a lattice-based model.
Discretionary Access Controls
A system that employs discretionary access controls allows the owner, creator, or data custodian of an object to control and define access to that object. All objects have owners, and access control is based on the discretion or decision of the owner. For example, if a user creates a new spreadsheet file, that user is both the creator of the file and the owner of the file. As the owner, the user can modify the permissions of the file to grant or deny access to other users. Data owners can also delegate day-to-day tasks for handling data to data custodians, giving data custodians the ability to modify permissions. Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities.
A DAC model is implemented using access control lists (ACLs) on objects. Each ACL defines the types of access granted or denied to subjects. It does not offer a centrally controlled management system because owners can alter the ACLs on their objects at will. Access to objects is easy to change, especially when compared to the static nature of mandatory access controls.
Microsoft Windows systems use the DAC model to manage files. Each file and folder has an ACL identifying the permissions granted to any user or group, and the owner can modify permissions.
Within a DAC environment, administrators can easily suspend user privileges while they
are away, such as on vacation. Similarly, it’s easy to disable accounts when users leave the
organization.
Within the DAC model, every object has an owner (or data custodian), and
owners have full control over their objects. Permissions (such as read
and modify for files) are maintained in an ACL, and owners can easily
change permissions. This makes the model very flexible.
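To make the three models concrete, here is an added example (not from the study guide) with a minimal evaluator for each: a MAC check over a label lattice, a DAC object whose owner alone may rewrite its ACL, and the guide's ABAC rule "Allow Managers to access the WAN using a mobile device." All subjects, labels, compartments and rights are constructed for illustration.

```python
# Added example: toy evaluators for MAC, DAC and ABAC as described above.
# Labels, compartments, users and rights below are constructed, not real data.

# --- MAC: labels are (level, compartments); the system assigns them, not owners ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_allows(subject_label, object_label):
    """Read access is granted only if the subject's label dominates the object's:
    a level at least as high AND a superset of compartments. Partial ordering on
    (level, compartments) is what makes the set of labels a lattice."""
    s_level, s_comp = subject_label
    o_level, o_comp = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and set(s_comp) >= set(o_comp)

# --- DAC: each object carries an owner plus an ACL the owner may change at will ---
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        # Owner gets full control by default, as with a newly created file.
        self.acl = {owner: {"read", "modify"}}

    def grant(self, actor, subject, right):
        """Only the owner may alter the ACL: this is the 'discretion' in DAC.
        There is no central authority that could override the owner here."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(subject, set()).add(right)

    def allows(self, subject, right):
        return right in self.acl.get(subject, set())

# --- ABAC: one rule combines attributes of subject, resource and environment ---
def abac_allows(subject, resource, environment):
    """Encodes 'Allow Managers to access the WAN using a mobile device.'
    Every attribute must match; a desktop session or a non-manager is denied."""
    return (subject.get("role") == "Manager"
            and resource == "WAN"
            and environment.get("device_type") == "mobile")
```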