[Computer Systems Security]
Access controls are important components of any comprehensive IT security strategy and are used to allow or deny access to system resources through permissions and/or roles assigned to the system’s users. These controls operate in different levels and can be represented by a physical device attached to a network, a piece of software running under a OS, or even a person entrusted with the task of controlling who could access a specific resource. In computer systems security there are many forms of access controls. This paper will focus on the differences and similarities of the Mandatory Access Control (MAC), the Discretionary Access Control (DAC), and the Role-Based Access Control.
Mandatory Access Control (MAC)
In the Mandatory Access Control the security policy is determined by the operating system, not the owner of the resource. In a MAC-based system all subjects (users and processes) are tagged with security attributes that define the level of trust for accessing the system resources. Objects (system resources such as files, folders, shared memory blocks, communication ports, and etc…) are tagged as well with security attributes that define the minimum trust level required for their consumption. Thus, a subject is only allowed to access an object if his level of trust is equal or greater than the object he is trying to access. This security policy is normally managed and enforced in a centralized manner by a policy administrator. Users are not allowed to override such policy and grant access to resources that would otherwise be restricted.
Discretionary Access Control (DAC)
In the Discretionary Access Control the security policy is at the discretion of its subjects. This allows subjects, entrusted with enough permissions to assign security attributes to the objects they own. Consequently, subjects are responsible for the interactions (read, write, and execute) between their objects and other subjects.
Role-Based Access Control (RBAC)
With role-based access control, access decisions are based on the roles that individual users have as part of an organization (NIST, 1995). In this control, Roles are created to match the various job functions within an organization and its system. Then, instead of assigning permissions directly to subjects, permissions are assigned to Roles and subjects can acquire permissions only through the roles they are assigned to. Therefore, a subject can only perform actions against system resources that are authorized by his assigned active roles.
Conclusion
While MAC access control is governed by the system itself, the DAC access control is managed and enforced by the system subjects, who own their objects and can extended access to them to other subjects in the system. RBAC roles are established by an organization and its system administrators to match the job functions within the organization. These roles hold the necessary permissions that allow for the execution of their related tasks. Only through their assigned active roles can subjects perform actions against the system.
MAC is the easiest to be managed and enforced. Once security attributes are defined in the system, the system itself is responsible for their enforcement. Managing and enforcing DAC, on the other hand, is a very complex task since both subjects and objects have their very own set of permissions (besides the permissions the subjects create themselves), which can become harder to maintain and to enforce as the number of users and resources grows. DAC is also more vulnerable to malware and viruses since they could affect security policies in the same “easy” way as the system’s subjects.
On RBAC-based systems, subjects share among themselves the various roles established by the security policy. If a subject needs a different set of permissions a new role can be assigned to him or disassociated from him, without affecting the role itself or the other subjects. RBAC differs from DAC since subjects “cannot pass access permissions on to other users at their discretion.” (Ferraiolo & Kuhn, 1992) However, RBAC is similar to MAC in the sense that RBAC is “a form of mandatory access control, but it is not based on multilevel security requirements.” (DoD, 1985 )
Works Cited
DOD. (1985). Trusted Computer System Evaluation Criteria. DoD 5200.28-STD. Retrieved August 6, 2011 from: http://csrc.nist.gov/publications/history/dod85.pdf.
Ferraiolo, David F., & Kuhn, Richard. (1992). Role-based Access Control. Retrieved August 5, 2011 from: http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf.
NIST. (1995). NIST/ITL Bulletin . Retrieved on August 3, 2011 from:
http://csrc.nist.gov/groups/SNS/rbac/documents/design_implementation/Intro_role_based_access.htm.
