Popular Access Control Models and Methods

Access Control Models

Access control models are driven by the business needs of organizations. Some models are very common, and some are seldom used. We’re going to talk about each of those here. In a nutshell, access control models are methods for controlling access to different resources. Resources can be files, data, systems, computers, servers, whatever. The technique that you’re going to be using in your organization really depends on your organization’s business needs. What is your organization trying to accomplish?

Role Based Access Control

You have some different tools and techniques that you can use to enforce access control models. There are tools like the Windows Group Policy Editor, a very popular Windows tool. There is also SELinux, which is a group policy tool for Linux operating systems. SELinux is open source, while the Group Policy Editor usually comes with a Windows Server deployment, because most access control within Windows is accomplished through a server deployment. Role based access control is a traditional way of doing access control, and it makes things very easy. You assign a role to every individual in the organization, and those roles may coincide with what those individuals do, their function in your organization.

So you might have salespeople, a sales manager, maybe an HR representative in the back room. You might have a receptionist, for example, or you could have quality assurance people. Those would all be different roles. In your sales role, the salespeople could have access to sales folders, the sales client list, and sales software, maybe something like Salesforce. That’s a pretty easy analogy. They would have any type of products or services that they need to perform their functions.

Your sales manager might have access to all those tools as well as maybe some financial data. They might have access to the HR file; they might have more access than just the sales team. Then your HR manager would be able to access employee records, payroll information, and payroll software. This would still be a system within your network, but with different roles you can assign access only to the people who need it, which helps promote the concept of least privilege. Remember, least privilege is only assigning the minimum number of privileges necessary for someone to do their job. You might also have IT people, system admins, who would have access to the security devices, the firewalls, routers, things like that.

So that’s a good example of role based access control. Let’s take a quick example. You might have a sales department with some salespeople. Maybe you have Michael, who’s a sales manager, and you have Jim, a Dwight, and maybe a Phyllis on the sales team. The manager would have more privileges than the salespeople, but would also have access to everything that the salespeople do. Role based access control also makes onboarding very easy when you bring in people. Maybe you bring in a temp worker named Ryan, who is placed in the sales team temporarily.

So they’re given the privileges of the sales team by being placed into the sales group. An HR representative, for example, would lie outside of that hierarchy, maybe being shunned a little bit, and would probably have different privileges. Roles in role based access control can be set for each user individually or managed within groups, and those groups contain the list of privileges. If someone moves departments entirely, say from sales to quality assurance, they can be taken out of the sales group and added to the quality assurance group. This makes it much easier for systems administrators to manage those privileges rather than setting them up every time there’s a change in personnel.
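The sales team scenario above, modelled in a few lines of Python. This is an added example, not code from the original article; the people are the ones named in the text, while the role names and permission strings are constructed for illustration.

```python
# Constructed roles and permissions (illustrative, not from a real directory).
ROLE_PERMS = {
    "sales": {"sales_folder", "client_list", "sales_software"},
    "sales_manager": {"financial_data"},
    "hr": {"employee_records", "payroll"},
    "quality_assurance": {"test_reports"},
}
# A role inherits everything granted to the roles listed for it here.
ROLE_PARENTS = {"sales_manager": {"sales"}}


class Directory:
    def __init__(self):
        self.members = {}  # user -> set of roles (groups)

    def add(self, user, role):
        if role not in ROLE_PERMS:
            raise ValueError(f"unknown role: {role}")
        self.members.setdefault(user, set()).add(role)

    def move(self, user, old_role, new_role):
        """Department change: grant the new role, then revoke the old one."""
        self.add(user, new_role)
        self.members[user].discard(old_role)

    def permissions(self, user):
        """Effective permissions: union over roles, following inheritance."""
        seen, todo, perms = set(), list(self.members.get(user, ())), set()
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                perms |= ROLE_PERMS[role]
                todo.extend(ROLE_PARENTS.get(role, ()))
        return perms

    def can(self, user, permission):
        return permission in self.permissions(user)


def demo():
    d = Directory()
    d.add("michael", "sales_manager")
    for user in ("jim", "dwight", "phyllis", "ryan"):
        d.add(user, "sales")
    before = d.can("ryan", "client_list")
    d.move("ryan", "sales", "quality_assurance")
    return before, d.can("ryan", "client_list"), d.can("michael", "client_list")
```

Nobody's permissions are edited one by one: the move changes a single group membership, and the manager's access to the sales resources comes from role inheritance.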

Role-Based Access Control In Action

So let’s take a look at role based access control in action. Here we have Windows Server 2019, and I have a few different groups: a temp workers group, a sales group, and an executives group. Say we have a worker here, Ryan. If we look at Ryan, we can see that he is a member of the temp workers group. Say Ryan gets a promotion, and we want to move him to the executives group. What we can do here is simply remove him from the temp workers group and then add him to the new one. We type in “executive”, check names, find the executives group, and hit OK. Now Ryan has all the permissions and privileges of the executives group, and he no longer has the access granted to the temp group.

That makes it very easy for us as systems administrators to change his access. We hit Apply, and Ryan has those new permissions. We can also manage an entire group here. We can see the sales group has Dwight and Jim, and you can quickly view who has these privileges by looking at the group itself. It’s a very convenient method of performing access control, and Active Directory is how you would use it in a Windows environment. You can also add different security settings using Group Policy Management and apply those to the different groups.

And that could be a really easy way of applying a security baseline across an entire. If you’re trying to do this in a Linux environment, you can use SELinux as a tool for a Linux deployment.

Rule Based Access Control

Rule based access control uses different rules to control user access. These rules are usually stored in an access control list, normally called an ACL, just like a firewall would use ACLs. Rule based access control stores those rules, those plain text statements, in these ACLs. A lot of the time, rule based access control is used in security devices like intrusion prevention systems. You’d have an ACL that controls access to different systems and devices, and the IPS would follow those rules in order. Firewalls also often use this rule based approach. So it’s an approach to managing access control for devices and systems, not necessarily for people, and it is very useful for security devices.
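Because the device follows its rules in order, the position of a rule matters as much as its content. The following added example (not from the original article) evaluates a constructed ACL first match wins, and flags rules that can never fire because an earlier rule already covers them; the rule format and addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed rule set: (action, source network, destination port or None for any).
ACL = [
    ("deny",  "10.0.5.0/24", 22),
    ("allow", "10.0.0.0/16", 22),
    ("allow", "0.0.0.0/0",   443),
]


def evaluate(acl, src_ip, dst_port):
    """Return (action, rule_index) of the first rule that matches.

    Rules are checked top to bottom; when nothing matches, the
    implicit default is deny (rule_index is None).
    """
    src = ipaddress.ip_address(src_ip)
    for index, (action, network, port) in enumerate(acl):
        if src in ipaddress.ip_network(network) and port in (None, dst_port):
            return action, index
    return "deny", None


def shadowed_rules(acl):
    """Indexes of rules that can never fire: an earlier rule covers the
    same port and a superset of the source network."""
    shadowed = []
    for i, (_, net_i, port_i) in enumerate(acl):
        for _, net_j, port_j in acl[:i]:
            covers_net = ipaddress.ip_network(net_i).subnet_of(ipaddress.ip_network(net_j))
            covers_port = port_j is None or port_j == port_i
            if covers_net and covers_port:
                shadowed.append(i)
                break
    return shadowed
```

Swapping the first two rules turns the narrow deny into dead configuration: the broad allow matches first, and `shadowed_rules` reports the deny as unreachable.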

Discretionary Access Control (DAC)

Discretionary access control designates objects within an operating system. Objects are anything like a file or a folder, and each object has a designated owner. That owner is allowed to set permissions for that object, so this places access control in the hands of the users. We can examine how discretionary access control works by looking at our virtual machine. Here on the local disk we have the Cyberkraft folder. We can right-click it and go to Properties. When we go to Security, we see the different groups and users that can access this folder. We can select the users here and edit the permissions to deny access for all users: we select Users, select Deny, apply, and hit OK. Now we can see that those users are denied access to the folder.

Discretionary Access Control and DACLs

All these permissions are stored in something called a discretionary access control list, or DACL. So we have ACLs and we have DACLs. DACLs are for discretionary access control, which just makes sense: you already have DAC for discretionary access control, add an L, and now you’ve got a cool-sounding acronym, and you know how cyber people love their acronyms. Each object in a Windows system is also given a security identifier that’s stored as metadata within the file itself. When I say metadata, it’s a type of descriptor that’s stored with the file. So every file and every folder has an SID, a security identifier, and you can change those permissions, usually to read, write, modify, owner, or full control within Windows. You can do the same thing in Linux, where you usually set this through terminal commands.
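A simplified model of the two ideas in this section: only the owner may edit an object's DACL, and a deny entry for a group wins over an allow the same user holds through another group. This is an added example, not code from the original article and not the Windows API; it ignores inheritance, and the group and user names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # user or group the entry applies to
    rights: frozenset  # e.g. frozenset({"read", "write"})


@dataclass
class SecuredObject:
    owner: str
    dacl: list = field(default_factory=list)

    def set_ace(self, actor, ace):
        """Discretionary part: only the object's owner may edit its DACL."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        # Deny entries go ahead of allow entries so they are evaluated first.
        if ace.kind == "deny":
            self.dacl.insert(0, ace)
        else:
            self.dacl.append(ace)


def access_check(obj, user, groups, wanted):
    """Walk the DACL in order: a matching deny refuses at once, and access
    is granted only after every wanted right has been allowed."""
    identities = {user, *groups}
    remaining = set(wanted)
    for ace in obj.dacl:
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return False  # nothing granted the rights: implicit deny


def demo():
    folder = SecuredObject(owner="admin")  # constructed names
    folder.set_ace("admin", Ace("allow", "Sales", frozenset({"read"})))
    before = access_check(folder, "jim", ["Users", "Sales"], {"read"})
    folder.set_ace("admin", Ace("deny", "Users", frozenset({"read", "write"})))
    return before, access_check(folder, "jim", ["Users", "Sales"], {"read"})
```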

Mandatory Access Control (MAC)

Mandatory access control is a little different approach. It is primarily used with classified information, and it was initially developed by the US federal government to manage classified information.

There are three levels of classified information: confidential, secret, and top secret. You also have different compartments and different handling caveats, but those are the three main categories. How it’s done now in the federal government is that a system is classified at one of those confidentiality levels, and the access control for that system is all designed around that classification. I was a classified documents manager in the Army, so I have a lot of experience doing this. Initially, mandatory access control was designed to break up this level of access, to have multiple types of classification on the same system and then change the level of access control depending on who’s logged on to the system.

The government pretty quickly realized that this causes a lot of issues and could lead to leaks of classified information. So now pretty much every system has its own level of classification. You have a series of computers that are all at the secret level, or a series that are all top secret, and they pretty much have different networks. That’s a long topic we could get into, but you have a secret network, a top secret network, and a confidential network, for example. Users have access if they have a clearance at that level of classification and a need to know. They need both of those things: the need to know and the clearance level. So if somebody has a secret clearance, they can access secret systems as long as they have a need to know for that system. That helps encourage the concept of least privilege.

If you have access at a higher level in mandatory access control, you inherit access to the lower levels. If you have access to a top secret system, you’ll be able to access secret information on that top secret device as well, because it’s a lower classification level. Top secret is the highest, then secret, and then confidential.
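The two conditions described above, clearance level and need to know, written as a check, together with a scan for documents marked above the level of the system holding them. This is an added example, not code from the original article; the system, user and file names are constructed placeholders.

```python
from enum import IntEnum


class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def may_access(user, system):
    """Apply both conditions from the text and return (allowed, reason)."""
    # Clearance at or above the system's level; higher levels cover lower ones.
    if user["clearance"] < system["level"]:
        return False, "clearance below system classification"
    # Clearance alone is not enough: the user also needs a need to know.
    if system["name"] not in user["need_to_know"]:
        return False, "no need to know"
    return True, "granted"


def find_spills(system, documents):
    """Each system carries one classification level, so any document marked
    above that level does not belong on it. Returns the offending names."""
    return [d["name"] for d in documents if d["level"] > system["level"]]


# Constructed sample data (all names are placeholders).
SECRET_NET = {"name": "secret-net", "level": Level.SECRET}
TS_NET = {"name": "ts-net", "level": Level.TOP_SECRET}
ANALYST = {"clearance": Level.TOP_SECRET, "need_to_know": {"secret-net"}}
CLERK = {"clearance": Level.CONFIDENTIAL, "need_to_know": {"secret-net"}}
DOCS = [
    {"name": "memo.txt", "level": Level.CONFIDENTIAL},
    {"name": "plan.txt", "level": Level.SECRET},
    {"name": "source.txt", "level": Level.TOP_SECRET},
]
```

The analyst's top secret clearance covers the secret network, yet the same analyst is refused on the top secret network for lack of a need to know.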

Attribute Based Access Control

We also have something called attribute based access control. This uses different characteristics, not necessarily of files and folders but maybe of a user. A good example of how this is used is in the insurance industry or the financial advisory industry. Say you have a financial advisory firm that services people across the country. They have a hotline.

People can call in to get financial advice or to invest their money. When people call that hotline, they’re matched with a financial advisor who is licensed for their state. They would tell the phone system, “Hey, I’m from Oklahoma, I need financial advice,” and the phone system would match them by referencing a database that uses attribute based access control, find somebody with a license in Oklahoma, and connect the caller with the financial advisor who has that Oklahoma license. That Oklahoma financial advisor would only have access to customer files from the state of Oklahoma. So that’s a way of controlling access, usually within a database, depending on different attributes. Attribute based access control uses policy statements, which are basically almost like plain English statements. Let’s take a look at one here. A policy statement has four parts.

You have the subject, which is the user being identified; the object, which is the resource; the action, which is what the user wants to accomplish; and the environment, which includes any other attributes, anything other than subjects and objects. For example, we could say all redheaded employees are authorized to access databases at the Chicago office on Wednesdays. Our subject there would be redheaded employees, basically our employees. The object would be databases. The action would be access; they’d be able to access the information. The environment would be the Chicago office and Wednesdays, and redheaded would be an environment to that type of employee, identifying the type of employee. Read together, those parts form a plain English statement, and if you took them on their own, you could piece them together to make a whole statement. So that’s how attribute based access control is designed to read, almost like plain English.
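The four-part policy statement can be evaluated mechanically. The added example below (not from the original article) encodes the Chicago statement and the Oklahoma advisor rule as policies and checks requests against them with default deny; the attribute names and the dictionary layout are assumptions made for illustration.

```python
from datetime import date

# Each policy has the four parts described above. Subject, object and
# environment are predicates over attribute dictionaries; the object
# predicate also sees the subject so the two can be compared.
POLICIES = [
    {   # "Redheaded employees may access databases at the Chicago office on Wednesdays."
        "subject": lambda s: s.get("type") == "employee" and s.get("hair") == "red",
        "object": lambda o, s: o.get("type") == "database",
        "action": "access",
        "environment": lambda e: e.get("office") == "Chicago"
        and "date" in e and e["date"].weekday() == 2,  # Monday is 0, Wednesday is 2
    },
    {   # "Advisors may read customer files from a state they are licensed in."
        "subject": lambda s: s.get("role") == "advisor",
        "object": lambda o, s: o.get("type") == "customer_file"
        and o.get("state") in s.get("licensed_states", ()),
        "action": "read",
        "environment": lambda e: True,
    },
]


def is_permitted(subject, obj, action, env, policies=POLICIES):
    """Default deny: permit only when one policy matches on all four parts."""
    return any(
        p["action"] == action
        and p["subject"](subject)
        and p["object"](obj, subject)
        and p["environment"](env)
        for p in policies
    )


# Constructed sample requests.
RED = {"type": "employee", "hair": "red"}
DB = {"type": "database"}
WEDNESDAY = {"office": "Chicago", "date": date(2024, 5, 15)}
THURSDAY = {"office": "Chicago", "date": date(2024, 5, 16)}
ADVISOR = {"role": "advisor", "licensed_states": {"OK"}}
```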
