Chapter 4

Access Control
 Access Control Principles
RFC 4949 defines computer security as:

“Measures that implement and assure

security services in a computer system,
particularly those that assure access
control service.”
 Authorization
database

Security administrator

Authentication Access control

Access
Authentication
control
function
function

User
System resources

Auditing

Figure4.1 Relationship AmongAccessControl and Other Security Functions

 Access Control Policies
• Discretionary access • Role-based access
control (DAC) control (RBAC)
o Controls access based on the o Controls access based on the
identity of the requestor and roles that users have within
on access rules the system and on rules
(authorizations) stating what stating what accesses are
requestors are (or are not) allowed to users in given roles
allowed to do
• Attribute-based access
• Mandatory access control (ABAC)
control (MAC) o Controls access based on
o Controls access based on attributes of the user, the
comparing security labels with resource to be accessed, and
security clearances current environmental
conditions
 Subjects, Objects, and
Access Rights
Access
Subject Object right

Describes the way in

An entity capable of A resource to which
which a subject may
accessing objects access is controlled
access an object

Three classes Could include:

• Owner Entity used to contain
• Read
• Write
• Group and/or receive • Execute
• World information • Delete
• Create
• Search
 Discretionary Access Control
(DAC)
• Scheme in which an entity may enable another
entity to access some resource
• Often provided using an access matrix
o One dimension consists of identified subjects that may
attempt data access to the resources
o The other dimension lists the objects that may be
accessed
• Each entry in the matrix indicates the access
rights of a particular subject for a particular
object
 OBJ ECTS
File1 File2 File3 File4
Own Own
User A Read Read
Write Write
Own
SUBJ ECTS User B Read Read Write Read
Write

Read Own
User C Read Read
Write Write
(a) Access matrix

File1 A B C User A File1 File3

Own R Own Own
R R W R R
W W W
• • •

File2 B C User B File1 File2 File3 File4

Own Own
R R R R W R
W W
• • • •

File3 A B User C File1 File2 File4

Own R Own
R W W R R
W W
• • •

File4 B C
Own (c) Capability lists for files of part (a)
R R
W
•

(b) Access control lists for files of part (a)

Figure4.2 Exampleof Access Control Structures

 OBJ ECTS
File1 File2 File3 File4
Own Own
User A Read Read
Write Write
Own
SUBJ ECTS User B Read Read Write Read
Write

Read Own
User C Read Read
Write Write
(a) Access matrix

File1 A B C User A File1 File3

Own R Own Own
R R W R R
W W W
• • •

File2 B C User B File1 File2 File3 File4

Own Own
R R R R W R
W W
• • • •

File3 A B User C File1 File2 File4

Own R Own
R W W R R
W W
• • •

File4 B C
Own (c) Capability lists for files of part (a)
R R
W
•

(b) Access control lists for files of part (a)

Figure4.2 Exampleof Access Control Structures

Subject Access Object
Mode
A
A
Own
Read
File 1
File 1
Table 4.1
A Write File 1
A Own File 3
A Read File 3
Authorization
A Write File 3 Table
B Read File 1
for Files in
B Own File 2
B Read File 2 Figure 4.2
B Write File 2
B Write File 3
B Read File 4
C Read File 1
C Write File 1
C Read File 2
C Own File 4
C Read File 4
C Write File 4
 OBJ ECTS
subjects files processes disk drives
S1 S2 S3 F1 F2 P1 P2 D1 D2

control owner owner read * read

S1 wakeup wakeup seek owner
control owner

SUBJ ECTS S2 control write* execute owner seek *

S3 control write stop

* - copy flagset

Figure4.3 Extended Access Control Matrix

 System intervention

Subjects Access control mechanisms Objects

read F (Si, read, F) File

Si Files
system

Memory
Segments
addressing
& pages
hardware

wakeup P (Sj, wakeup, P) Process

Sj Processes
manager

Terminal
& device Terminal
manager & devices

Instruction
decoding Instructions
hardware
grant a to Sn, X (Sk, grant, a , Sn, X)
Sk
delete b from Sp, Y (Sm, delete, b, Sp, Y) Access
Sm matrix
monitor

Access
write matrix read

Figure4.4 An Organization of the Access Control Function

Table 4.2

Access
Control
System
Commands
 Protection Domains
• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with
protection domains
• In terms of the access matrix, a row defines a protection
domain
• User can spawn processes with a subset of the access
rights of the user
• Association between a process and a domain can be static
or dynamic
• In user mode certain areas of memory are protected from
use and certain instructions may not be executed
• In kernel mode privileged instructions may be executed
and protected areas of memory may be accessed
UNIX File Access Control
UNIX files are administered using inodes (index
nodes)
• Control structures with key information needed for a particular file
• Several file names may be associated with a single inode
• An active inode is associated with exactly one file
• File attributes, permissions and control information are sorted in the
inode
• On the disk there is an inode table, or inode list, that contains the
inodes of all the files in the file system
• When a file is opened its inode is brought into main memory and
stored in a memory resident inode table

Directories are structured in a hierarchical tree

• May contain files and/or other directories

• Contains file names plus pointers to associated inodes
 UNIX
File Access Control
rw- r- - ---

 Unique user identification user : : rw

gr oup: : r - -
-

ot her : : - - -

number (user ID) (a) Traditional UNIX approach (minimal access control list)

 Member of a primary group

identified by a group ID rw- rw- ---
user : : rw -

 Belongs to a specific group masked

entries
user : j
gr oup:
oe: r w
: r- -
-

mask: : rw -

 12 protection bits
ot her : :---
(b) Extended access control list

 Specify read, write, and Figure4.5 UNIX FileAccess Control

execute permission for the

owner of the file, members of
the group and all other users
 The owner ID, group ID, and
protection bits are part of the
file’s inode
 Traditional UNIX
File Access Control
 “Set user ID”(SetUID)
 “Set group ID”(SetGID)
 System temporarily uses rights of the file owner/group in
addition to the real user’s rights when making access
control decisions
 Enables privileged programs to access files/resources
not generally accessible
 Sticky bit
 When applied to a directory it specifies that only the
owner of any file in the directory can rename, move, or
delete that file
 Superuser
 Is exempt from usual access control restrictions
 Has system-wide access
 Access Control Lists (ACLs)
in UNIX
Modern UNIX systems support ACLs

• FreeBSD, OpenBSD, Linux, Solaris

FreeBSD
• Setfacl command assigns a list of UNIX user IDs and groups
• Any number of users and groups can be associated with a file
• Read, write, execute protection bits
• A file does not need to have an ACL
• Includes an additional protection bit that indicates whether the file has an extended ACL

When a process requests access to a file system object two steps are
performed:
• Step 1 selects the most appropriate ACL
• Step 2 checks if the matching entry contains sufficient permissions
 rw- r- - ---
user : : r w -
gr oup: : r - -
ot her : : - - -

(a) Traditional UNIX approach (minimal access control list)

rw- rw- ---

user : : rw-
masked user : j oe: r w-
entries gr oup: : r- -
mask: : rw -
ot her : :---
(b) Extended access control list

Figure4.5 UNIX FileAccess Control

Users Roles Resources

Role1

Role2

Role3

Figure4.6 Users, Roles, and Resources

 R1 R2 Rn

U1

U2

U3

U4

U5

U6

Um

OBJ ECTS
R1 R2 Rn F1 F1 P1 P2 D1 D2

control owner owner read * read

R1 wakeup wakeup seek owner
control owner

R2 control write* execute owner seek *

ROLES

Rn control write stop

Figure4.7 Access Control Matrix Representation of RBAC

 RBAC3
Consolidated model

RBAC1 RBAC2
Rolehierarchies Constraints

RBAC0
Basemodel

(a) Relationship among RBAC models

(RH) Role
Hierarchy Oper-
ations

(UA) User (PA) Permission

Assignment Assignment
Users Roles
Permissions

user_sessions session_roles

Objects

Sessions

(b) RBAC models

Figure4.8 A Family of Role-Based Access Control Models.

 Table 4.3
Scope RBAC Models
 Director

Project Lead 1 Project Lead 2

Production Quality Production Quality

Engineer 1 Engineer 1 Engineer 2 Engineer 2

Engineer 1 Engineer 2

Engineering Dept

Figure4.9 Example of RoleHierarchy

 Constraints - RBAC
• Provide a means of adapting RBAC to the
specifics of administrative and security policies of
an organization
• A defined relationship among roles or a condition
related to roles
• Types:
Mutually exclusive
Cardinality Prerequisite roles
roles
• A user can only be • Setting a maximum • Dictates that a user
assigned to one role number with can only be
in the set (either respect to roles assigned to a
during a session or particular role if it is
statically) already assigned to
• Any permission some other
(access right) can specified role
be granted to only
one role in the set
 Attribute-Based Access
Control (ABAC)

Main obstacle to
its adoption in Web services
real systems has have been
Can define been concern pioneering
There is
authorizations about the technologies
considerable
that express Strength is its performance through the
interest in
conditions on flexibility and impact of introduction of
applying the
properties of expressive power evaluating the eXtensible
model to cloud
both the resource predicates on Access Control
services
and the subject both resource Markup
and user Language
properties for (XAMCL)
each access
 ABAC Model: Attributes
Subject Object Environment
attributes attributes attributes
• A subject is an • An object (or • Describe the
active entity that resource) is a operational,
causes information passive information technical, and even
to flow among system-related situational
objects or changes entity containing or environment or
the system state receiving context in which
information the information
• Attributes define access occurs
the identity and • Objects have • These attributes
characteristics of attributes that can have so far been
the subject be leverages to largely ignored in
make access most access
control decisions control policies
 ABAC
Relies upon the
Distinguishable because evaluation of attributes
of the subject, attributes
it controls access to
of the object, and a
objects by evaluating
formal relationship or
rules against the
access control rule
attributes of entities,
defining the allowable
operations, and the
operations for subject-
environment relevant to
object attribute
a request
combinations in a given
environment

Allows an unlimited
Systems are capable of
number of attributes to
enforcing DAC, RBAC,
be combined to satisfy
and MAC concepts
any access control rule
 Access Control
Policy
Environmental
Conditions

2a
2d

Rules

1
Enforce
Decision
3
Object
Access Control
2b Mechanism
Subject
2c

Clearance
Name Owner
Type
Affiliation
Etc.
Etc. Classification

Subject Attributes
ObjectAttributes

Figure4.10 SimpleABAC Scenario

 Proper
Credential Issuance
Identity
Credential
Credential Validation

Strength of
Credential Protection
Access Control Access Control
Subject Authentication Object
Decision Enforcement

Network Object Access Rule Enforcement

Physical Authentication
Access Access Provisioning
Network
Credential Group Management
Digital Identity
Network Access Provisioning Access Control List

(a) ACL Trust Chain

Identity Subject Object

Credential Attributes Attributes
Proper
Credential Issuance Authoritative Subject Authoritative
Attribute Stores Object Attributes
Credential Validation Attribute Provisioning Common Object
Common Subject Attribute Taxonomy
Strength of
Attribute Taxonomy
Credential Protection
Attribute Integrity Attribute Integrity

Access Control Access Control

Subject Authentication Object
Decision Enforcement

Network Object Access Rule Enforcement

Physical Authentication
Access Access Provisioning
Network
Credential Group Management
Digital Identity
Network Access Provisioning Rules

(b) ABAC Trust Chain

Figure4.11 ACL and ABAC Trust Relationships

 ABAC Policies
A policy is a set of rules and relationships that govern allowable behavior
within an organization, based on the privileges of subjects and how
resources or objects are to be protected under which environment
conditions

Privileges represent the authorized behavior of a subject

Typically and are defined by an authority and embodied in a policy
written
from the
perspectiv
e of the
object that
needs
protecting
and the Other terms commonly used instead of privileges are: rights,
privileges authorizations, and entitlements
available
to subjects
 Identity, Credential, and
Access Management (ICAM)
• A comprehensive approach to managing and
implementing digital identities, credentials, and
access control
• Developed by the U.S. government
• Designed to:
o Create trusted digital identity representations of individuals and
nonperson entities (NPEs)
o Bind those identities to credentials that may serve as a proxy for the
individual of NPE in access transactions
• A credential is an object or data structure that authoritatively binds
an identity to a token possessed and controlled by a subscriber
o Use the credentials to provide authorized access to an agency’s
resources
 Credential Management Identity Management

Background
Sponsorship Enrollment Investigation On-boarding

Credential
Issuance Production AuthoritativeAttribute Sources

Credential Digital Identity

Lifecycle Lifecycle
Management Management

Provisioning/Deprovisioning
External
Agency

Resource Privilege Policy

Stateor Local
Management Management Management
Government

Business Physical Logical

Partner Access Access

Citizen
Access Management

Identity Federation

Figure4.12 Identity, Credential, and Access Management (ICAM)

Identity Management
Concerned with assigning attributes to a
digital identity and connecting that digital
identity to an individual or NPE

Goal is to establish a trustworthy digital

identity that is independent of a specific
application or context

Most common approach to access control for

applications and programs is to create a
digital representation of an identity for the
specific use of the application or program

Maintenance and protection of the identity

itself is treated as secondary to the mission
associated with the application

• Mechanisms, policies, and procedures for protecting

personal identity information
Final element is lifecycle management which • Controlling access to identity data
includes: • Techniques for sharing authoritative identity data with
applications that need it
• Revocation of an enterprise identity
Credential Management
The management of the Encompasses five logical
life cycle of the credential components:

Examples of credentials are smart cards, An authorized individual sponsors an individual

private/public cryptographic keys, and digital or entity for a credential to establish the need for
certificates the credential

The sponsored individual enrolls for the credential

• Process typically consists of identity proofing and the capture of
biographic and biometric data
• This step may also involve incorporating authoritative attribute
data, maintained by the identity management component

A credential is produced
• Depending on the credential type, production may involve
encryption, the use of a digital signature, the production of a
smart card or other functions

The credential is issued to the individual or NPE

A credential must be maintained over its life cycle

• Might include revocation, reissuance/replacement, reenrollment,
expiration, personal identification number (PIN) reset,
suspension, or reinstatement
Access Management
Deals with the management
and control of the ways Covers both logical and
entities are granted access to physical access
resources

Purpose is to ensure that the

proper identity verification is
May be internal to a system made when an individual
or an external element attempts to access a security
sensitive building, computer
systems, or data

Three support elements are

needed for an enterprise-
wide access control facility:
• Resource management
• Privilege management
• Policy management
Three support elements are needed for an
enterprise-wide access control facility:
Resource management

• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes,
resource attributes, and environmental conditions are required for access of
a given resource for a given function

Privilege management

• Concerned with establishing and maintaining the entitlement or privilege

attributes that comprise an individual’s access profile
• These attributes represent features of an individual that can be used as the
basis for determining access decisions to both physical and logical
resources
• Privileges are considered attributes that can be linked to a digital identity

Policy management

• Governs what is allowable and unallowable in an access transaction

 Identity Federation
• Term used to describe the technology, standards,
policies, and processes that allow an organization
to trust digital identities, identity attributes, and
credentials created and issued by another
organization
• Addresses two questions:
o How do you trust identities of individuals from external
organizations who need access to your systems
o How do you vouch for identities of individuals in your
organization when they need to collaborate with
external organizations
 Identity (Possible contract)
Service Relying
Provide r Party

Users

(a) Traditional triangleof parties involved in an exchange of identity information

Trust Framework
Providers

AttributeProviders
Identity
Service AttributeExchange
Network Relying
Providers
Parties

Assessors Dispute
& Auditors Resolvers

Users

(B) Identity attribute exchange elements

Figure4.13 Identity Information Exchange Approaches

I den t ity (Possible contract)

S er vi ce Rely in g
P rov id e r Pa rt y

U s
e rs

(a) Traditional triangle of partiesinvolvedin anexchange of identity information

Trust Fra mew or k

Prov iders

A ttr i
b u te Providers
Ide n t ity
S erv ic e Attrib ut e Ex chang e
N et wo rk Relyin g
Pr ov id ers
Par ties

A ssess ors Disp ute

& Au dito rs Res olvers

Users

(B) Identity attribute exchange elements

Figure 4.13 Identity Information Exchange Approaches

 Open Identity Trust
Framework
OpenID OIDF ICF
• An open standard that allows users • OpenID Foundation is an • Information Card Foundation is a
to be authenticated by certain international nonprofit organization nonprofit community of companies
cooperating sites using a third party of individuals and companies and individuals working together to
service committed to enabling, promoting, evolve the Information Card
and protecting OpenID technologies ecosystem

OITF OIX AXN

• Open Identity Trust Framework is a • Open Identity Exchange Corporation • Attribute Exchange Network is an
standardized, open specification of a is an independent, neutral, online Internet-scale gateway for
trust framework for identity and international provider of certification identity service providers and
attribute exchange, developed jointly trust frameworks conforming to the relying parties to efficiently access
by OIDF and ICF OITF model user asserted, permissioned, and
verified online identity attributes in
high volumes at affordable costs
 Identity (Possiblecontract)
Service Relying
Provider Party

Users

(a) Traditional triangleof parties involved in an exchangeof identity information

Trust Framework
Providers

AttributeProviders
Identity
Service AttributeExchange
Network Relying
Providers
Parties

Assessors Dispute
& Auditors Resolvers

Users

(B) Identity attributeexchangeelements

Figure4.13 Identity Information Exchange Approaches

 Table 4.4
Functions and Roles for Banking Example
 Table 4.4
Functions and Roles for Banking Example
Human Resources Department Application Administration

Roles
User
IDs Functions
1 1-4 N M Access
Application
Right
Assigns
Positions

Authorization Administration

N M
Role Application

Figure4.14 Exampleof Access Control Administration

 Summary
• Access control principles • Attribute-based
o Access control context access control
o Access control policies o Attributes
• Subjects, objects, and o ABAC logical architecture
o ABAC policies
access rights
• Identity, credential,
• Discretionary access
and access
control
o Access control model
management
o Identity management
o Protection domains
o Credential management
• UNIX file access control o Access management
o Traditional UNIX file access o Identity federation
control
o Access control lists in UNIX
• Trust frameworks
o Traditional identity
• Role-based access exchange approach
o Open identity trust
control framework
o RBAC reference models
• Bank RBAC system