Scribd
Upload
2 views

Access Control

Access control is a security mechanism that regulates who can access resources and what actions they can perform, crucial for data protection and network security. The document outlines various types of access control including Discretionary, Mandatory, Role-Based, Attribute-Based, and Rule-Based Access Control, each with distinct characteristics and use cases. It emphasizes the importance of access control for maintaining security, integrity, and confidentiality of data.

Uploaded by

nielpaguirigan14
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
2 views

Access Control

Access control is a security mechanism that regulates who can access resources and what actions they can perform, crucial for data protection and network security. The document outlines various types of access control including Discretionary, Mandatory, Role-Based, Attribute-Based, and Rule-Based Access Control, each with distinct characteristics and use cases. It emphasizes the importance of access control for maintaining security, integrity, and confidentiality of data.

Uploaded by

nielpaguirigan14
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 38

Introduction to Access

Control
Access Control
• Access control is a security mechanism that determines who or what
can access specific resources in a system and what actions they can
perform.
• It’s all about managing permissions to protect data and prevent
unauthorized access — crucial for both software development and
network security.
Types of Access Control:
1. Discretionary Access Control (DAC)
The owner of a resource decides who gets access.
Example: File permissions in Windows, where you can choose who can
read, write, or execute your files.
2. Mandatory Access Control (MAC)
Access is controlled by strict policies defined by the system, not the
user.
Example: Military or government systems with classified information.
Types of Access Control:
3. Role-Based Access Control (RBAC)
Access is granted based on the user's role (like Admin, User, or
Guest).Example: In a web app, only admins can delete users, while
regular users can only view data.
4. Attribute-Based Access Control (ABAC)
Access is based on attributes of the user, resource, or environment.
Example: A healthcare system might allow access to patient records
only during office hours and only for authorized doctors.
5. Rule-Based Access Control
Why Access Control is Important
Security: Prevent unauthorized access to sensitive data.
Integrity: Ensure data isn’t modified in unintended ways.
Confidentiality: Restrict access to confidential information.
Maintainability: Keep code organized and reduce accidental
interference.
Discretionary Access Control (DAC)
• Discretionary Access Control (DAC) is a type of access control where the
owner of a resource decides who can access it and what they can do with
it. It’s called "discretionary" because access is granted at the owner’s
discretion.
• Key Characteristics of DAC:
Owner-Controlled: The owner of a file, folder, or object can assign
permissions.
Flexible but Risky: Users can share access, which makes it flexible but may
introduce security risks if not carefully managed.
Identity-Based: Access decisions are based on user identities and their
assigned permissions.
Discretionary Access Control (DAC)
if ($userRole == "admin")
{ echo "Access granted!"; }
else
{ echo "Access denied!"; }
• Drawbacks of DAC:
Less Secure: Users might accidentally (or intentionally) give
access to malicious users.
No Centralized Control: Security depends on individual owners,
not a system-wide policy.

• When to Use DAC:


Personal systems or small teams where flexibility is more important
than strict security.
Systems where users should have the freedom to control their own
files or resources.
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Mandatory Access Control (MAC)
Mandatory Access Control (MAC)
Mandatory Access Control (MAC)
Mandatory Access Control (MAC)
Clark-Wilson Model
// Define security levels
HIGH = 3
MEDIUM = 2
LOW = 1

// Define objects with security labels


Object file1 = { name: "TopSecretFile", securityLevel: HIGH }
Object file2 = { name: "ConfidentialReport", securityLevel: MEDIUM }

// Define users with security clearance


User admin = { name: "AdminUser", clearanceLevel: HIGH }
User employee = { name: "EmployeeUser", clearanceLevel: MEDIUM }
User intern = { name: "InternUser", clearanceLevel: LOW }

// Function to check access


Function checkAccess(user, object):
If user.clearanceLevel >= object.securityLevel Then
Print "Access Granted to " + object.name
Else Print "Access Denied to " + object.name
End If
End Function
// Test access control
checkAccess(admin, file1) // Access Granted
checkAccess(employee, file1) // Access Denied
checkAccess(employee, file2) // Access Granted
checkAccess(intern, file2) // Access Denied
Role-Based Access Control
Role-Based Access Control
Role-Based Access Control
Role-Based Access Control
Role-Based Access Control
Role-Based Access Control
Role-Based Access Control
// Define roles and their permissions
Role admin = { "create", "read", "update", "delete" }
Role editor = { "read", "update" }
Role viewer = { "read" }

// Define users and assign roles


User user1 = { name: "Alice", role: admin }
User user2 = { name: "Bob", role: editor }
User user3 = { name: "Charlie", role: viewer }
// Function to check access

Function checkAccess(user, action):


If action IN user.role.permissions Then
Print user.name + " is allowed to " + action
Else
Print user.name + " is NOT allowed to " + action
End If
End Function

// Test access control


checkAccess(user1, "delete") // Alice is allowed to delete
checkAccess(user2, "create") // Bob is NOT allowed to create
checkAccess(user3, "read") // Charlie is allowed to read
checkAccess(user3, "update") // Charlie is NOT allowed to update
Rule-Based Access Control

In RuBAC, access decisions are made based on a set of predefined rules.


These rules follow an if-then structure.
•Example Rule: If the user’s IP address is from the company network, allow
access.
•Example Use Case: Firewall rules, access allowed only during business hours.
If user.IP == "192.168.1.1" AND time >= 9:00 AND time <= 17:00
Then Allow Access
Else Deny Access
End If
Attribute-Based Access Control
• In ABAC, access is based on attributes of the user, resource, or
environment. It’s more dynamic and flexible!
• Example Attributes: User role, department, location, device type,
time of access.
• Example Use Case: A doctor can access patient records, but only for
patients in their department.
Attribute-Based Access Control
Attribute-Based Access Control
// Define attributes for users
User doctor = { role: "Doctor", department: "Cardiology", location: "Hospital" }
User nurse = { role: "Nurse", department: "Pediatrics", location: "Hospital" }
User admin = { role: "Admin", department: "IT", location: "Remote" }

// Define attributes for resources


Resource patientRecord = { type: "PatientRecord", department: "Cardiology", sensitivity: "High" }
Resource serverLogs = { type: "ServerLogs", department: "IT", sensitivity: "Critical" }

// Define environment attributes


Environment currentTime = "14:00”
Environment allowedHours = { start: "09:00", end: "17:00" }

// Function to check access


Function checkAccess(user, resource, environment):
If user.role == "Doctor" AND user.department == resource.department AND environment.currentTime BETWEEN environment.allowedHours.start
AND environment.allowedHours.end
Then Print user.role + " is allowed to access " + resource.type
Else If user.role == "Admin" AND resource.type == "ServerLogs”
Then Print user.role + " is allowed to access " + resource.type Else Print "Access Denied for " + user.role + " to " + resource.type
End If
End Function

// Test access control


checkAccess(doctor, patientRecord, { currentTime: "14:00" }) // Access Granted
checkAccess(nurse, patientRecord, { currentTime: "14:00" }) // Access Denied
checkAccess(admin, serverLogs, { currentTime: "20:00" }) // Access Granted
checkAccess(doctor, serverLogs, { currentTime: "14:00" }) // Access Denied
Activity
• Identify User Roles:
Admin
Editor
Viewer
HR Manager
IT Support
• Define Permissions:
List possible actions users might want to perform, such as:
• Create content
• Read content
• Update content
• Delete content
• Access user data
• Change system settings
Activity

turn the logic into code


Activity

You might also like