PrepAway - Latest Free Exam Questions & Answers

You work as an administrator for Techraft Inc. Employees of your company create 'products', which are supposed to be given different levels of access. You need to configure a security policy in such a way that an employee (the producer of a product) grants access privileges (such as read, write, or alter) on that product to other users.
Which of the following access control models will you use to accomplish this task?

A.
Discretionary access control (DAC)

B.
Role-based access control (RBAC)

C.
Mandatory access control (MAC)

D.
Access control list (ACL)

Explanation:
Answer option A is correct. Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have, which is exactly what the scenario requires: the employee who produces a product decides who may read, write, or alter it.
Two important concepts in DAC are as follows:
File and data ownership: Every object in the system has an owner. In most DAC systems, an object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.
Access controls may be discretionary in both ACL-based and capability-based access control systems.
Note: In capability-based systems there is no explicit concept of an owner, but the creator of an object has a similar degree of control over its access policy.
Answer option C is incorrect. Mandatory access control (MAC) is a model in which access decisions are enforced by the system according to a predefined policy rather than by the owner of an object. Access to an object is restricted on the basis of the sensitivity of the object, and the sensitivity of an object is defined by the label assigned to it; a subject is granted access only if its clearance satisfies that label. For example, if a user receives a copy of an object that is marked "secret", he cannot grant other users permission to see it unless they already hold the appropriate clearance. Because the producer of a product cannot decide for himself who may access it, MAC does not fit the scenario.
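The difference between the owner-driven DAC rule above and the label-driven MAC rule is easiest to see in a small reference monitor. The following is an added example written for this page, not code from the exam or from any product: it models a product with an owner-maintained ACL, lets only the owner grant read/write/alter, and then layers a label check on top to show why the same grant succeeds under DAC but is refused under MAC. The users (alice, bob, carol), the labels and the product name are constructed for the example.

```python
from dataclasses import dataclass, field

# Ordered sensitivity labels for the MAC check (constructed for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
RIGHTS = frozenset({"read", "write", "alter"})


@dataclass
class Subject:
    name: str
    clearance: str = "public"  # consulted only by the MAC check


@dataclass
class Product:
    name: str
    owner: str                               # DAC: the creator is the initial owner
    label: str = "public"                    # MAC: sensitivity label set by the system
    acl: dict = field(default_factory=dict)  # subject name -> set of rights (the DACL)


class NotOwner(PermissionError):
    """Raised when a subject that does not own the object tries to grant rights on it."""


def create_product(creator: Subject, name: str, label: str = "public") -> Product:
    """The subject that causes an object to be created becomes its owner with all rights."""
    return Product(name=name, owner=creator.name, label=label,
                   acl={creator.name: set(RIGHTS)})


def grant(grantor: Subject, product: Product, grantee: Subject, right: str) -> None:
    """DAC rule: only the owner may add an access control entry for another subject."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right: {right}")
    if grantor.name != product.owner:
        raise NotOwner(f"{grantor.name} is not the owner of {product.name}")
    product.acl.setdefault(grantee.name, set()).add(right)


def dac_allows(subject: Subject, product: Product, right: str) -> bool:
    """DAC decision: purely what the owner has recorded in the ACL."""
    return right in product.acl.get(subject.name, set())


def mac_allows(subject: Subject, product: Product, right: str) -> bool:
    """MAC decision: labels only. Read needs clearance >= label; write/alter need an
    exact match, so a subject cannot write information 'down' to a lower label."""
    clearance, label = LEVELS[subject.clearance], LEVELS[product.label]
    return clearance >= label if right == "read" else clearance == label


def mac_over_dac_allows(subject: Subject, product: Product, right: str) -> bool:
    """A MAC system still honours the owner's ACL, but the label check must pass too."""
    return dac_allows(subject, product, right) and mac_allows(subject, product, right)


def run_scenario() -> dict:
    """Walk through the exam scenario with constructed users and one product."""
    alice = Subject("alice", clearance="secret")      # producer of the product
    bob = Subject("bob", clearance="public")          # colleague with no clearance
    carol = Subject("carol", clearance="confidential")

    spec = create_product(alice, "widget-spec", label="secret")
    grant(alice, spec, bob, "read")                   # the owner hands out read

    results = {
        "owner_can_alter": dac_allows(alice, spec, "alter"),
        "bob_dac_read": dac_allows(bob, spec, "read"),            # DAC: the owner said so
        "bob_mac_read": mac_over_dac_allows(bob, spec, "read"),   # MAC: label wins
    }
    # Bob is not the owner, so under DAC he cannot pass on the right he received.
    try:
        grant(bob, spec, carol, "read")
        results["bob_regrant"] = "allowed"
    except NotOwner:
        results["bob_regrant"] = "denied"
    # Even the owner cannot override the label: carol is cleared 'confidential' only.
    grant(alice, spec, carol, "read")
    results["carol_dac_read"] = dac_allows(carol, spec, "read")
    results["carol_mac_read"] = mac_over_dac_allows(carol, spec, "read")
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

One caveat worth keeping in mind when reading the result: in a real DAC system bob, although he cannot grant rights on alice's object, can usually make his own copy of it and, as owner of that copy, hand it to anyone. A label-based MAC policy closes that hole because the label travels with the copy and the clearance check is applied regardless of who owns it.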
Answer option D is incorrect. An access control list (ACL) is a mechanism for recording permissions rather than an access control model in its own right; it is the usual way a DAC policy is implemented. An ACL is an ordered list of access control entries (ACEs). Each ACE identifies a trustee and specifies a set of access rights that are allowed, denied, or audited for that trustee. In Windows, the security descriptor of an object contains two ACL types:
Discretionary Access Control List (DACL): It identifies the trustees that are allowed or denied access to a securable object.
System Access Control List (SACL): It enables an administrator to log attempts to access a secured object.

Answer option B is incorrect. Role-based access control (RBAC) is an access control model in which a user can access resources according to his role in the organization. Permissions are attached to roles by an administrator, not granted by the owners of individual objects. For example, a backup administrator is responsible for taking backups of important data; therefore, he is authorized to access that data only for backing it up. Users with different roles sometimes need to access the same resources, and this situation can also be handled in the RBAC model by assigning the required permission to each of those roles. Since the scenario calls for the producer of each product, rather than a central role definition, to decide who gets access, RBAC is not the right choice.
