Today we discuss the paper on the Study of the Access Control Model in information security by Qing hai, Ying et al. This paper compares and contrasts different access control mechanism, models and instruments specifically access control lists, access control capabilities list, mandatory access control policy, role-based control model and access control in Grid environment. They discuss this in the context of network security. Access control here is about the principals involved, their access and the permissions associated with a resource. The paper talks about three different modes, the discretionary access control (DAC), the mandatory access control (MAC) and the role based access control model (RBAC). DAC permits legal users to access the regulated objects by the identity of the user or user group. In addition users may delegate their authority to other users in a discretionary manner. This used to exist on all flavors of UNIX, NT/Server etc. The system used to identify the user and then limit access to resources that the user can have access to.The resources that the user can access can be change by any member of a privileged user group. It is implemented using an access control matrix, an access control list, and an access control capabilities list. The access control matrix is a two-dimensional matrix representing principals such as users, programs and user-agents versus the resources such as documents and services.The cells are filled with authorization permission. This matrix is very flexible to implement DAC. At the same time it suffers from the downsides that it cannot be transmitted and it may affect performance if its size is too big. Space and speed may degrade as the matrix grows. An Access Control List is a linked list of permissions for each principal against a resource. This is probably the most prevalent mechanism and it is simple, convenient and practical. An Access Control Capabilities list is also a linked list that subjoins the users list with the objects list so that for a given user, its ACCL describes the objects it has permissions to. Note that ACL was about an object and the users that have access to it. An ACCL determines the capabilities of a user. Capability can be transferred. The capabilities list is generally considered insecure because by transferring capabilities the resource is not consulted and may lead to unauthorized access of a resource. Both lists suffer from the problem that they can grow to be arbitrarily large depending on the number of users and resources.
No comments:
Post a Comment