This document discusses various access control models and concepts. It begins by defining access control as the prevention of unauthorized use of resources, controlling who can access a resource, under what conditions, and what they are allowed to do. It then covers different access control models and concepts in detail including access control matrices, access control lists, capabilities, role-based access control (RBAC), mandatory access control (MAC), and separation of duty constraints. RBAC is described as defining roles and associated permissions rather than assigning permissions directly to users. Hierarchical and static/dynamic separation of duty extensions to the core RBAC model are also summarized.

1. Information Security
Week No 13
BSDS/AI 3rd Semester
Access Control
1

2. Compromise recording
• This principle states that sometimes it is more
desirable to record the details of an intrusion
than to adopt more sophisticated measures to
prevent it.
– Internet-connected surveillance cameras are a typical
example of an effective compromise record system
that can be deployed to protect a building in lieu of
reinforcing doors and windows.
– The servers in an office network may maintain logs for
all accesses to files, all emails sent and received, and
all web browsing sessions.
2

3. Topic: 2. Access Control
• Users and groups
• Authentication
• Passwords
• File protection
• Access control lists
• Which users can
read/write which files?
• Are my files really safe?
• What does it mean to be
root?
• What do we really want
to control?
12/12/2022 Introduction 3

4. Cont.
Access control
prevention of the unauthorized use of a
resource, that is this service controls
- who can have access to a resource
- under what condition access can occur
- and what those accessing are allowed to
do
4

5. Access Control Matrices
• A table that defines permissions.
– Each row of this table is associated with a subject, which is
a user, group, or system that can perform actions.
– Each column of the table is associated with an object,
which is a file, directory, document, device, resource, or
any other entity for which we want to define access rights.
– Each cell of the table is then filled with the access rights for
the associated combination of subject and object.
– Access rights can include actions such as reading, writing,
copying, executing and deleting.
– An empty cell means that no access rights are granted.
5

6. Example Access Control Matrix
6
• Adv:
– Fast and easy determination for access control rights
– Provide a simple visual way
• Disadv:
– What will happen when it grow
– n subject, m object then n.m cells
– Server have 1000 subjects (users) and 1,000,000
objects (which are files and folders)

7. Access Control Lists
• It defines, for each object, o, a list, L, called o’s access
control list, which enumerates(Computes) all the
subjects that have access rights for o and, for each
such subject, s, gives the access rights that s has for
object o.
7
/etc/passwd /usr/bin/ /u/roberto/ /admin/
root: r,w,x
backup: r,x
root: r,w,x
roberto: r,w,x
backup: r,x
root: r,w,x
mike: r,x
roberto: r,x
backup: r,x
root: r,w
mike: r
roberto: r
backup: r

8. Cont.
• Advantage:
– Less size as compare to access control matrices
• Size of ACL is proportional to No. of non empty cell in ACM
– ACL of the object is store as metadata with its object
• System only need to consult the ACL of that object
• Disadvantage:
– Do not provide the efficient way to see the access
control right of a given subject,
• Each object’s list must be accessed
8

9. Capabilities
• Takes a subject-centered
approach to access
control.
• It defines, for each
subject s, the list of the
objects for which s has
nonempty access control
rights with specific right
9
/etc/passwd: r,w,x; /usr/bin: r,w,x;
/u/roberto: r,w,x; /admin/: r,w,x
root
/usr/passwd: r; /usr/bin: r;
/u/roberto: r,w,x
roberto
/usr/passwd: r; /usr/bin: r,x
mike
backup
/etc/passwd: r,x; /usr/bin: r,x;
/u/roberto: r,x; /admin/: r,x

10. Cont.
• Same advantage in space over access control
matrix as the access control list
• Easy for admin to quickly determine access
right for a give subject
• When s request for o, system need to read
only the capabilities of s
• The only way to determine the access right of
object o is to search all the capabilities
10

11. Role-based Access Control
• Define roles and then specify access control
rights for these roles, rather than for subjects
directly.
11
Department
Member
Administrative
Personnel
Accountant Secretary
Administrative
Manager
Faculty
Lab
Technician
Lab
Manager
Student
Undergraduate
Student
Graduate
Student
Department
Chair
Technical
Personnel
Backup
Agent
System
Administrator
Undergraduate
TA
Graduate
TA

12. Mandatory Access Control (MAC)
12
Unclassified
Confidential
Secret
Top Secret
can-flow
dominance
Labeling Mechanism is used
Military Security
Require a strict classification of
subjects and objects in security levels
Drawback of being too rigid
Applicable only to very few
environments
Prevent any illegal flow of
information through the
enforcement of multilevel security
Adopted from : Role-Based Access Control by Prof.Ravi Sandhu

13. Compartments and Sensitivity Levels
Unclassified
Restricted
Confidential
Secret
Top Secret
Compartment 1
Compartment 3
Compartment 2
• Information access is limited by the need-to-know
• Compartment: Each piece of classified information
may be associated with one or more projects called
compartments

14. Classification & Clearance
• <rank; compartments>
– class of a piece of information
• Clearance: an indication that a person is
trusted to access information up to a certain
level of sensitivity
• <rank; compartments>
– clearance of a subject

15. Dominance Relation
• We say that s dominates o (or o is dominated
by s) if o <= s
For a subject s and an object o,
o <= s if and only if
rank(o) <= rank(s) and
compartments(o) is subset of compartments(s)
• A subject can read an object if the subject
dominates the object.

16. Example
• Information classified as <secret; {Sweden}>
• Which of the following subject clearances can
read the above information?
– <top secret; {Sweden}>
– <secret; {Sweden, crypto}>
– <top secret; {crypto}>
– <confidential; {Sweden}>
– <secret; {France}>

17. Role-Based
Access
Control
(RBAC)

18. Access
Control
Matrix

19. Role-Based Access Control
ROLES
Usrer-Role
Assignment
Permission-Role
Assignment
USERS PERMISSIONS
...
Sessions
Role Hierarchies
• Users are human beings or other active agents
• Business function the user perform is role
• A user can be a member of many roles
• Each role can have many users as members
• A user can invoke multiple sessions
• In each session a user can invoke any subset
of roles that the user is a member of
• A permission can be assigned to
many roles
• Each role can have many
permissions
‐ read, write, append, execute
Health-Care Provider
Physician
Primary-Care
Physician
Specialist
Physician
Adopted from : Role-Based Access Control by Prof.Ravi Sandhu

20. Role-Based Access Control

21. Scope RBAC Models

22. Example of Role Hierarchy

23. Constraints - RBAC
• provide a means of adapting RBAC to the
specifics of administrative and security
policies of an organization
• a defined relationship among roles or a
condition related to roles
mutually exclusive
roles
• a user can only be
assigned to one role in
the set (during a
session or statically)
• any permission can be
granted to only one
role in the set
cardinality
• setting a maximum
number with respect
to roles
prerequisite roles
• dictates that a user
can only be assigned
to a particular role if it
is already assigned to
some other specified
role

24. RBAC System
administrative
functions
• provide the
capability to
create, delete, and
maintain RBAC
elements and
relations
supporting
system
functions
• provide functions
for session
management and
for making access
control decisions
review
functions
• provide the
capability to
perform query
operations on
RBAC elements
and relations

25. NIST RBAC Basic Definitions
• object
– any system resource subject to access control,
such as a file, printer, terminal, database record
• operation
– an executable image of a program, which upon
invocation executes some function for the user
• permission
– an approval to perform an operation on one or
more RBAC protected objects

26. NIST RBAC Model

27. Core RBAC
administrative
functions
• add and delete
users from the set
of users
• add and delete
roles from the set
of roles
• create and delete
instances of user-
to-role assignment
• create and delete
instances of
permission-to-role
assignment
supporting
system functions
• create a user
session with a
default set of active
roles
• add an active role
to a session
• delete a role from a
session
• check if the session
subject has
permission to
perform a request
operation on an
object
review functions
• enable an
administrator to
view but not modify
all the elements of
the model and their
relations

28. Hierarchical RBAC
general role
hierarchies
allow an arbitrary partial ordering of
the role hierarchy
supports multiple inheritance,
in which a role may inherit
permissions from multiple
subordinate roles and
more than one role can inherit from
the same subordinate role
limited role
hierarchies
impose restrictions resulting in a
simpler tree structure
role may have one or more
immediate ascendants
but is restricted to a single
immediate descendant

29. Static Separation of Duty
• enables the definition of a set of mutually exclusive
roles,
– if a user is assigned to one role in the set, the user may not be
assigned to any other role in the set
• can place a cardinality constraint on a set of roles
– defined as a pair (role set, n) where no user is assigned to n or
more roles from the role set
• includes administrative functions for creating and
deleting role sets and adding and deleting role members
• includes review functions for viewing the properties of
existing SSD sets

30. Dynamic Separation of Duty
• limit the permissions available to a user
– places constraints on the roles that can be activated within
or across a user’s sessions
• define constraints as a pair (role set, n) with the
property that no user session may activate n or more
roles from the role set
– where n is a natural number n ≤ 2
• enables the administrator to specify certain
capabilities for a user at different, time spans
• includes administrative and review functions for
defining and viewing DSD relations

31. Task Based Access Control
31
P – Permission
S – Subject
O – Object
A – Actions
U – Usage and Validity Counts
AS – Authorization step
• Active Security Model
• Dynamic authorization gives
flexibility
• No Roles Involved
• Constraints for this model is still
under study
• For each authorization step consumes permission, usage count is
incremented
• Usage Count reaches its limit, the associated permission is
deactivated
Adopted from Source: Task based authorization controls by R.S.Sandhu and R.K.Thomas
Classical subject-object access control P S x O x A

TBAC view of access control P S x O x A x U x AS

TBAC extensions

32. TBAC with Constraints
32
Users
Alice
Bob
Tasks
Check Patient
Do Physical Exam
Non-
Workflow
Workflow
Start
Do Physical
Exam (T1)
Check
Patient
(T2)
Perform Lab
Test (T3)
View Lab
Results
(T4)
Write
Prescription
(T5)
Refer
another
specialist
(T6)
End
Out Patient Workflow
Non-Workflow
View Current
Patient List

33. TBAC with Constraints
33
Non-
Workflow
Workflow
Task
Instances
Check Patient task
Permissions
Objects –
Health Records
or Files.
Operations –
Read, Update,
Write, Copy,
Print etc
Alice Check Patient Josh
Bob Check Patient Grace
Task Instance 1
Task Instance 2

34. Constraints
34
Users are not given more permission than is
necessary to perform their duties
Constraints
User Instance
Tasks Permissions
Task constraints – Least Privilege
Achieved through task instances
Alice Check Patient Josh
Access Permissions starts when the instance is initiated
Access Permissions end when the instance is completed or revoked
Fine Grained Access Control
Initiated
Active
Completed Revoked
status

35. Static and Dynamic Separation of Duty
35
No single individual can execute all tasks within the workflow
Do
Physical
Exam (T1)
Check
Patient
(T2)
Perform
Lab Test
(T3)
View Lab
Results
(T4)
Write
Prescription
(T5) End
Start
Alice Check Patient Josh
Task Instance 1
Protects against fraudulent activities of users
Static SOD - Defining the tasks in workflow or non workflow govern the
administration or design-time associations between users and permissions.
Dynamic SOD - permissions or task instances are granted at run-time.
Nurse Physician Technician Physician

36. Delegation of Tasks
36
Initially assigned user is not available to complete the task
Supervisor can delegate task to another junior user in the same hierarchy
Access rights revoked once the task is completed
Alice Check Patient Josh
Task Instance
Physician
(Alice)
Physician
(Bob)
Senior
Physician
(Jan)
Bob Check Patient Josh
Task Instance
Jan can delegate task to Bob

37. Spatial and Temporal Constraints
• Accessed from anywhere and at anytime
– User’s location and time is taken into
consideration for granting access to a task
37
Family Practice
Physician
Nurse
Location
Constraint
(Reno Office)
Time
Constraint
(8 - 5)
Tasks

38. Passive and Active Access Control
38
Start
Do
Physical
Exam (T1)
Check
Patient
(T2)
Perform
Lab Test
(T3)
View Lab
Results
(T4)
Write
Prescription
(T5)
Refer
another
specialist
(T6)
End
Workflow
Physician Write
Prescription
View Current
Patient List
File 2
File 1
Read
Write
Passive Access
Active Access

39. Classification of Tasks
Non-Inheritable Inheritable
Passive Access Control Private Supervision
Active Access control Workflow Approval
39
Class
Private
Class
Supervision
Start
Do
Physical
Exam (T1)
Check
Patient
(T2)
Perform
Lab Test
(T3)
View Lab
Results
(T4)
Write
Prescription
(T5)
Refer
another
specialist
(T6)
End
View Current
Patient List
Family Practice
Physician
(Alice)
Senior
Physician
(Jan)
Workflow
Diagnosis
Details

40. Class Workflow
Class Approval
Classification of Tasks
40
Start
Do
Physical
Exam (T1)
Check
Patient
(T2)
Perform
Lab Test
(T3)
View Lab
Results
(T4)
Write
Prescription
(T5)
Refer
another
specialist
(T6)
End
Workflow
Check Patient
Family Practice
Physician
(Alice)
Senior
Physician
(Jan)
Physician
(Alice)
Physician
(Bob)
Senior
Physician
(Jan) Same Hierarchy

41. Functions and Roles for Banking Example
(a) Functions
and
Official
Positions

42. Functions and Roles for Banking Example
(b) Permission
Assignments

43. Functions and Roles for Banking Example
(c) Permission
Assignment
with
Inheritance

44. Example of Access Control Administration

45. Summary
• access control
– prevent unauthorized users from gaining access to resources
– prevent legitimate users from accessing resources in an unauthorized
manner
– enable legitimate users to access resources
– subjects, objects, access rights
– authentication, authorization, audit
• discretionary access controls (DAC)
– controls access based on identity
• mandatory access control (MAC)
– controls access based on security labels
• role-based access control (RBAC)
• controls access based on roles