Access control is designed to allow, deny, restrict, and revoke access to resources through identification, authentication, and authorization. When discussing data access management, we must first understand physical and logical access. Physical access refers to buildings, devices, and documents, while logical access refers to computer or system access.

Access Management Concepts

Let’s take a closer look at the security and identity management concepts that are included in some identity management association certification programs and exams.

Identification

Identification is a way of ensuring that a subject (user, program, or process) is the entity it claims to be.

Authentication

Authentication is the process of verifying identity by comparing the credentials provided by an entity with the entity information stored on the system.

Authorization

Authorization occurs after the identification and authentication of entities to determine what actions they are allowed to perform. Authorization is achieved through the use of access control.

Principle of least privilege

The principle of least privilege states that an entity, whether a user, device, account, or process, should be granted only the minimal access it needs to perform its intended function. The concept also applies to computer services, which through careless programming may be granted more access and functionality than they need in order to run.

Separation of duties

The principle of separation of duties is the practice of dividing responsibilities and authority between business departments and the people who operate them. Its main aim is to prevent abuse and fraud by requiring two people to complete a task. For example, to secure online money transfers, the system might require two people to log in and approve the transaction.
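The two-person approval described above, as an added example (not code from the original article): a transfer is executable only after two distinct approvers, neither of whom is the initiator, have signed off. The `Transfer` class and the `REQUIRED_APPROVALS` threshold are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed policy value: how many distinct approvers a transfer needs.
REQUIRED_APPROVALS = 2


@dataclass
class Transfer:
    """A pending money transfer (hypothetical record, not a real banking API)."""
    initiator: str
    amount: int
    approvals: set = field(default_factory=set)


def approve(transfer: Transfer, approver: str) -> bool:
    """Record one approval and report whether the transfer may now execute.

    Separation of duties is enforced in two places: the initiator may never
    approve their own transfer, and approvals are kept in a set so that one
    person approving twice still counts as a single approval.
    """
    if approver == transfer.initiator:
        raise PermissionError("initiator may not approve their own transfer")
    transfer.approvals.add(approver)
    return can_execute(transfer)


def can_execute(transfer: Transfer) -> bool:
    """True once enough distinct people other than the initiator have approved."""
    independent = transfer.approvals - {transfer.initiator}
    return len(independent) >= REQUIRED_APPROVALS


if __name__ == "__main__":
    t = Transfer(initiator="alice", amount=5000)
    print(approve(t, "bob"))    # False: one approval so far
    print(approve(t, "bob"))    # False: same person, still one approval
    print(approve(t, "carol"))  # True: two distinct approvers
```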

Access control list

An access control list (ACL) is a list, usually attached to an object in a computer file system, that assigns permissions to subjects. ACLs specify which users or system processes are granted access to objects and which operations are allowed on them. Each entry in a typical ACL names a subject and an operation. For example, if a file object has an ACL containing (Alice: read, write; Bob: read), Alice may read and write the file while Bob may only read it.

Capability

Whereas ACLs define permissions for a given identity, capability-based access provides an alternative way to grant access based solely on what we have (such as a token, pass, or password). In a capability-based system, applications can share tokens that define their access levels with other applications.

Access control method

Access control methods grant access based on what we know, what we have, and what we are.

For example, what we know is a password or token, what we have is a pass, and what we are is a fingerprint or other biometric data.

Access control model

Common access control models include discretionary access control, mandatory access control, role-based access control, and attribute-based access control.

Discretionary access control

Discretionary Access Control (DAC) is an access control model in which access permissions are determined by the owner of the target resource. The owner can decide who has access and what access they have.
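The ACL example from the "Access control list" section above, combined with the DAC rule that only the owner may change an object's permissions, as an added example that is not code from the original article. `FileObject`, `AclEntry`, the file name and the subjects are all constructed for the illustration; the point is the default-deny lookup and the owner check on `grant`.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: a subject and the set of operations it is granted."""
    subject: str
    operations: frozenset


@dataclass
class FileObject:
    """A file-like object with an owner and an ACL (constructed, not a real FS API)."""
    name: str
    owner: str
    acl: list = field(default_factory=list)

    def permitted_ops(self, subject: str) -> frozenset:
        """Union of the operations granted to `subject` by every matching entry."""
        ops = set()
        for entry in self.acl:
            if entry.subject == subject:
                ops |= entry.operations
        return frozenset(ops)

    def is_allowed(self, subject: str, operation: str) -> bool:
        """Default deny: a subject with no entry, or an operation not listed, gets nothing."""
        return operation in self.permitted_ops(subject)

    def grant(self, actor: str, subject: str, operations) -> None:
        """DAC rule: only the object's owner may extend its ACL."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.acl.append(AclEntry(subject, frozenset(operations)))


def build_example() -> FileObject:
    """The article's ACL: Alice may read and write, Bob may only read."""
    f = FileObject("report.txt", owner="alice")
    f.acl = [
        AclEntry("alice", frozenset({"read", "write"})),
        AclEntry("bob", frozenset({"read"})),
    ]
    return f


if __name__ == "__main__":
    f = build_example()
    for subject, op in [("alice", "write"), ("bob", "read"), ("bob", "write"), ("carol", "read")]:
        print(f"{subject} {op} -> {'allow' if f.is_allowed(subject, op) else 'deny'}")
    f.grant("alice", "carol", {"read"})  # the owner extends the ACL
    print("carol read ->", f.is_allowed("carol", "read"))
```

Running the block prints allow for Alice's write and Bob's read, deny for Bob's write and for Carol (who has no entry), and allow for Carol only after the owner grants it; an attempt by Bob to call `grant` raises `PermissionError`.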

Mandatory access control

Mandatory Access Control (MAC) is an access control model in which the owner of a resource does not determine who has access to it; instead, the organization or individual with authority over the resource decides who has access. MAC implementations are common in government organizations, where access to a given resource is largely determined by:

  • sensitivity labels applied to the data (secret, top secret, etc.),
  • the level of sensitive information the individual is cleared to access, and
  • the principle of least privilege: whether the individual really needs to access the resource.

Role-based access control

Role-Based Access Control (RBAC) is an access control model. Like MAC, RBAC sets access through centrally assigned permissions rather than through resource owners. The difference is that in RBAC, access is based on the roles of the individuals accessing the resources.

Attribute-based access control

Attribute-Based Access Control (ABAC) grants access based on attributes. These attributes can belong to a particular subject, resource, or environment: for example, a subject attribute (the height of a person in an amusement park), a resource attribute (software that only runs on a particular operating system or website), or an environmental attribute (the time of day, or how long an activity has been running).

Military and government organizations may use multilevel access control models, because the simple access control models just discussed may not be enough to protect the information whose access we control.
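The three non-owner-driven models above (MAC, RBAC and ABAC) side by side, as an added example that is not code from the original article. The sensitivity levels, compartments, roles, permissions, users and ABAC rules are all constructed sample data. The MAC check models the two criteria the article lists for government MAC: the clearance level must dominate the data's label, and the need-to-know is expressed as compartments the subject must hold; every decision function is default deny.

```python
# ---------------------------------------------------------------------------
# MAC: ordered sensitivity levels plus compartments (need-to-know categories).
# A subject may read an object only if its clearance level is at least the
# object's level AND it holds every compartment on the object. The object's
# owner plays no part in the decision.
# ---------------------------------------------------------------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(clearance_level, clearance_compartments, label_level, label_compartments):
    """True if the subject's clearance dominates the object's label."""
    level_ok = LEVELS[clearance_level] >= LEVELS[label_level]
    need_to_know_ok = set(label_compartments) <= set(clearance_compartments)
    return level_ok and need_to_know_ok


# ---------------------------------------------------------------------------
# RBAC: permissions attach to roles and users are assigned roles; a user
# never receives a permission directly. Constructed sample data.
# ---------------------------------------------------------------------------
ROLE_PERMISSIONS = {
    "auditor":    {"ledger:read"},
    "accountant": {"ledger:read", "ledger:write"},
    "admin":      {"ledger:read", "ledger:write", "ledger:delete"},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"auditor"}}


def rbac_can(user, permission):
    """True if any role held by the user carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# ---------------------------------------------------------------------------
# ABAC: each rule is a predicate over subject, resource and environment
# attributes (plain dicts here). Access is allowed only if every rule holds.
# ---------------------------------------------------------------------------
def same_department(subject, resource, env):
    """Subject attribute must match a resource attribute."""
    return subject.get("department") == resource.get("department")


def business_hours(subject, resource, env):
    """Environmental attribute: hour of day (0-23) within 08:00-17:59."""
    return 8 <= env.get("hour", -1) < 18


def restricted_requires_clearance(subject, resource, env):
    """Resource attribute 'restricted' demands the subject attribute cleared=True."""
    return resource.get("classification") != "restricted" or subject.get("cleared", False)


ABAC_RULES = [same_department, business_hours, restricted_requires_clearance]


def abac_decide(subject, resource, env):
    """Default deny: allow only when all rules are satisfied."""
    return all(rule(subject, resource, env) for rule in ABAC_RULES)


if __name__ == "__main__":
    print(mac_can_read("secret", {"crypto"}, "secret", {"crypto"}))        # True
    print(mac_can_read("top secret", set(), "confidential", {"crypto"}))   # False: missing compartment
    print(rbac_can("bob", "ledger:write"))                                 # False: auditor is read-only
    print(abac_decide({"department": "finance", "cleared": False},
                      {"department": "finance", "classification": "internal"},
                      {"hour": 10}))                                       # True
```

The second MAC call shows why the level alone is not enough: a top-secret clearance still cannot read confidential data filed under a compartment the subject does not hold, which is the need-to-know criterion from the list above.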

Physical access control

When discussing physical access control, we usually focus on personal, device, and vehicle access control.

Personal access control usually revolves around controlling individuals' access to buildings or facilities. Many buildings implement such controls in the form of passes that govern access to the facility. Such passes are typically configured on ACLs that allow or deny which doors they may open and specify the times of day when they may be used.

Physical access control for vehicles usually revolves around preventing vehicles from entering restricted areas.

Tailgating

One of the most common problems with physical access control is tailgating. When we authenticate to a physical access control (for example, by using a pass), another person can simply follow us through without authenticating themselves.

Article source: www.identitymanagementinstitute.org/access-cont…

About us

“Longgui Technology” is an enterprise-level information service provider focused on low-code enablement. Its core founding team came from Green Alliance Security, Red Hat (open source operating systems), the well-known game company Playing Crab Technology, well-known open source communities, and other expert backgrounds.

“Longgui Technology” is committed to enabling every enterprise in China to have its own automated office operating system, helping enterprises and governments embrace a Cloud Native First strategy, and helping customers build a modern IT infrastructure centered on “identity and application”, so as to realize “digital transformation” and the “industrialization of software production”.

Main products: ArkOS, the ARK operating system, is an enterprise-level office automation operating system combined with a self-developed low-code application development platform. It aims to build an industrial ecosystem and an integrated full-stack cloud-native platform for all kinds of enterprises and organizations. Built-in system applications include ArkID unified identity authentication, ArkIDE, ArkPlatform, the App Store, and other products. To date, the company has obtained 15 software copyrights and 2 invention patents, and in November 2020 received the Beijing Haidian District Zhongguancun National High-Tech Enterprise certification.

Related links:

Website: www.longguikeji.com/

Documents: docs.arkid.longguikeji.com/

Open source code repositories:

github.com/longguikeji

gitee.com/longguikeji

Article history

  1. The landing wheel? You’re still building it?
  2. Enterprise single sign-on – foundation of information system construction
  3. Are you ready for telecommuting?
  4. Enterprise informatization, how to count?
  5. Longgui Technology | some speculation about the future
  6. Longgui Technology | the future of enterprise office automation
  7. Longgui Technology | bringing software costs down