Access Control UNICAM
UNICAM AC Partial 2
UNICAM AC Partial 2
Set of flashcards Details
| Flashcards | 71 |
|---|---|
| Language | English |
| Category | Computer Science |
| Level | University |
| Created / Updated | 04.12.2021 / 04.12.2021 |
| Weblink |
https://card2brain.ch/box/20211204_access_control_unicam
|
| Embed |
<iframe src="https://card2brain.ch/box/20211204_access_control_unicam/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
|
Create or copy sets of flashcards
With an upgrade you can create or copy an unlimited number of sets and use many more additional features.
Log in to see all the cards.
In RBAC a role is defined by
- A collection of procedures.
- A user assigned to a role can execute the procedures defined for that role
- A user can have multiple role and more than one user can have the same role
in RBAC a Procedures is defined as?
- High-level access control methods with a more complex semantic than read or write
- Can only be applied to objects of certain data types -> consider a funds transport between two bank accounts
in RBAC data types are defined as ?
- Each object is of a certain data type
- Can only be accessed through procedures which are defined for this kind of data type
Controlling access to an object by restricting the procedures that may access this object is a general programming practice. It is a fundamental concept in the theory of abstract data types
If we talk about inheritance in RBAC what do we define by that?
Inheritance of Child Roles Permissions in Parent -> Teacher can do what a student can do + extra power
The least privilege principle - what does it suggest in which context?
RBAC - The least privilege principle suggests that only roles necessary for the current task should be activated
How can we structure roles ?
By hirarchy
Tasks exist, where the execution must be performed by distinct user - how do we call this principle?
Seperation of Duties
What do we understand under static seperation of duties
- The roles may be assigned to a user are fixed and have to take into account separation of duties requirement
- A user can either issue an order or approve a payment
What do we understand under dynamic seperation of duties
- Roles may be assigned to a user depend on the current task
- A user who has issued a particular purchase may not approve payment for that specific order but for other order he did not issue the purchase
What are Flat RBAC's
user are assigned to roles,
permissions to role,
users get permissions via role
What is Hierachical RBAC
Add support for role hierarchies. Teacher Role can be defined as senior to teaching assistant
Constrained RBAC
adds support for seperation of duties
a rule that sutdents cannot be teaching assistand on a course they are taking
What are Protection Rings?
PR’s are simple example of an intermediate layer of hardware based access control for subjects and objects
Unix uses Protections rings how?
- Unix uses two levels with root and operating system running in ring 0 and user processes running in 3
What is Policy instantiation?
When developing software, you rarely will be in position to know your eventual users. This means policies cannot refer to specific user identities but can perhaps refer to generic placeholder principals such as Teach and Student.
Why do we need Access Control - whats is the purpose?
We need a language for expressing our intended access control policies together wit a mechanism to enforce this access control behavior.We need a language for expressing our intended access control policies together wit a mechanism to enforce this access control behavior.
What do we need to consider for shared data in terms of security?
- Integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire life cycle.
- Confidentiality deals with protecting against the disclosure of information by ensuring that the data is limited to those authorized
Basic Terminology for AC
How do we call the active entity?
Subject or Principal
Basic Terminology for AC
How do we call the passive entity?
Object
Basic Terminology for AC
How do we call the process?
Access Operation
Basic Terminology for AC
How do we call logic behind AC?
Reference Monitor
What does the subject do in AC?
Performs an operation - wants to access something
What are Object examples?
Files, folders, printers, memory
What does the reference monitor do?
Acts as a guard and grants or denies access
What is Identity-based access Cotnrol?
Traditional Security - Policy refers to human users ->most common in OS
Is there a difference between subject and principial?
Principals are the real users identity
Subjects operate on behalf of human users we call princiapls -> subjects are bound to principals
To identify a Subject in identiy based access control - A subject name must be?
Globally Unique
Readable
Meamorable
Do Subjects have to be bound to principals?
Do Prinicpals need to represent human users or attributes of human users?
What is the reference monitor doing?
Checks whether the principal that is bound to the subject has the right to access the object
-
- 1 / 71
-
