Thursday, August 23, 2012

3 Access Control Policies That Can Be Incorporated In A Database


Access control policies typically fall into three classifications. The first is Discretionary Access Control (DAC), sometimes described as a "need-to-know" access model. It controls access based on the identity of the entity trying to access resources and on authorizations that specify which queries that entity can perform. So why is this policy called discretionary? Because an entity's rules may allow it to let another entity access some type of resource.

The second policy is known as Mandatory Access Control (MAC). Here, unlike in the DAC policy, an entity that has privileges to access specified resources is bound by a mandatory rule: it cannot permit another entity to access those resources.

Finally, there is what is known as Role Based Access Control (RBAC). The meaning is implied in the name: access is controlled by the roles given to entities on or within the system, and by what accesses their granted roles permit.

One thing to note is that an entity is not necessarily limited to a single approach; the approaches can be interlinked as well.

When implementing access controls, make sure to: use reliable input; apply the least privilege principle; enforce separation of duties; regulate access at the level of individual records in files, or of fields within records; control each access by an entity individually, as opposed to a bunch of sequential requests; utilize open and closed policies; avoid conflicting policies on a given class of resources; and, finally, make use of administrative policies governing who can add, delete or modify authorization rules.
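The DAC and RBAC models above, together with the closed-policy, field-level, record-level and administrative recommendations, shown as an added example that is not from the original post. It assumes PostgreSQL syntax and a superuser session; every role and table name is hypothetical.

```sql
-- Constructed example for PostgreSQL, run as a superuser.
-- alice, bob, carol, hr_reader and salaries are hypothetical names.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
CREATE ROLE carol LOGIN;
CREATE ROLE hr_reader NOLOGIN;          -- a role, not a person

CREATE TABLE salaries (
    employee text PRIMARY KEY,          -- holds the owner's role name
    dept     text NOT NULL,
    amount   numeric NOT NULL
);

-- Closed policy: nothing is allowed unless a rule below grants it.
REVOKE ALL ON salaries FROM PUBLIC;

-- DAC: alice may read, and may pass that right on at her discretion.
GRANT SELECT ON salaries TO alice WITH GRANT OPTION;
SET ROLE alice;
GRANT SELECT ON salaries TO bob;        -- alice delegates to bob
RESET ROLE;

-- Administrative policy: take the delegation right back. CASCADE also
-- revokes the privileges alice handed out while she held it.
REVOKE GRANT OPTION FOR SELECT ON salaries FROM alice CASCADE;

-- RBAC with field-level control: the role sees two columns only,
-- and carol gets access by being given the role.
GRANT SELECT (employee, dept) ON salaries TO hr_reader;
GRANT hr_reader TO carol;

-- Record-level control: once row security is on, a row is visible only
-- if some policy admits it.
ALTER TABLE salaries ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_row ON salaries FOR SELECT
    USING (employee = current_user);    -- everyone: own record only
CREATE POLICY hr_all_rows ON salaries FOR SELECT TO hr_reader
    USING (true);                       -- role members: every record

-- Audit the resulting rules for individual users.
SELECT has_table_privilege('bob', 'salaries', 'SELECT') AS bob_table_select,
       has_column_privilege('carol', 'salaries', 'amount', 'SELECT') AS carol_amount;
```

Nothing in this block is MAC: privileges handed out with GRANT are discretionary or role-based.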
