![]() The MAC model is usually used in environments where confidentiality is of utmost importance, such as a military institution.An access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system. For example, if a user has a security clearance of secret, and he requests a data object with a security classification of top secret, then the user will be denied access because his clearance is lower than the classification of the object. ![]() When the system is making an access control decision, it tries to match the clearance of the subject with the classification of the object. The clearance and classification data are stored in the security labels, which are bound to the specific subjects and objects. Subjects are given a security clearance (secret, top secret, confidential, etc.), and data objects are given a security classification (secret, top secret, confidential, etc.). The MAC model is based on security labels. MAC: In mandatory access control (MAC), the system (and not the users) specifies which subjects can access specific data objects. In these operating systems, when you create a file, you decide what access privileges you want to give to other users when they access your file, the operating system will make the access control decision based on the access privileges you created. Most operating systems such as all Windows, Linux, and Macintosh and most flavors of Unix are based on DAC models. ĭAC: In discretionary access control (DAC), the owner of the object specifies which subjects can access the object. So in the case of MAC the decision is in the hands of the Architects and they make sure the file goes to the right hands. What if the owner decides to grant access to people to whom the access shouldn't be given. MAC is more secure in big companies because the whole security of the company lies in the hands of the owner of the file if they implement DAC. So you are the owner of the file only if the superuser has not changed the ownership to someone else*** The superuser can change the ownership of your file. And in Discretionary access control, the owners of the files have their OWN "discretion" as to select the users to which access can be given and not given. ![]() When you create a file, you are the owner of that file. ĭiscretionary access control is downright simple. As per the rule I mentioned, Natasha will be able to access only files under /etc which have levels lower than her level. Now assume files under /var have level A and files under /etc/ have level C. Now Subjects having level C will be able to access only the objects having security levels less than C Assume Natasha has security level B. ![]() Now Subjects having level B will be able to access only the objects having security levels less than B. ![]() Now Subjects having level A will be able to access only the objects having security levels less than A. Time for an example :- Assume there are three security levels. Each object and subject in that domain is given a "Security Level ". In the further discussions, users will be addressed as Subjects and the resources would be addressed as Objects. But how do they grant access ? This is where Levels come into action. Mandatory access control : The Access control system only allows users who have already been given a clearance level to access the resource they intend to. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |