There are various access control models, each with a specific intent and purpose. Determining the ideal model for an application can help ensure proper authorization to application resources. Each of the primary models will be covered, including the MAC, DAC, RBAC, and ABAC access control models. Examples, challenges, and benefits of each will be discussed to provide further insight into which solution may best serve an application. Application sensitivity, regulations, and privacy may drive which model is selected.
3. About Mark Niebergall
▪ PHP since 2005
▪ MS degree in MIS
▪ Senior Software Engineer
▪ UPHPU President
▪ SSCP, CSSLP Certified and SME
▪ Drones, fishing, skiing, father, husband
56. MAC

Subject | Security Level
Alice | Top Secret
Bob | Secret
Clara | Confidential

Object | Label
Report | Top Secret
Finance | Secret
Customer | Confidential

Level | Name
1 | Top Secret
2 | Secret
57. MAC

Subject: Security Level \ Object: Label | Report: Top Secret | Finance: Secret | Customer: Confidential
Alice: Top Secret | Allow | Allow | Allow
Bob: Secret | Deny | Allow | Allow
Clara: Confidential | Deny | Deny | Allow
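58. MAC
-- Column names follow the Subject/Security Level and Object/Label tables.
-- Lower level number = higher classification (1 = Top Secret, 2 = Secret).
-- A row is returned only when the subject's level dominates the resource's label.
SELECT s.security_level
FROM subject s
JOIN security_level sl_s
  ON sl_s.name = s.security_level
JOIN resource r
  ON r.resource = 'Report'
JOIN security_level sl_r
  ON sl_r.name = r.label
  AND sl_r.level >= sl_s.level
WHERE s.subject = 'Alice'
LIMIT 1;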
59. MAC
$accessControl = new Mac;
$topSecret = new Level('Top Secret');
$secret = new Level('Secret');
$alice = new User('Alice');
$bob = new User('Bob');
$finances = new Resource('Finances');
// Register the levels with their rank (1 is the highest classification)
$accessControl->addLevel($topSecret, 1)
    ->addLevel($secret, 2);
// Assign each user a security level
$accessControl->addUser($alice, $topSecret)
    ->addUser($bob, $secret);
// Label the resource
$accessControl->addResource($finances, $secret);
// Alice holds Top Secret; the resource is labelled Secret
$accessControl->isAllowed($alice, $finances);
70. RBAC

Subject | Role
Alice | Accounting
Alice | Orders
Bob | Payroll
Clara | Orders
Clara | Reporting

Role | Resource
Accounting | Finance
Accounting | Reports
Orders | Inventory
Orders | Shipments
Payroll | Finance
71. RBAC
-- role_resource maps roles to resources (it has no subject column),
-- so the join from subject_role is on role only.
SELECT sr.subject, rr.resource
FROM subject_role sr
JOIN role_resource rr
  ON rr.role = sr.role
WHERE sr.subject = 'Alice'
  AND rr.resource = 'Reports'
LIMIT 1;
72. RBAC
$accessControl = new Rbac;
$accounting = new Role('Accounting');
$ordering = new Role('Ordering');
$alice = new User('Alice');
$bob = new User('Bob');
$inventory = new Resource('Inventory');
// Register roles, users and resources
$accessControl->addRole($accounting)
    ->addRole($ordering);
$accessControl->addUser($alice)
    ->addUser($bob);
$accessControl->addResource($inventory);
// Wire users and resources to roles
$accessControl->addUserToRole($alice, $accounting);
$accessControl->addResourceToRole($inventory, $ordering);
// Alice was added to Accounting only
$accessControl->isAllowed($alice, $ordering);
// Bob was not added to any role
$accessControl->isAllowed($bob, $inventory);
84. ABAC

Subject | Action | Environment | Resource | Access
Manager | Create | Region A | Customer | Allow
Manager | Update | Region B | Customer | Deny
Data Entry | Create | Region A, Any Hour | Customer | Allow
Data Entry | Create | Region B, Day Shift | Customer | Allow
Data Entry | Create | Region B, After hours | Customer | Deny
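The ABAC policy table above, evaluated in PHP as an added example that is not from the original slides. The `isAllowed()` and `shiftAt()` functions, the `*` wildcard, the 08:00 to 18:00 day shift, treating the Manager rows as any hour, and the deny-overrides/default-deny combining are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Rules transcribed from the slide's table. '*' is a wildcard added here
// for "Any Hour"; Manager rows list no hour and are assumed to mean any hour.
const RULES = [
    // subject,     action,   region,     shift,         resource,   effect
    ['Manager',    'Create', 'Region A', '*',           'Customer', 'Allow'],
    ['Manager',    'Update', 'Region B', '*',           'Customer', 'Deny'],
    ['Data Entry', 'Create', 'Region A', '*',           'Customer', 'Allow'],
    ['Data Entry', 'Create', 'Region B', 'Day Shift',   'Customer', 'Allow'],
    ['Data Entry', 'Create', 'Region B', 'After hours', 'Customer', 'Deny'],
];

// Environment attribute derived from the server clock, never from client
// input. The shift boundaries are an assumption for this example.
function shiftAt(DateTimeImmutable $now): string
{
    $hour = (int) $now->format('G');
    return ($hour >= 8 && $hour < 18) ? 'Day Shift' : 'After hours';
}

// Deny-overrides with default deny: any matching Deny rule wins, and a
// request that matches no Allow rule is refused.
function isAllowed(array $request): bool
{
    $allowed = false;
    foreach (RULES as [$subject, $action, $region, $shift, $resource, $effect]) {
        $rule = compact('subject', 'action', 'region', 'shift', 'resource');
        foreach ($rule as $attribute => $expected) {
            if ($expected !== '*' && ($request[$attribute] ?? null) !== $expected) {
                continue 2; // attribute mismatch or missing: rule does not apply
            }
        }
        if ($effect === 'Deny') {
            return false;
        }
        $allowed = true;
    }
    return $allowed;
}

// Constructed sample requests: the same user and action at two times of day.
$request = ['subject' => 'Data Entry', 'action' => 'Create',
            'region' => 'Region B', 'resource' => 'Customer'];
foreach (['2024-03-04 10:30', '2024-03-04 22:15'] as $when) {
    $request['shift'] = shiftAt(new DateTimeImmutable($when));
    printf("%s (%s): %s\n", $when, $request['shift'], isAllowed($request) ? 'Allow' : 'Deny');
}
```

A combination the table does not list, such as a Manager deleting a customer, matches no rule and is refused by the default deny.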
104. Review
DAC: simple, high overhead, ACL
MAC: user and resource classification
RBAC: most common, role driven, smaller overhead
ABAC: most advanced, policy driven