Access Control Fundamentals: Types, Policies, and Implementation

Access control is a cornerstone of modern computer security, ensuring that users can only interact with resources they are authorized to access. This article delves into the motivation behind access control, key access modes, Unix and Windows mechanisms, and various access control policies and implementations.


Why Use Access Control?

Access control is vital for system security as it prevents unauthorized access to resources. Without it, systems could become unstable, and attackers might exploit vulnerabilities. The primary goals of access control include:

  • Protecting sensitive data.
  • Preventing misuse of resources.
  • Ensuring stable system operations.

Access Modes: Read, Write, and Execute

Most operating systems support three primary modes for interacting with objects (e.g., files and directories):

  1. Read Access: Information flows from the object to the user.
  2. Write Access: Information flows from the user to the object.
  3. Execute Access: Allows users to execute files or use directories without explicitly reading or writing them.

Unix Permissions for Access Modes:

  • To execute a file: read and execute permissions are needed.
  • To enter a directory: execute permission is required.
  • To create files in a directory: write and execute permissions are necessary.

For example, scripts (e.g., Python or Bash files) can be executed directly, while plain text files must first be converted into executables before they can be run.


Users, Groups, and Identifiers in Unix

Unix uses user identifiers (UIDs) and group identifiers (GIDs) to manage access control:

  • UID 0 is assigned to the root user (superuser), who has administrative privileges.
  • Other UIDs and GIDs help group users for convenient access management.
  • System-related UIDs (1–999) and human user UIDs (≥1000) are standardized for organized access control.

The /etc/passwd file maps usernames to UIDs, while the /etc/shadow file securely stores passwords.
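
The permission requirements listed under "Unix Permissions for Access Modes" and the UID/GID model above can be combined into one decision function. The following is an added example, not code from the original article: the names Obj, class_bits and allowed and all sample objects are hypothetical. It assumes standard Unix behaviour the article does not spell out (exactly one of the owner, group or other triplets applies, and root still needs an x bit to execute a file) and ignores ACLs and MAC layers.

```python
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1
# Permission bits each operation needs, as listed in the article.
NEEDED = {
    "execute_file": R | X,    # run a file: read + execute
    "enter_dir": X,           # enter (traverse) a directory
    "create_in_dir": W | X,   # create a file in a directory
}

@dataclass
class Obj:                    # hypothetical stand-in for os.stat() output
    mode: int                 # st_mode-style value, e.g. S_IFREG | 0o750
    uid: int                  # owning UID
    gid: int                  # owning GID

def class_bits(obj, uid, gids):
    """Select one rwx triplet: owner, else group, else other (no fall-through)."""
    perms = stat.S_IMODE(obj.mode)
    if uid == obj.uid:
        return (perms >> 6) & 7
    if obj.gid in gids:
        return (perms >> 3) & 7
    return perms & 7

def allowed(op, obj, uid, gids):
    """Would the kernel's classic permission check let uid/gids perform op?"""
    need = NEEDED[op]
    wants_dir = op != "execute_file"
    if wants_dir != stat.S_ISDIR(obj.mode):
        return False          # operation does not apply to this object type
    if uid == 0:
        # UID 0 bypasses rwx checks, but a file needs some x bit to be run.
        return wants_dir or bool(stat.S_IMODE(obj.mode) & 0o111)
    return (class_bits(obj, uid, gids) & need) == need

# Constructed sample objects (not taken from any real system).
SCRIPT = Obj(stat.S_IFREG | 0o750, uid=1000, gid=1000)  # rwxr-x---
SHARED = Obj(stat.S_IFDIR | 0o775, uid=1000, gid=2000)  # rwxrwxr-x
LOCKED = Obj(stat.S_IFREG | 0o077, uid=1000, gid=1000)  # ---rwxrwx
DATA = Obj(stat.S_IFREG | 0o644, uid=1000, gid=1000)    # rw-r--r--

if __name__ == "__main__":
    users = [("owner", 1000, {1000}), ("other", 1002, {3000}), ("root", 0, {0})]
    for who, uid, gids in users:
        print(who, "run SCRIPT:", allowed("execute_file", SCRIPT, uid, gids),
              "| run LOCKED:", allowed("execute_file", LOCKED, uid, gids),
              "| create in SHARED:", allowed("create_in_dir", SHARED, uid, gids))
```

The LOCKED case is the one to watch for when auditing: the owner is denied even though group and other are granted everything, because only the first matching class is consulted.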


Access Rights and Object Types

Access rights define how users can interact with objects, and their interpretation depends on the operating system:

  • Multics OS: Includes append (write-only) access.
  • Unix: Differentiates between programs and directories for execution.
  • Windows: Treats everything as an object, with access rights determined by the object class.

Access Control Policies

Access control systems enforce policies to manage access effectively:

  1. Discretionary Access Control (DAC):
    • Based on resource ownership and user identities.
    • Common in Unix and commercial systems.
  2. Mandatory Access Control (MAC):
    • Enforces policies independent of user identities.
    • Widely used in government and military environments.
  3. Role-Based Access Control (RBAC):
    • Grants permissions based on organizational roles.
  4. Rule-Based Access Control:
    • Applies rules (e.g., time-based access) to determine permissions.
  5. Attribute-Based Access Control (ABAC):
    • Uses properties like location or device type to define access rights.

Delegation in Access Control

Delegation allows a process to temporarily perform actions on behalf of another process.

  • Unix: Achieved via the sudo command, logging all activities for accountability.
  • Windows: Implements delegation through impersonation techniques.

Temporal and Contextual Access Control Types

Access control mechanisms can be categorized by their purpose and timing:

  1. Preventative Controls: Block unauthorized activities (e.g., firewalls, antivirus).
  2. Deterrent Controls: Discourage violations (e.g., visible security cameras).
  3. Detective Controls: Identify breaches (e.g., motion detectors, audit logs).
  4. Corrective Controls: Restore systems after violations (e.g., intrusion detection systems).
  5. Recovery Controls: Repair damage and prevent further issues (e.g., system backups).

Administrative, Logical, and Physical Access Controls

  1. Administrative Controls:
    • Policies and procedures to enforce access (e.g., security training, access control lists).
  2. Logical Controls:
    • Software or hardware mechanisms (e.g., passwords, encryption).
  3. Physical Controls:
    • Barriers to prevent direct access (e.g., fences, locked doors).

Conclusion

Access control is a critical element of system security. By combining discretionary and mandatory policies with various access control mechanisms, modern operating systems like Unix and Windows provide robust protection for resources. Understanding these concepts enables organizations to secure their systems effectively while allowing flexibility in user interactions.
