search

Which of the following is an access control that is based on a specific job roles or functions?

1 Jahrs vor
Kommentare: 0
Ansichten: 47

A. Mandatory access control
B. Discretionary access control
C. Role-based access control
D. Rule-based access control

Show

Answer: C
Explanation: Role-based access control is based on specific job roles or functions.

In computer systems security, role-based access control (RBAC)[1][2] or role-based security[3] is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control (DAC).

Role-based access control is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments. A study by NIST has demonstrated that RBAC addresses many needs of commercial and government organizations.[4] RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions. Although RBAC is different from MAC and DAC access control frameworks, it can enforce these policies without any complication.

Design[edit]

Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.

Role based access control interference is a relatively new issue in security applications, where multiple user accounts with dynamic access levels may lead to encryption key instability, allowing an outside user to exploit the weakness for unauthorized access. Key sharing applications within dynamic virtualized environments have shown some success in addressing this problem.[5]

Three primary rules are defined for RBAC:

  1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
  2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
  3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.

Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles.

With the concepts of role hierarchy and constraints, one can control RBAC to create or simulate lattice-based access control (LBAC). Thus RBAC can be considered to be a superset of LBAC.

When defining an RBAC model, the following conventions are useful:

  • S = Subject = A person or automated agent
  • R = Role = Job function or title which defines an authority level
  • P = Permissions = An approval of a mode of access to a resource
  • SE = Session = A mapping involving S, R and/or P
  • SA = Subject Assignment
  • PA = Permission Assignment
  • RH = Partially ordered Role Hierarchy. RH can also be written: ≥ (The notation: x ≥ y means that x inherits the permissions of y.)
    • A subject can have multiple roles.
    • A role can have multiple subjects.
    • A role can have many permissions.
    • A permission can be assigned to many roles.
    • An operation can be assigned to many permissions.
    • A permission can be assigned to many operations.

A constraint places a restrictive rule on the potential inheritance of permissions from opposing roles, thus it can be used to achieve appropriate separation of duties. For example, the same person should not be allowed to both create a login account and to authorize the account creation.

Thus, using set theory notation:

A subject may have multiple simultaneous sessions with/in different roles.

Which of the following is an access control that is based on a specific job roles or functions?

Standardized levels[edit]

The NIST/ANSI/INCITS RBAC standard (2004) recognizes three levels of RBAC:[6]

  1. core RBAC
  2. hierarchical RBAC, which adds support for inheritance between roles
  3. constrained RBAC, which adds separation of duties

Relation to other models[edit]

RBAC is a flexible access control technology whose flexibility allows it to implement DAC[7] or MAC.[8] DAC with groups (e.g., as implemented in POSIX file systems) can emulate RBAC.[9] MAC can simulate RBAC if the role graph is restricted to a tree rather than a partially ordered set.[10]

Prior to the development of RBAC, the Bell-LaPadula (BLP) model was synonymous with MAC and file system permissions were synonymous with DAC. These were considered to be the only known models for access control: if a model was not BLP, it was considered to be a DAC model, and vice versa. Research in the late 1990s demonstrated that RBAC falls in neither category.[11][12] Unlike context-based access control (CBAC), RBAC does not look at the message context (such as a connection's source). RBAC has also been criticized for leading to role explosion,[13] a problem in large enterprise systems which require access control of finer granularity than what RBAC can provide as roles are inherently assigned to operations and data types. In resemblance to CBAC, an Entity-Relationship Based Access Control (ERBAC, although the same acronym is also used for modified RBAC systems,[14] such as Extended Role-Based Access Control[15]) system is able to secure instances of data by considering their association to the executing subject.[16]

Comparing to ACL[edit]

Access control lists (ACLs) are used in traditional discretionary access-control (DAC) systems to affect low-level data-objects. RBAC differs from ACL in assigning permissions to operations which change the direct-relations between several entities (see: ACLg below). For example, an ACL could be used for granting or denying write access to a particular system file, but it wouldn't dictate how that file could be changed. In an RBAC-based system, an operation might be to 'create a credit account' transaction in a financial application or to 'populate a blood sugar level test' record in a medical application. A Role is thus a sequence of operations within a larger activity. RBAC has been shown to be particularly well suited to separation of duties (SoD) requirements, which ensure that two or more people must be involved in authorizing critical operations. Necessary and sufficient conditions for safety of SoD in RBAC have been analyzed. An underlying principle of SoD is that no individual should be able to effect a breach of security through dual privilege. By extension, no person may hold a role that exercises audit, control or review authority over another, concurrently held role.[17][18]

Then again, a "minimal RBAC Model", RBACm, can be compared with an ACL mechanism, ACLg, where only groups are permitted as entries in the ACL. Barkley (1997)[19] showed that RBACm and ACLg are equivalent.

In modern SQL implementations, like ACL of the CakePHP framework, ACLs also manage groups and inheritance in a hierarchy of groups. Under this aspect, specific "modern ACL" implementations can be compared with specific "modern RBAC" implementations, better than "old (file system) implementations".

For data interchange, and for "high level comparisons", ACL data can be translated to XACML.

Attribute-based access control[edit]

Attribute-based access control or ABAC is a model which evolves from RBAC to consider additional attributes in addition to roles and groups. In ABAC, it is possible to use attributes of:

  • the user e.g. citizenship, clearance,
  • the resource e.g. classification, department, owner,
  • the action, and
  • the context e.g. time, location, IP.

ABAC is policy-based in the sense that it uses policies rather than static permissions to define what is allowed or what is not allowed.

Use and availability[edit]

The use of RBAC to manage user privileges (computer permissions) within a single system or application is widely accepted as a best practice. A 2010 report prepared for NIST by the Research Triangle Institute analyzed the economic value of RBAC for enterprises, and estimated benefits per employee from reduced employee downtime, more efficient provisioning, and more efficient access control policy administration.[20]

In an organization with a heterogeneous IT infrastructure and requirements that span dozens or hundreds of systems and applications, using RBAC to manage sufficient roles and assign adequate role memberships becomes extremely complex without hierarchical creation of roles and privilege assignments.[21] Newer systems extend the older NIST RBAC model[22] to address the limitations of RBAC for enterprise-wide deployments. The NIST model was adopted as a standard by INCITS as ANSI/INCITS 359-2004. A discussion of some of the design choices for the NIST model has also been published.[23]

See also[edit]

  • Access control list
  • Attribute-based access control (ABAC)
  • Organisation-based access control (OrBAC)
  • RSBAC
  • Capability-based security
  • Location-based authentication
  • Risk-based authentication
  • AGDLP (Microsoft's recommendations for implementing RBAC)
  • Identity driven networking (IDN)
  • PERMIS
  • Classified information
  • Apache Fortress

References[edit]

  1. ^ Ferraiolo, D.F. & Kuhn, D.R. (October 1992). "Role-Based Access Control" (PDF). 15th National Computer Security Conference: 554–563.
  2. ^ Sandhu, R., Coyne, E.J., Feinstein, H.L. and Youman, C.E. (August 1996). "Role-Based Access Control Models" (PDF). IEEE Computer. 29 (2): 38–47. CiteSeerX 10.1.1.50.7649. doi:10.1109/2.485845.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  3. ^ ABREU, VILMAR; Santin, Altair O.; VIEGAS, EDUARDO K.; STIHLER, MAICON (2017). A multi-domain role activation model (PDF). ICC 2017 2017 IEEE International Conference on Communications. IEEE Press. pp. 1–6. doi:10.1109/ICC.2017.7997247. ISBN 978-1-4673-8999-0. S2CID 6185138.
  4. ^ Gilbert MD, Lynch N, Ferraiolo FD (1995). "An examination of federal and commercial access control policy needs". National Computer Security Conference, 1993 (16th) Proceedings: Information Systems Security: User Choices. DIANE Publishing. p. 107. ISBN 9780788119248.
  5. ^ Marikkannu, P (2011). "Fault-tolerant adaptive mobile agent system using dynamic role based access control". International Journal of Computer Applications. 20 (2): 1–6. Bibcode:2011IJCA...20b...1M. doi:10.5120/2409-3208.
  6. ^ Alberto Belussi; Barbara Catania; Eliseo Clementini; Elena Ferrari (2007). Spatial Data on the Web: Modeling and Management. Springer. p. 194. ISBN 978-3-540-69878-4.
  7. ^ Ravi Sandhu; Qamar Munawer (October 1998). "How to do discretionary access control using roles". 3rd ACM Workshop on Role-Based Access Control: 47–54.
  8. ^ Sylvia Osborn; Ravi Sandhu & Qamar Munawer (2000). "Configuring role-based access control to enforce mandatory and discretionary access control policies". ACM Transactions on Information and System Security: 85–106.
  9. ^ Brucker, Achim D.; Wolff, Burkhart (2005). "A Verification Approach for Applied System Security". International Journal on Software Tools for Technology (STTT). 7 (3): 233–247. doi:10.1007/s10009-004-0176-3. hdl:20.500.11850/52625. S2CID 6427232.
  10. ^ D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes". Proceedings of the third ACM workshop on Role-based access control - RBAC '98 (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32. CiteSeerX 10.1.1.55.4755. doi:10.1145/286884.286890. ISBN 978-1-58113-113-0. S2CID 1711956.
  11. ^ Editor, CSRC Content (2016-11-21). "Role Based Access Control – FAQs". csrc.nist.gov. Retrieved 15 August 2018.
  12. ^ (NIST), Author: David Ferraiolo; (NIST), Author: Richard Kuhn (1992-10-13). "Role-Based Access Controls" (PDF). csrc.nist.gov: 554–563. Retrieved 15 August 2018.
  13. ^ A. A. Elliott & G. S. Knight (2010). "Role Explosion: Acknowledging the Problem" (PDF). Proceedings of the 2010 International Conference on Software Engineering Research & Practice.
  14. ^ "ERBAC – Enterprise Role-Based Access Control (computing) – AcronymFinder". www.acronymfinder.com. Retrieved 15 August 2018.
  15. ^ "Dr. Bhavani Thuraisingham and Srinivasan Iyer (PPT)". Retrieved 15 August 2018.
  16. ^ Korhonen, Kalle. "tapestry-security-jpa". www.tynamo.org. Retrieved 15 August 2018.
  17. ^ D.R. Kuhn (1997). "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems" (PDF). 2nd ACM Workshop Role-Based Access Control: 23–30. doi:10.1145/266741.266749. ISBN 0897919858. S2CID 482687.
  18. ^ Ninghui Li, Ziad Bizri, and Mahesh V. Tripunitara . Tripunitara (2004). "On mutually exclusive roles and separation-of-duty" (PDF). 11th ACM Conference on Computer and Communications Security. CCS '04: 42–51. CiteSeerX 10.1.1.159.2556. doi:10.1145/1030083.1030091. ISBN 978-1581139617. S2CID 798546.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  19. ^ J. Barkley (1997) "Comparing simple role based access control models and access control lists", In "Proceedings of the second ACM workshop on Role-based access control", pages 127-132.
  20. ^ A.C. O'Connor & R.J. Loomis (March 2002). Economic Analysis of Role-Based Access Control (PDF). Research Triangle Institute. p. 145.
  21. ^ Systems, Hitachi ID. "Beyond Roles: A Practical Approach to Enterprise IAM". www.idsynch.com. Retrieved 15 August 2018.
  22. ^ Sandhu, R., Ferraiolo, D.F. and Kuhn, D.R. (July 2000). "The NIST Model for Role-Based Access Control: Toward a Unified Standard" (PDF). 5th ACM Workshop Role-Based Access Control: 47–63. doi:10.1145/344287.344301. S2CID 14539795.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  23. ^ Ferraiolo, D.F., Kuhn, D.R., and Sandhu, R. (Nov–Dec 2007). "RBAC Standard Rationale: comments on a Critique of the ANSI Standard on Role-Based Access Control" (PDF). IEEE Security & Privacy. 5 (6): 51–53. doi:10.1109/MSP.2007.173. S2CID 28140142. Archived from the original (PDF) on 2008-09-17.{{cite journal}}: CS1 maint: multiple names: authors list (link)

Further reading[edit]

  • David F. Ferraiolo; D. Richard Kuhn; Ramaswamy Chandramouli (2007). Role-based Access Control (2nd ed.). Artech House. ISBN 978-1-59693-113-8.
  • FAQ on RBAC models and standards
  • Role Based Access Controls at NIST
  • XACML core and hierarchical role based access control profile
  • Institute for Cyber Security at the University of Texas San Antonio
  • Practical experiences in implementing RBAC

Which of the following is an access control that is based on a specific job role or function?

3. Role-Based Access Control (RBAC) The Role-Based Access Control (RBAC) model provides access control based on the position an individual fills in an organization.

Which access control model that uses access based on a user's job function within an organization?

Role-based access control (RBAC) restricts network access based on a person's role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.

Which of the following best describes role based access control?

Which of the following best describes what role-based access control offers companies in reducing administrative burdens? A. It allows entities closer to the resources to make decisions about who can and cannot access resources.

What are access control methods?

Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC). DAC is a type of access control system that assigns access rights based on rules specified by users.

access control based specific job roles functions Access control policy

zusammenhängende Posts

What threat do insiders with authorized access to information or information systems pose?
What threat do insiders with authorized access to information or information systems pose?

Which device is used instead of a mouse on laptop computers to control the movement of the printer on the screen?
Which device is used instead of a mouse on laptop computers to control the movement of the printer on the screen?

Which theoretical perspective contends that people have a natural capacity to control their behavior?
Which theoretical perspective contends that people have a natural capacity to control their behavior?

If a resource or capability is ________ then no other firm, or very few firms, control it.
If a resource or capability is ________ then no other firm, or very few firms, control it.

In what ways did the British government seek to exert control over its American colonies in the 17th and 18th centuries?
In what ways did the British government seek to exert control over its American colonies in the 17th and 18th centuries?

What hormone helps the body control stress regulate metabolism and influence an immune response?
What hormone helps the body control stress regulate metabolism and influence an immune response?

What model consists of particular types of services that you can access on a cloud computing platform?
What model consists of particular types of services that you can access on a cloud computing platform?

Model consists of the particular types of services that you can access on a cloud computing platform
Model consists of the particular types of services that you can access on a cloud computing platform

Does Microsoft Access have told about relationships between tables group of answer choices?
Does Microsoft Access have told about relationships between tables group of answer choices?

What type of file access jumps directly to any piece of data in the file without reading the data that came before it?
What type of file access jumps directly to any piece of data in the file without reading the data that came before it?

Werbung

NEUESTEN NACHRICHTEN

Wie lange gilt man mit johnson als vollständig geimpft
1 Jahrs vor . durch CurlyDelicacy
Wie kann man Batterie in Prozent anzeigen iPhone 13?
1 Jahrs vor . durch StrickenMotto
Which of the following is considered effective for both upward and downward influence?
1 Jahrs vor . durch PreparedContentment
Which of the following statements is true regarding impression management IM techniques?
1 Jahrs vor . durch TiresomeMelodrama
Auf der grünen Wiese liegt der Theodor
1 Jahrs vor . durch GuidingCrossroads
In which of the following ways can effective communicators protect goodwill?
1 Jahrs vor . durch ExtremistConfiscation
Was ist der unterschied zwichen feil und richard
1 Jahrs vor . durch CloudlessAnnuity
In welchem Alter sterben die meisten Männer in Deutschland
1 Jahrs vor . durch HappyThreshold
Wo liegt der unterschied zwischen job und beruf
1 Jahrs vor . durch PositiveCabal
By definition the speaker and the audience cannot be part of the same public
1 Jahrs vor . durch ApocalypticCrocodile

Werbung

Populer

Werbung

Um

Legal

Hilfe

Sozial

homeendefrkoptzhitthjphi
Urheberrechte © © 2024 berikutyang Inc.