What is authorization control? How to imply authorization control in centralized and distributed environment

Access control must guarantee that only authorized users perform operations they are allowed to perform on the database. 

A security policy specifies who is authorized to do what. A security mechanism allows us to enforce a chosen security policy. 

Controlled access is used for providing protection to the resources. Access is permitted or denied depending upon different parameters. 

There are three types of permission associated with each file:

    1. Read: Read data from the file

    2. Write: Write data into the file

    3. Execute: Load the file into primary memory and then execute it

Other access permissions are append, delete and list. With append permission, a user can write new information at the end of the file.

Delete permission allows the file to be deleted, and list permission allows the name and attributes of the file to be listed.

Permission to access a file is controlled by access permission associated with the file. 

Access permissions can be set independently to control read, write and execute permission for three classes of users: the file owner, the file group and everyone else.

Nine bits (read, write and execute for each of the three classes) hold these permissions for every object in a Linux system.
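The following added example (not from the original page) shows how the nine bits are evaluated: exactly one class is selected, owner first, then group, then everyone else, and only that class's three bits are consulted. The function names and the sample uid/gid values are constructed for illustration; root and ACLs are left out.

```python
def describe(mode):
    """Render the nine permission bits as ls -l does, e.g. 0o640 -> 'rw-r-----'."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def permitted(mode, owner_uid, owner_gid, uid, gids, want):
    """Return True if every permission in `want` (a subset of 'rwx') is granted.

    Simplified model: root's override and ACL entries are not considered.
    """
    if uid == owner_uid:
        shift = 6      # owner class: the first three bits
    elif owner_gid in gids:
        shift = 3      # group class: the middle three bits
    else:
        shift = 0      # everyone else: the last three bits
    bits = (mode >> shift) & 0o7
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & needed == needed


if __name__ == "__main__":
    # Constructed sample: file owned by uid 1000, group 100.
    for mode in (0o640, 0o077):
        print(describe(mode),
              "owner r:", permitted(mode, 1000, 100, 1000, {100}, "r"),
              "group r:", permitted(mode, 1000, 100, 1001, {100}, "r"),
              "other r:", permitted(mode, 1000, 100, 1002, {200}, "r"))
```

With mode 0o077 the owner is denied even though the group and other bits grant full access, because the classes are not additive.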

ACLs can be used for situations where the traditional file permission concept does not suffice. They allow the assignment of permissions to individual users or groups even if these do not correspond to the owner or the owning group. Access Control Lists are a feature of the Linux kernel. 

ACL inheritance is a mechanism that lets container objects pass access control information to their child objects. 

A container's child objects can be non-container objects as well as other container objects. 

From an administrator's point of view, ACL inheritance simplifies access control management.

An administrator can set the ACL on a parent object and, if inheritance is enabled, should not need to set ACLs on each child object.

There are two main access control mechanisms at the DBMS level:

    a. Discretionary access control 

    b. Mandatory access control


Discretionary Access Control (DAC) : 

DAC models enforce access control based on user identities, object ownership and permission delegation. 

The owner of an object may delegate the permission of the object to another user. 

DAC is based on the concept of access rights or privileges for objects (tables and views) and mechanisms for giving users privileges (and revoking privileges). 

The DBMS keeps track of who subsequently gains and loses privileges and ensures that only requests from users who have the necessary privileges are allowed.

The security levels are formed by coupling privileges with database objects. Database objects of interest are tables and views. 

Security at the column level is not always available. This feature would be desirable to have in an RDBMS system. 

The privileges of interest that can be granted on database objects are listed below and are commonly referred to as the CRUD privileges. 

    a.  CREATE  :    The right to insert rows 

    b.  READ      :    The right to select rows and read data 

    c.  UPDATE :    The right to update the contents of a row 

    d. DELETE  :    The right to delete rows 

Other privileges such as creating, dropping and altering tables are usually given to the system administrator or the user who owns the schema.

Privileges are assigned to individual users or to a group of users. The group of users represents divisions in the real world, where people having the same role or job within an organization perform similar job functions. 

A DBMS allows discretionary access control, which means that users with privileges on objects may pass on these privileges to other users.
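The bookkeeping described in this section, as an added example that is not part of the original page: a toy grant table in which the owner delegates a privilege, the grantee passes it on, and revocation removes everything that depended on the revoked grant. The class, the user names and the `orders` table are constructed; the cascading revoke is an assumption modelled on SQL's `GRANT ... WITH GRANT OPTION` and `REVOKE ... CASCADE`.

```python
class GrantTable:
    """Toy model of the privilege records a DBMS keeps for DAC (constructed)."""

    def __init__(self):
        self.owner = {}    # object -> owning user
        self.grants = []   # (grantor, grantee, privilege, object, grant_option)

    def create(self, user, obj):
        self.owner[obj] = user

    def holds(self, user, priv, obj, need_option=False):
        if self.owner.get(obj) == user:
            return True    # the owner holds every privilege and may delegate it
        return any(g[1:4] == (user, priv, obj) and (g[4] or not need_option)
                   for g in self.grants)

    def grant(self, grantor, grantee, priv, obj, grant_option=False):
        # Only the owner or a holder of the grant option may pass a privilege on.
        if not self.holds(grantor, priv, obj, need_option=True):
            raise PermissionError(f"{grantor} may not grant {priv} on {obj}")
        self.grants.append((grantor, grantee, priv, obj, grant_option))

    def revoke(self, grantor, grantee, priv, obj):
        self.grants = [g for g in self.grants
                       if g[:4] != (grantor, grantee, priv, obj)]
        # Cascade: rebuild the set of grants still traceable to the owner, so
        # privileges that depended on the revoked grant disappear with it.
        valid, changed = [], True
        while changed:
            changed = False
            for g in self.grants:
                rooted = self.owner.get(g[3]) == g[0] or any(
                    v[1] == g[0] and v[2:] == (g[2], g[3], True) for v in valid)
                if rooted and g not in valid:
                    valid.append(g)
                    changed = True
        self.grants = valid


def demo():
    db = GrantTable()
    db.create("alice", "orders")                       # alice owns the table
    db.grant("alice", "bob", "READ", "orders", grant_option=True)
    db.grant("bob", "carol", "READ", "orders")         # bob delegates to carol
    before = db.holds("carol", "READ", "orders")
    db.revoke("alice", "bob", "READ", "orders")        # carol loses READ as well
    return before, db.holds("bob", "READ", "orders"), db.holds("carol", "READ", "orders")
```

Rebuilding from the owner rather than deleting one row at a time also removes grants that only support each other in a cycle, which a naive revoke would leave behind.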

Discretionary access control is less secure than mandatory access control, which assigns security classes to database objects and clearances to users. However, commercial DBMSs do not support mandatory access control.

Mandatory Access Control (MAC) : 

MAC models govern access based on the sensitivity level of subjects and objects. A subject may read an object if the security level of the subject is higher than that of the object. 

The MAC pattern is also known as multilevel security model and lattice-based access control. A mandatory access control (MAC) policy is a means of assigning access rights based on regulations by a central authority.

Role Based Access Control :

In some environments, it is problematic to determine who the owner of a resource is. In role based systems, users are assigned roles based on their functions in the system. These systems are centrally administered and non-discretionary. Fig. shows the role based access control model.

Fig. Role based access control model

Roles are closely related to the concept of user groups in access control. A role brings together a set of users on one side and a set of permissions on the other, whereas a user group is typically defined only as a set of users.


Permissions are assigned to roles. Users are assigned to roles. RBAC may be configured directly by the system owner or indirectly by appropriate roles as delegated by the system owner.
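An added sketch of this model (not from the original page): permissions attach only to roles, users acquire them only through role membership, and the role configuration can be changed either by the system owner or by a user whose role carries an administrative permission. The class, the role and user names, and the `rbac:administer` permission string are hypothetical.

```python
class RBAC:
    """Minimal role based access control model (constructed for illustration)."""

    ADMIN = "rbac:administer"   # hypothetical permission that delegates administration

    def __init__(self, owner):
        self.owner = owner
        self.role_perms = {}    # role -> set of permissions
        self.user_roles = {}    # user -> set of roles

    def can(self, user, perm):
        # A user holds a permission only through one of the assigned roles.
        return any(perm in self.role_perms.get(role, ())
                   for role in self.user_roles.get(user, ()))

    def _check_admin(self, actor):
        # Configuration is done by the system owner directly, or indirectly by
        # a user whose role the owner has given the administrative permission.
        if actor != self.owner and not self.can(actor, self.ADMIN):
            raise PermissionError(f"{actor} may not administer roles")

    def define_role(self, actor, role, perms):
        self._check_admin(actor)
        self.role_perms[role] = set(perms)

    def assign(self, actor, user, role):
        self._check_admin(actor)
        if role not in self.role_perms:
            raise KeyError(role)
        self.user_roles.setdefault(user, set()).add(role)


def demo():
    rbac = RBAC(owner="sysowner")
    rbac.define_role("sysowner", "clerk", {"orders:READ", "orders:CREATE"})
    rbac.define_role("sysowner", "security_admin", {RBAC.ADMIN})
    rbac.assign("sysowner", "dave", "security_admin")   # owner delegates administration
    rbac.assign("dave", "erin", "clerk")                # dave configures on the owner's behalf
    try:
        rbac.assign("erin", "frank", "clerk")           # a clerk cannot hand out roles
        clerk_could_assign = True
    except PermissionError:
        clerk_could_assign = False
    return (rbac.can("erin", "orders:READ"), rbac.can("erin", "orders:DELETE"),
            rbac.can("dave", "orders:READ"), clerk_could_assign)
```

Unlike the discretionary model, holding a permission here never implies the right to pass it on; only the administrative permission does.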