Lecture Topic: Access Control

[Module Four PDF](https://lms.unb.ca/d2l/le/content/231513/viewContent/2614490/View)

Access Control Policies:

- Discretionary access control (DAC): Controls access based on the identity of the requestor and on access rules stating what requestors are (or are not) allowed to do. The term discretionary is used because an entity that holds an access right may be able to pass that right on to another entity.
- Mandatory access control (MAC): Controls access by comparing security labels, which indicate how sensitive or critical a resource is, with security clearances, which indicate what a subject is entitled to see. The term mandatory is used because a user who has access to a resource may not, by their own choice, enable another user to access it.
- Role based access control (RBAC): Controls access based on the roles that users have in a given system, and on rules stating which resources each role may access.
- Attribute based access control (ABAC): Controls access based on attributes of the user, attributes of the resource being requested, and the current environment conditions.

Subject, Object and Access Right

- Subject: An entity capable of accessing objects. A subject is typically equated with a process, and a process usually acts on behalf of a given user. Three classes of subject are commonly distinguished:
  - Owner: The creator of the resource, with full access to it. For system resources this may be the system administrator; for project resources, a project administrator.
  - Group: A set of users that may be granted access in addition to the owner. In most schemes a user can belong to multiple groups.
  - World: Everyone who is neither the owner nor in an allowed group; generally granted the least access.
- Object: A resource to which access is controlled. Objects usually store or receive information; examples include files, directories, blocks, pages and programs.
- Access Right: The way in which a subject may access an object:
  - Read: The subject can view the information in the object. This also allows copying and printing.
  - Write: The subject may add, modify or delete data in the object. Write includes read access.
  - Execute: The subject can execute the object if it is a program or script containing code or machine code.
  - Delete: The subject can delete the object being accessed.
  - Create: The subject can create new objects.
  - Search: The subject can list the objects in a directory or otherwise search it.

Example: UNIX file access control

All UNIX file systems are administered by the OS in terms of inodes. An inode (index node) is a control structure for a particular file. Several file names may refer to a single inode, but an active inode is associated with exactly one file, and each file is controlled by exactly one inode. The attributes of the file, including its permissions, are stored in the inode. On disk there is an inode table (inode list) containing the inodes of all the files in the file system. When a file is opened, its inode is brought into a memory-resident inode table.
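The UNIX permission check described above (owner, group and world classes, with read/write/execute bits held in the inode) as an added worked example; this is not code from the lecture, and the uid/gid/mode values are constructed. It only models the nine permission bits, not the superuser override or setuid/sticky bits.

```python
import stat

# Permission bits per subject class, using the standard constants from the
# stat module. Superuser override is deliberately not modelled.
CLASS_BITS = {
    "owner": {"read": stat.S_IRUSR, "write": stat.S_IWUSR, "execute": stat.S_IXUSR},
    "group": {"read": stat.S_IRGRP, "write": stat.S_IWGRP, "execute": stat.S_IXGRP},
    "world": {"read": stat.S_IROTH, "write": stat.S_IWOTH, "execute": stat.S_IXOTH},
}


def subject_class(file_uid, file_gid, subj_uid, subj_gids):
    """Pick the ONE class whose bits apply: owner first, then group, else world.
    Only that class is consulted, so an owner denied a right is not rescued by a
    more permissive group or world triple."""
    if subj_uid == file_uid:
        return "owner"
    if file_gid in subj_gids:
        return "group"
    return "world"


def check_access(mode, file_uid, file_gid, subj_uid, subj_gids, right):
    """True if the subject holds `right` ('read' | 'write' | 'execute') on the object."""
    cls = subject_class(file_uid, file_gid, subj_uid, subj_gids)
    return bool(mode & CLASS_BITS[cls][right])


def mode_string(mode):
    """Render the nine permission bits the way `ls -l` does, e.g. 'rw-r-----'."""
    out = []
    for cls in ("owner", "group", "world"):
        for right, ch in (("read", "r"), ("write", "w"), ("execute", "x")):
            out.append(ch if mode & CLASS_BITS[cls][right] else "-")
    return "".join(out)


# Constructed inode attributes: owned by uid 1000, group gid 2000, mode 0o640.
FILE_UID, FILE_GID, FILE_MODE = 1000, 2000, 0o640

if __name__ == "__main__":
    print(mode_string(FILE_MODE))                                              # rw-r-----
    print(check_access(FILE_MODE, FILE_UID, FILE_GID, 1000, [1000], "write"))  # owner: True
    print(check_access(FILE_MODE, FILE_UID, FILE_GID, 1001, [2000], "read"))   # group: True
    print(check_access(FILE_MODE, FILE_UID, FILE_GID, 1001, [2000], "write"))  # group: False
    print(check_access(FILE_MODE, FILE_UID, FILE_GID, 1002, [3000], "read"))   # world: False
    # Owner who is also in the group, on a 0o060 file: owner triple wins, so denied.
    print(check_access(0o060, FILE_UID, FILE_GID, 1000, [2000], "read"))       # False
```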