Discretionary Access Control
Discretionary Access Control (DAC) is a paradigm in which the system owner decides who gets access to that computer system. In the case of a file or other data object, it is the owner, creator, or data custodian who defines and controls access (such as reading and writing) to the object.
In the CFO spreadsheet scenario in our example, the file’s owner will have created an ACL defining the types of access (e.g., read, write, or read/write, perhaps execute) accorded to each user they wanted to be able to use the file. As in our rule-based example, our access control software will need to consult the ACL associated with the spreadsheet file forecast.xls to see whether the user jsmith1 has write access to the file.
Note that DAC allows the individual data owner complete control over the objects they own, even to the extent of granting some users higher levels of access to the object than they would ordinarily have over other similar objects.
Attribute-Based Access Control
ABAC is a relatively new, so-called “next-generation” access control model. It employs a paradigm whereby access rights are granted to users according to policies that combine attributes. For example, access to a given data set or system might only be allowed during “working hours” (however those are defined by the organization).
Because it controls access of subject to objects by evaluating rules against the attributes of the subject and object and against the environmental conditions, ABAC is more flexible than the other methods we have discussed. It can be easy to set up but may be complex to manage.
ABAC systems are capable of enforcing both DAC and MAC models. ABAC systems can even be made to adapt as risks change, by expressing the risk values as variable attributes.
In our CFO spreadsheet example, the security office or network administrator might assign to jsmith1 the attributes of being an officer of the company and a manager in the financial department. The forecast.xls file could be assigned attributes showing it to contain sensitive financial records and subject to regulatory control. The system, in comparing the attributes of the user and the file, would (one presumes) conclude that an officer of the company, a manager in the financial department, should be given access to sensitive financial records pertinent to the company’s regulatory environment.
The policies with which ABAC operates are written in a structured language called the Extensible Access Control Markup Language (XACML), currently at version 3.
One XACML rule for our example might direct the access control system, for example, to “permit managers to access financial data provided they are from the finance department.” The language provides a level of contextual awareness difficult to match in earlier access control models.
