Suppose that you have the opportunity to devise Manage, from scratch, a scheme for access control to all of the assets for which you are responsible. Not only can you pick the security devices and policies, but you can also decide on the very kinds of attributes that will determine access authority for everyone.
One way to start such a design is to imagine that you—or your avatar—will be queried, moment to moment, for an on-the-spot decision as to who can do what. For this example, suppose you receive the queries via text and respond with your decision the same way Manage.
If the CFO wants to open a forecast spreadsheet, you might see something like this:
[Date/Timestamp]: User jsmith1 wants to OPEN forecast.xls for WRITE.
In response, you need to grant or deny access. Your decision will be based on a variety of factors, each of which will be informed by the access control model that you are using.
There are several access control models that exist. The most useful of these include the following:
- Role-based access control (RBAC)
- Rule-based access control (also, ambiguously, RBAC)
- Mandatory access control (MAC) (sometimes known as nondiscretionary access control, or NDAC)
- Discretionary access control (DAC)
- Attribute-based access control (ABAC)
The following sections examine how each model would implement this hypothetical CFO’s spreadsheet example.
