User Access Levels

3 Key excerpts on "User Access Levels"

• 

  eBook - ePub

  The Basics of Information Security

  Understanding the Fundamentals of InfoSec in Theory and Practice

  • Jason Andress(Author)
  • 2011(Publication Date)
  • Syngress

    (Publisher)

  Access controls can be constructed in a variety of manners. We can base access controls on physical attributes, sets of rules, lists of individuals or systems, or more complex factors. The particular type of access control often depends on the environment in which it is to be used. We can find simpler access controls implemented in many applications and operating systems, while more complex multilevel configurations might be implemented in military or government environments. In such cases, the importance of what we are controlling access to may dictate that we track what our users have access to across a number of levels of sensitivity.

  When we discuss access control concepts, we may be referring to them in a purely logical or physical sense or, more commonly, as a combination of the two. In terms of access control systems, it is important to understand that, when dealing with computing environments, the logical and physical are often closely entangled. Logical access control systems, even those that do not have an immediately obvious physical component, are still dependent on physical hardware, networks, and utilities to carry out their tasks. Likewise, many, but not all, physical access controls (sometimes referred to as guards, gates, and guns) have some sort of logical component. Often the systems that control our access to and within facilities depend equally on networks, computer systems, and other similar components. In many ways, information security and physical security are closely linked to each other.

  Authorization

  Authorization is the next step taken after we have completed identification and authentication, as shown in Figure 3.1

  Sign up to read

  Learn more about book
• 

  eBook - PDF

  Role Mining In Business: Taming Role-based Access Control Administration

  Taming Role-Based Access Control Administration

  • Roberto Di Pietro, Alessandro Colantonio, Alberto Ocello(Authors)
  • 2012(Publication Date)
  • World Scientific

    (Publisher)

  Users can create new tables, add new information to existing tables, or modify in-formation that exists in the tables. A user may have permission to read a table within a database containing, for instance, sales information, but may not be granted permission to modify any of the entries in that table. We refer to applications as the executable programs that individuals use. These include common office-automation applications, as well as communi-cation applications such as e-mail, to name but a few. Please notice that, for many applications, there is only a single permission allowing a user to execute the application. As identity-aware applications have matured, how-ever, more sophisticated access control policies can be implemented. One example of such applications is represented by workflow and collaborative systems [Tolone et al. (2005)]. Files within operating systems also have their use regulated through access control decisions. Similar to databases, users can create, modify, or delete files according to the security requirements of the organization. 1.2.3 Authentication and Authorization Access control is an important component of identity and access manage-ment system. As mentioned earlier, there are two aspects related to access control: authorization and authentication. Authentication refers to deter-mining whether users are who they say they are. The ways in which some-one may be authenticated fall into (at least) three categories, based on what are known as the factors of authentication [Federal Financial Institutions Examination Council (2005)]: something you know, something you have, or 8 Managing Access Rights something you are. For example, bank ATMs require the presence of both a bank card and the knowledge of a personal identification number to access bank accounts and perform transactions. For most organizations, the most common technique is to require a username and password pair to verify a user’s identity.

  Sign up to read

  Learn more about book
• 

  eBook - PDF

  CISSP Guide to Security Essentials

  • Peter Gregory(Author)
  • 2014(Publication Date)
  • Cengage Learning EMEA

    (Publisher)

  Program permissions, such as the right to execute a program on an application server. Data rights, such as the right to retrieve or update information in a database. CISSP candidates should fully understand access control concepts, methodologies and their implementation within centralized and decentralized environments across an organization’s computing environment. Key areas of knowledge: Control access by applying concepts/methodologies/techniques Understand access control attacks Assess effectiveness of access controls Identify and access provisioning lifecycle (e.g., provisioning, review, revocation) Controlling Access to Information and Functions Computer systems, databases, and storage and retrieval systems contain information that has some monetary or intrinsic value. For this reason, the organization will take steps to control access to the information that it has collected and stored. Access controls are used to control access to information and functions. In simplistic terms, the steps undertaken are something like this: 1. Authentication : Reliably identify the subject (e.g., the person, program, or system); 2. Find out what object (e.g., information or function) the subject wishes to access; 3. Authorization : Determine whether the subject is allowed to access the object; 4. Access : Permit (or deny) the subject’s access to the object; 5. Accounting : Log the access that was requested. The actual practice of access control is far more complex than these five steps. This is due pri-marily to the high-speed, automated, complex, and distributed nature of information systems. Even in simple environments, information often exists in many forms and locations, and yet these systems must somehow interact and quickly retrieve and render the desired information, without violating any access rules that are in place.

  Sign up to read

  Learn more about book