Chapter 97 · Flashcards

Access Controls — Flashcards

Eleven cards covering the principle of least privilege, MAC with government classification labels, DAC with owner control and its weakness, RBAC and implicit group rights, rule-based access control with ACL conditions, ABAC as next-generation multi-attribute model, time-of-day restrictions, and comparative model selection. Click any card to flip it.

What is the principle of least privilege, and what four implementation mechanisms support it?

Least privilege: every user, process, and system should have access only to the resources required for their specific job function, and nothing more. Four implementation mechanisms: (1) Role-based provisioning — access determined by job role, not individual request. (2) Regular access reviews — certifying that current permissions match current responsibilities. (3) Just-in-time access — temporary elevation for specific tasks; no permanent privileged access. (4) Separation of duties — no single person can perform a sensitive action AND conceal it.

What is Mandatory Access Control (MAC), who sets permissions, and why can users not change labels?

MAC is an access control model where the OS enforces access based on security classification labels assigned by a system administrator. Labels are assigned to both subjects (users) and objects (files/resources). Users cannot change labels — even the file owner cannot downgrade the classification or grant access to users with insufficient clearance. The security kernel makes all decisions. This prevents unauthorized disclosure regardless of user intent. Use case: government and military systems using Confidential, Secret, and Top Secret classifications. MAC provides the highest security strength of all models.

What is Discretionary Access Control (DAC), and what is its primary security weakness?

DAC is an access control model where the resource owner controls access permissions. The file or resource creator can grant and revoke access to others as they choose. This is the default model in most commercial operating systems (Windows NTFS, Linux file permissions). Primary weakness: security is only as strong as every owner's individual access decisions. Owners may inadvertently share sensitive data, may not understand the sensitivity of their resources, or may intentionally share improperly. There is no central oversight of sharing decisions. MAC prevents this weakness by removing user discretion entirely.

What is Role-Based Access Control (RBAC) and what does "implicit rights through group membership" mean?

RBAC assigns access rights to roles (groups) rather than individual users. Users gain access by being assigned to a role; the role defines all accessible resources. Implicit rights: access is NOT individually granted to the user for each resource — it is inherited automatically through group membership. In Windows Active Directory: adding a user to the "Finance" security group automatically grants all permissions the Finance group has, without any additional individual grants. Changing group permissions affects all group members simultaneously. RBAC is the most common enterprise access model; it is scalable and supports least privilege through role design.

What is Rule-Based Access Control, and how does it differ from RBAC?

Rule-Based Access Control uses system-enforced conditions in Access Control Lists (ACLs) evaluated automatically for every access attempt. Rules can be based on: time of day, IP address range, day of week, browser type, geographic location, or any evaluable attribute. Classic example: firewall ACLs that allow or deny traffic based on source IP, port, and protocol. Key difference from RBAC: RBAC is about WHO you are (your role/group). Rule-based is about CONDITIONS that must be met (time, location, device). RBAC: user must be in Finance group. Rule-based: access only from 172.16.0.0/16, only on weekdays, only 8AM-6PM.

What is ABAC, what four attribute categories does it evaluate, and why is it called next-generation?

ABAC (Attribute-Based Access Control) evaluates multiple attributes simultaneously from four categories: Subject (role, department, clearance, employment status), Object (classification, data type, sensitivity), Environment (time, date, IP, location, device type, network type), Action (read, write, delete, execute). Called next-generation because it makes dynamic, context-aware decisions that change based on the full situation at access time — traditional models make static decisions. Same user can be granted access from the office but denied from home; same file can be accessible during business hours but blocked after hours. Used in zero-trust architectures.

What are time-of-day restrictions, what access control model do they implement, and how do they limit stolen credential damage?

Time-of-day restrictions limit when an account can authenticate, regardless of credential validity. A call center employee who works 9AM-5PM has login attempts outside those hours rejected even with the correct password. Implements rule-based access control — a system-enforced condition evaluated at every login attempt. Limiting stolen credential damage: an attacker who steals the employee's password cannot use it at 3AM because the time restriction blocks the authentication. This shrinks the attack window from 24 hours/day to only the 8 hours when the account is allowed to be active. Also reduces automated attack windows.

Compare MAC and DAC: who sets permissions, can users change them, and what is each model's primary use case?

MAC: System administrator sets classification labels. Users CANNOT change labels or grant access beyond their clearance level. OS kernel enforces all decisions. Use case: government, military, classified data systems. High security. DAC: Resource owner sets permissions. Users CAN grant/revoke access to others at their discretion. File system ACLs enforced by OS but owner-managed. Use case: commercial OS environments (Windows NTFS, Linux file permissions), general enterprise use. Moderate security — depends on owner decisions. The key exam differentiator: MAC removes user discretion; DAC gives it to the owner.

A scenario describes: "User's access changes based on whether they are connecting from VPN, what time it is, their job role, and whether they are reading or deleting." Which access control model is this, and why isn't it RBAC?

This is ABAC. The indicators are: multiple simultaneous attribute categories being evaluated (network = environment attribute, time = environment attribute, job role = subject attribute, read vs. delete = action attribute). Access decisions change dynamically based on any attribute changing. Why it is not RBAC: RBAC only considers the user's role/group membership. RBAC does not natively evaluate network origin, time of day, or action type for access decisions. RBAC would grant a physician access to patient records always, from anywhere, for any operation. ABAC grants access only when all conditions are met simultaneously — from the hospital VPN, during business hours, for the specific patient, for read operations only.

Which access control model is used in zero-trust architectures, and why do the other models not satisfy zero-trust requirements?

ABAC is the model used in zero-trust architectures. Zero-trust requires: never implicit trust, always verify, evaluate every request based on full context. Why others fail zero-trust: MAC uses static labels (not context-aware). DAC depends on owner discretion (not policy-driven). RBAC grants access based only on role membership — an insider threat using a valid account is always trusted if they have the right group membership. Rule-based checks conditions but typically evaluates them independently rather than as a combined policy. ABAC evaluates every access request against the full current context (who, what, when, where, how) at decision time — the zero-trust model.

What are the five access control models in order from most rigid/centralized to most flexible/distributed?

Most rigid/centralized → Most flexible/distributed: (1) MAC — system admin controls everything; users have zero discretion; immutable classification labels. (2) Rule-Based — admin writes rules; system enforces automatically; conditions are fixed by policy. (3) RBAC — admin assigns users to roles; role defines access; scalable but coarse-grained. (4) ABAC — policy engine evaluates full context dynamically; highly granular but complex to manage. (5) DAC — resource owner decides; most flexible; weakest security. Exam pattern: MAC = maximum rigidity; DAC = maximum flexibility but minimum centralized security enforcement.