Manuals / HP / Computer Equipment / Software

HP UX 11i Role-based Access Control (RBAC) Software manual Access Control Basics

Models: UX 11i Role-based Access Control (RBAC) Software

1 84
Download 84 pages 13.76 Kb
Page 28
Image 28

Access Control Basics

The goal of an access control system is to limit access to resources based on a set of constraints. Typically, these constraints and their associated attributes fit into the following categories:

Subject: The entity attempting to access the resource. In the context of an operating system, the subject is commonly a user or a process associated with a user.

Operation: An action performed on a resource. An operation can correspond directly to an application or a command. In the case of HP-UX RBAC, the operation is a dot-separated, hierarchical string, such as hpux.user.add.

Object: The target of the operation, which is often the same as the end resource, but which can be different.

An access control request can be thought of as a question combining the previous elements, where the response to the question (usually allow or deny) determines whether access to the resource is granted. For example:

Is the user ron authorized to perform the operation hpux.fs.mount on the object/dev/dsk/c0t1d0?

Often, the term authorization is used as a synonym for access control. In HP-UX RBAC, authorization refers to the ability to perform an operation on an object. As shown in

Table 3-1 “Example of Authorizations Per User”, a user can have a set of authorizations, each of which allows access to a resource.

Table 3-1 Example of Authorizations Per User

Operation Component of Authorization

Users

 

 

 

 

ron

lisa

jim

liz

hpux.user.add

 

 

 

 

hpux.user.delete

 

 

 

 

hpux.user.modify

 

 

 

 

hpux.user.password.modify

hpux.network.nfs.start

 

 

 

hpux.network.nfs.stop

 

 

 

hpux.network.nfs.config

 

 

 

hpux.fs.backup

 

 

hpux.fs.restore

 

 

NOTE: Table 3-1 “Example of Authorizations Per User” shows only the operation element of the authorizations—not the object element of the authorizations.

Simplifying Access Control with Roles

The preceding overview of access control does not address how access control policy is represented and how decisions are made. One approach is to simply maintain a list of users and the authorizations (operation, object pairs) assigned to each of them. This approach has the advantage of being flexible, because each user's set of authorizations can be completely different from those of the other users.

Unfortunately, this approach is also difficult to manage because as you add users, you must determine exactly which authorizations each user requires. Also, when performing audits, you must examine each user individually to determine his or her associated authorizations.

28 HP-UX Role-Based Access Control

Page 27 Page 29
Page 28
Image 28
HP UX 11i Role-based Access Control (RBAC) Software manual Access Control Basics, Simplifying Access Control with Roles
Page 27 Page 29