Question

In: Operations Management


There are several access control models, and in class we learnt specifically about 3 flavors: Mandatory Access Control (MAC), Role Based Access Control (RBAC), and Discretionary Access Control (DAC). In your own words, differentiate these 3 models. Your answer should include a specific example where a specific model is best.

Solutions

Expert Solution

MAC (Mandatory Access Control): It is based on a system-wide policy that decides who is allowed to have access; individual users don't have rights to alter that access. It relies on the system to control access. These mechanisms have been tightly coupled to a few security models. Few systems that support flexible security mechanisms have started using this.

DAC (Discretionary Access Control): It is where a user can put an access control mechanism in place to allow or deny access to an object. It is most widely used in mainstream operating systems because of its flexibility. It has several drawbacks also: since DAC lets users decide the access control policies on their data, it faces consistency issues when there is a global policy. At a point in time when a malicious program gets access, that malicious program running as the owner can change DAC policies on behalf of the owner.

Role Based Access Control (RBAC): In an organization, there are various job functions, and roles are defined based on those. The permissions to perform certain operations are assigned to specific roles. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user or changing a user's department. It enables you to control access at any level.

For example: if a user belongs to the HR function, he will be assigned the rights and access to the sites that they really need, like naukri.com, monster.com, etc. They don't need access to marketing sites; similarly, a marketing person does not need access to job sites. So there should be a policy based on the role of HR. There can be deeper-level access control put into place. This is just to make you understand role-based access.

Role based access is widely used in Microsoft Exchange Server 2013.

Rule Based Access Control (RBAC): This is to increase application security. A rule based access control will dynamically assign roles to users based on criteria defined by the custodian or system administrator. For example, if someone is only allowed access to files during certain hours of the day, rule based access control would be the tool of choice.

ADDITIONAL INFO:

(a) Mandatory Access Control (MAC):

Advantages:

(i) Higher level of security due to one administrator controlling the access.

(ii) Reduction of security errors.

Disadvantages:

(i) Not flexible.

(ii) Difficult to implement.

(b) Discretionary Access Control (DAC)

Advantages:

(i) Access type can be defined.

(ii) Object ownership transfer between users.

(iii) Access is restricted after several failed attempts.

Disadvantages:

(i) Inherent threats like Trojan horses.

(ii) Difficult to maintain grant and revoke permissions.

(c) Role Based Access Control (RBAC)

Advantages:

(i) The requirement for support and administration is less.

(ii) Operational efficiency is high.

(iii) Low cost.

Disadvantages:

(i) Network access monitoring is difficult.

(d) Rule Based Access Control (RBAC)

Advantages:

(i) Provides high flexibility.

(ii) Low cost.

Disadvantages:

(i) Difficult to maintain the deny list.
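The four flavours described in the answer, as an added worked example that is not part of the original answer: a small policy engine in Python where MAC is a system-wide label lattice the user cannot change, DAC is an owner-managed ACL, RBAC routes permissions through roles, and rule-based control adds a time-of-day condition. All users, labels, roles and hours are constructed sample data.

```python
# Added illustration (not from the original answer). Sample users, labels,
# roles and office hours below are constructed for the example.

# MAC: a system-wide ordering of labels; a subject may read an object only
# if its clearance dominates the object's label. Users cannot edit LEVELS.
LEVELS = {"public": 0, "internal": 1, "secret": 2}

def mac_can_read(subject_clearance, object_label):
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# DAC: the owner of each object decides its ACL. Note the drawback the
# answer mentions: any program running as the owner has the same authority,
# so grant(owner, ...) succeeds no matter which code issued it.
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor, user, perm):
        if actor != self.owner:
            return False  # only the owner may change the ACL
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())

# RBAC: permissions attach to roles; users get them only via role membership.
ROLE_PERMS = {"hr": {"jobsite:read"}, "marketing": {"adsite:read"}}
USER_ROLES = {"alice": {"hr"}, "bob": {"marketing"}}

def rbac_allowed(user, perm):
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

# Rule-based: the role decision is gated by a condition, here office hours
# (hour is a 24-hour integer; the window is an assumed 09:00-17:00).
def rule_allowed(user, perm, hour, start=9, end=17):
    return rbac_allowed(user, perm) and start <= hour < end
```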

