๐ Core Types of Server Access Control: DAC, MAC, and RBAC
Summary
A deep dive into the three main models of server access control: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC), comparing their concepts, features, and pros and cons.
๐ Server Access Control Comparison Summary of the Three Models
| Category | Discretionary (DAC) | Mandatory (MAC) | Role-Based (RBAC) |
|---|---|---|---|
| Control Subject | Object Owner | System (Admin Policy) | Role (Admin Policy) |
| Permission Setup | Owner's discretion | Security levels & rules | Permissions assigned to roles |
| Flexibility | High | Low | Medium |
| Security Level | Low | Very High | High |
| Admin Complexity | Low | Very High | Medium |
| Primary Use Case | Personal computers, small systems | Military, government, high-security systems | Most enterprises, cloud environments |
Each access control model has unique characteristics, advantages, and disadvantages. Therefore, it is crucial to select the appropriate model or combine multiple models based on the system's purpose and required security level.
๐ง What is Server Access Control?
Simply put, Server Access Control is a fundamental security principle that defines and enforces 'who can do what, and how'. It ensures the confidentiality, integrity, and availability of a system by granting authorized users access to necessary information and functions while blocking unauthorized users.
There are several models for implementing access control, with the three most representative being DAC, MAC, and RBAC. Let's explore the features and differences of each model.
๐ Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is a model where the owner of a data object (like a file or directory) can grant or restrict access to other users at their discretion. It's the model most of us are familiar with.
-
Core Feature: The object owner manages access permissions.
-
Key Examples:
- UNIX/Linux File Permissions: Using the
chmodcommand, a file owner can set read (r), write (w), and execute (x) permissions for other users (Owner, Group, Other). This is a classic example of DAC. - Windows File Sharing: Granting sharing permissions to specific users in a folder's properties also falls under DAC.
- UNIX/Linux File Permissions: Using the
-
Advantages:
- Flexibility: Users can manage permissions autonomously, making it convenient and flexible.
- Simplicity: It's easy to set up without a central administrator, making it suitable for small-scale systems.
-
Disadvantages:
- Security Vulnerability: If a malicious user gains privileges, they can easily pass those privileges on to others (e.g., vulnerable to Trojan horse attacks).
- Difficulty in Central Management: It's hard to apply a consistent security policy across an entire organization.
๐ก๏ธ Mandatory Access Control (MAC)
Mandatory Access Control (MAC), unlike DAC, enforces access based on strict security policies (rules) predefined by a system administrator. The system controls access regardless of the user's wishes.
-
Core Feature: Access is controlled based on a system-wide security policy and security levels.
-
Key Examples:
- SELinux (Security-Enhanced Linux): A security module that implements MAC in the Linux kernel, controlling access by attaching security labels to all processes and files.
- Military and Government Systems: Security levels like 'Confidential' or 'Top Secret' are assigned to users (security clearance) and information (security classification). Users cannot access information with a higher classification than their clearance level.
-
Advantages:
- Strong Security: Centrally controlled policies effectively prevent information leakage and provide a very high level of security.
- Consistency: A consistent security policy can be enforced throughout the organization.
-
Disadvantages:
- Complexity and Inflexibility: Configuration and management are very complex, and it's difficult to change policies once they are set.
- Administrative Overhead: Assigning and managing security levels for all subjects and objects is costly.
๐งโ๐คโ๐ง Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) grants access permissions based on the 'role' a user belongs to, rather than the individual user. It is the standard access control model used in most corporate environments today.
-
Core Feature: Controls access through the relationship: 'User โ Role โ Permission'.
-
Key Examples:
- AWS IAM (Identity and Access Management): Roles like 'Developer', 'Administrator', or 'Finance Team' are created, and necessary permissions (Policies) are assigned to each role. Users are then assigned a role to exercise those permissions.
- Database Management Systems: Roles like
DBA,Developer, andUserare defined, and permissions such asSELECT,INSERT,DELETEon tables are granted to these roles.
-
Advantages:
- Management Efficiency: When a user's status changes (new hire, resignation, department transfer), you only need to assign or revoke a role instead of resetting permissions, making administration highly efficient (administrative scalability).
- Adherence to the Principle of Least Privilege: It's easy to implement the 'Principle of Least Privilege' by granting only the necessary permissions to a role.
- Policy Consistency: Since permissions are managed based on roles, it's easier to apply organizational policies consistently.
-
Disadvantages:
- Initial Design Complexity: It requires time and effort to analyze an organization's duties and responsibilities to design appropriate roles.
- Role Explosion: If roles become too granular or numerous, management can become complicated.