Skip to main content
Milav
  1. Resources/
  2. Study Materials/
  3. Information & Communication Technology Engineering/
  4. ICT Semester 5/
  5. Cyber Security (4353204)/

6 mins· ·
Milav Dabgar
Author
Milav Dabgar
Experienced lecturer in the electrical and electronic manufacturing industry. Skilled in Embedded Systems, Image Processing, Data Science, MATLAB, Python, STM32. Strong education professional with a Master’s degree in Communication Systems Engineering from L.D. College of Engineering - Ahmedabad.
Authorization Methods

Authorization Methods

Key Approaches to Access Control

Implementing Effective Permission Systems

Authorization Methods Overview

Authorization Methods Overview

Authorization Methods are the specific techniques and frameworks used to implement access control policies, determining how permissions are assigned, managed, and enforced in computer systems.

Key Methods We'll Explore:

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Rule-Based Access Control
  • Context-Aware Access Control

Discretionary Access Control (DAC)

DAC Principle: Resource owners have discretionary control over who can access their resources and what permissions to grant.

Key Features:

  • Owner-controlled permissions
  • Flexible access management
  • User discretion in sharing
  • Identity-based decisions

Common Implementations:

  • File system permissions
  • Database table ownership
  • Application-level sharing
  • Cloud storage permissions
Example: In Windows/Linux file systems:
Owner: Alice can read/write/execute file.txt
Alice grants Bob read permission
Alice grants Charlie read/write permission
Everyone else: No access

DAC: Pros and Cons

Advantages:

  • Simple and intuitive
  • Flexible for users
  • Low administrative overhead
  • Widely supported
  • Good for collaborative environments

Disadvantages:

  • Vulnerable to Trojan horses
  • Difficult to enforce policies
  • Limited centralized control
  • Data leakage potential
  • Inconsistent security levels
Best For: Small organizations, personal systems, collaborative environments where trust is high

Mandatory Access Control (MAC)

MAC Principle: System enforces access control policies based on security labels and clearance levels. Users cannot override system policies.
Security Labels Example:

Classification Levels:
Top Secret (Level 4)
Secret (Level 3)
Confidential (Level 2)
Unclassified (Level 1)

Access Rule: User can access data at their level or below
User with "Secret" clearance can access "Secret," "Confidential," and "Unclassified" but NOT "Top Secret"

MAC Implementation Details

Key Components:

  • Security Labels: Classifications assigned to subjects and objects
  • Security Policy: Rules defining label interactions
  • Reference Monitor: System component enforcing policies
  • Trusted Computing Base: Secure kernel managing access

Advantages:

  • Strong security enforcement
  • Prevents unauthorized disclosure
  • Centralized policy control
  • Suitable for high-security environments

Disadvantages:

  • Complex to implement
  • Inflexible for users
  • High administrative costs
  • Limited commercial adoption

Role-Based Access Control (RBAC)

RBAC Principle: Access permissions are assigned to roles, and users are assigned to roles based on their job responsibilities.
Corporate RBAC Example:

Roles Defined:
• Employee: Basic system access, email, time tracking
• Manager: Employee permissions + budget reports, staff schedules
• HR Specialist: Employee permissions + personnel files, benefits
• IT Administrator: All permissions + system configuration

User Assignments:
John (Sales Manager) → Manager Role
Sarah (HR Specialist) → HR Specialist Role
Mike (System Admin) → IT Administrator Role

RBAC Core Components

RBAC Elements:

  • Users: Human beings or automated agents
  • Roles: Job functions or titles within organization
  • Permissions: Access rights to resources and operations
  • Sessions: User activating a subset of assigned roles
  • Role Hierarchy: Senior roles inherit junior role permissions

RBAC Advantages:

  • Simplified administration
  • Principle of least privilege
  • Separation of duties
  • Scalable for large organizations
  • Industry standard

RBAC Challenges:

  • Role explosion problem
  • Static nature of roles
  • Context insensitive
  • Complex role hierarchies
  • Role mining difficulty

Attribute-Based Access Control (ABAC)

ABAC Principle: Access decisions based on attributes of users, resources, actions, and environmental conditions through policy evaluation.
ABAC Policy Example:

Allow access to patient records IF:
• User.Department = "Medical" AND
• User.Certification = "Active" AND
• Resource.Type = "PatientRecord" AND
• Time.Hour BETWEEN 06:00 AND 22:00 AND
• Location.Zone = "Hospital" AND
• (Patient.AssignedDoctor = User.ID OR User.Role = "Emergency")

Dynamic Evaluation: Every access request evaluates all conditions in real-time

ABAC Architecture

ABAC Components:

  • Policy Enforcement Point (PEP): Intercepts access requests
  • Policy Decision Point (PDP): Evaluates policies and makes decisions
  • Policy Information Point (PIP): Provides attribute information
  • Policy Administration Point (PAP): Manages policy creation
  • Attribute Store: Repository of attribute values

ABAC Advantages:

  • Fine-grained control
  • Dynamic and context-aware
  • Flexible policy expression
  • Supports complex scenarios
  • Future-proof approach

ABAC Challenges:

  • Complex implementation
  • Performance overhead
  • Policy debugging difficulty
  • Attribute management
  • Learning curve

Rule-Based Access Control

Rule-Based Principle: Access decisions based on predefined rules that specify conditions under which access is granted or denied.
Firewall Rule Example:

Rule 1: ALLOW HTTP traffic from internal network to external network
Rule 2: DENY all traffic from suspicious IP ranges
Rule 3: ALLOW SSH traffic only from admin subnet
Rule 4: DENY all other traffic (default deny)

Database Rule Example:
Rule: Allow SELECT on customer table IF user_role = 'sales' AND time BETWEEN '08:00' AND '18:00'
Common Applications: Firewalls, database systems, workflow systems, network access control

Context-Aware Access Control

Context-Aware Principle: Access decisions consider environmental and situational context beyond traditional user credentials.

Context Factors:

  • Temporal: Time of day, day of week, business hours
  • Spatial: Physical location, IP address, network zone
  • Device: Device type, security posture, trust level
  • Behavioral: Usage patterns, anomaly detection
  • Risk: Threat intelligence, risk scoring
  • Environmental: Network congestion, security alerts
Context-Aware Example:
Normal office hours + corporate device + usual location = Standard access
Weekend + personal device + foreign country = Enhanced authentication required

Hybrid Authorization Models

Combining Multiple Methods:

  • RBAC + ABAC: Role-based foundation with attribute refinements
  • DAC + MAC: Discretionary controls within mandatory boundaries
  • RBAC + Rule-Based: Role permissions enhanced with conditional rules
  • Context-Aware + ABAC: Attribute-based decisions with environmental factors
Hybrid Example:
Base: RBAC assigns "Doctor" role with patient record access
Enhancement: ABAC adds conditions - only assigned patients, during work hours
Context: Risk-based adjustments for unusual access patterns

Choosing Authorization Methods

MethodBest ForComplexityFlexibilityPerformance
DACSmall teams, file sharingLowHighExcellent
MACMilitary, classified systemsHighLowGood
RBACEnterprises, standard appsMediumMediumGood
ABACComplex environmentsHighVery HighVariable
Rule-BasedNetwork security, workflowsMediumMediumGood

Implementation Best Practices

  1. Start Simple: Begin with RBAC, evolve to ABAC if needed
  2. Define Clear Policies: Document authorization requirements
  3. Regular Reviews: Audit permissions and roles periodically
  4. Least Privilege: Grant minimum necessary permissions
  5. Separation of Duties: Divide critical functions
  6. Monitor and Log: Track all authorization decisions
  7. Test Thoroughly: Validate policies before deployment
  8. Plan for Exceptions: Handle emergency access scenarios

Common Implementation Pitfalls

Avoid These Mistakes:

  • Over-Engineering: Choosing complex methods for simple needs
  • Role Explosion: Creating too many specific roles in RBAC
  • Policy Conflicts: Contradictory rules in complex systems
  • Performance Neglect: Ignoring authorization overhead
  • Poor Documentation: Inadequate policy documentation
  • Static Thinking: Not adapting to changing requirements
  • Testing Gaps: Insufficient authorization testing
  • Emergency Planning: No backup access procedures

Future of Authorization Methods

  • AI-Enhanced Authorization: Machine learning for dynamic policies
  • Zero Trust Authorization: Continuous verification approach
  • Blockchain-Based Access: Decentralized authorization systems
  • Privacy-Preserving Methods: Authorization without data exposure
  • Intent-Based Access: Access based on user intentions
  • Quantum-Safe Authorization: Post-quantum cryptographic methods
  • Edge-Computing Integration: Authorization at the network edge

Key Takeaways

  • Different authorization methods suit different organizational needs
  • RBAC is most widely adopted for enterprise environments
  • ABAC provides finest-grained control but increases complexity
  • Hybrid approaches often provide optimal solutions
  • Context-aware authorization is increasingly important
  • Implementation should start simple and evolve
  • Regular review and maintenance are essential
Remember: The best authorization method balances security requirements, organizational complexity, and user experience

Thank You

Questions & Discussion

Next: Types of Attacks