Access control: the prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. So we've got resources on our computer system, and we want to prevent people and software that are not authorized to use those resources from doing so. That's the basics of access control: control who can access those resources. And access control is related to some other functions. In a computer system, let's say we have the normal users that use that computer system. What we saw in the previous topic was how to authenticate users. There's some function to authenticate users, to make sure that this user is the right user who's allowed to access the system. Once we've authenticated them, so they're, for example, logged in with their username and password, we then may want to further control what they can do on the system. Our computer system has a set of resources (files, CPU, memory) and we want to control which users can use those resources. That's the role of access control. We have system resources (databases, files, parts of files) and we want to control which users can access them. So access control relies on authentication; it assumes someone's already been authenticated. We'll see that access control requires some initial setup to say which users are allowed to use which resources. Usually we need some administrator who sets up, via some database, the authorizations that say user Steve is allowed to use these resources and user Tanarak is allowed to use these other resources. This initial setup is done by an administrator, and we can think of them as storing this authorization information in some database. When a user is authenticated to our computer system, the access control function uses this authorization information to control what the user can do on the system, for example which files they can access.
All of this we want to check works well. The process of auditing is checking that access control, authentication and the database have been set up correctly, such that they implement the policies of our organization or of our computer system. So we have some overall policy or goal. For example: students cannot access this database about grades; faculty members that teach this course can access the information of students who are taking that course but cannot access other students' information. So we have some policies, some requirements for our organization, and we try to implement them using these functions. Auditing is making sure that we are actually implementing those policies. We check: is our access control actually controlling the resources correctly? We do checks and logging to make sure it works correctly. So there are different related entities there. We know about authentication functions; we're now going to focus on access control functions. The other parts: authentication checks the user; authorization gives some permissions (this user can access these files); and auditing is some review of the system to make sure that everything's working correctly. Let's look at access control. There are three main approaches, called policies, for access control: discretionary, mandatory and role-based access control, or DAC, MAC and RBAC. We'll go through each of them with some examples. In discretionary access control, we have the identity of some user, someone who's requesting to access some resource, and we have a set of rules. Those rules are defined so that they determine, for the person requesting access to a resource, what resources they can access, so what they're allowed to access. We'll see that in some detail. Discretionary means that the user is allowed to modify who can access particular resources; they have some discretion in changing these rules.
We'll see that users may allow other users to access resources. The idea is that if I have my own file on the computer system, I'm allowed to change that file or delete it, and I may be able to grant someone else permission to also read that file. That's the discretionary part: users can allow other users to access some resources. In mandatory access control, you cannot do that. There's no ability for the normal users, the entities, to grant access to a resource to others. It's stricter from that perspective. In mandatory access control we have what we call security labels and clearances: resources have some label and users have some clearance. The common example, and the main place it's used, is a military or defense organization which has clearance levels of classified, secret, top secret, so different levels of security clearance. Someone who is cleared at secret should be able to read information or access resources which are secret or at any level below, but someone who's cleared at secret should not be able to read files which are top secret. So we have some levels of security, users have some clearance, and that determines what resources they can access, because resources are labeled with those levels as well. We'll see an example of that too. In role-based access control, we'll see that users are assigned roles, and then, similar to discretionary access control, the control of who can access resources is based upon roles. For example, students are assigned the role student in the Moodle website. A student on the Moodle website can do certain things, like take a quiz for their course, but they cannot view the results of other students, whereas the teacher role on the website can have different permissions than the student role. So the idea, and I'll show you an example of that one as well, is that we can assign users to particular roles and control who can access resources based on those roles.
So those are the three main types. Not mutually exclusive means that there's some overlap: we can have mechanisms that use concepts from each of these. It's not that we choose one of the three; in practice, we can implement access control using concepts from multiple. But we'll just cover the basics and explain the difference between those three. In all types of access control, we have some general requirements for it to work well, and we need to meet these requirements. Reliable input means that the inputs that we need are correct. The main input is user identity, which most systems rely on. That is, we set up the system such that user Steve can access these files; the input in this case is to make sure that the actual logged-in user is in fact Steve, and that's performed using authentication. So we assume authentication is reliable, that it works. If authentication doesn't work, our access control will not work. That's the basics there. Fine and coarse specifications are generally required. That means that, if we think of resources as files, we should be able to say at a fine level that a particular user can access this particular file, so at a very detailed level. And at a coarse level we should be able to say that this set of users can access this set of files. Rather than having to specify for every individual user and every individual file, we can do it at a coarse level and say this system allows these 100 users to access any of these 1,000 files. So we should be allowed to be very fine and detailed in specifying who can access what, but also allow a very coarse specification of who can access what. We'll see some examples of that. We should try to set up an access control system that uses least privilege. This is the principle that when we authorize users to do something, we give them the least privileges such that they can perform their job.
So a student needs to be able to take a quiz. In an online system like Moodle, a student needs the privilege to be able to attempt the quiz. They don't need the privilege to be able to view other students' information. So we set up the system to give the student as few privileges as possible such that they can perform their function. Another example: I'm a faculty member. I don't need to know the personal information and GPAs of students in other schools in SIT. I don't teach their students, so I don't need to know their information. The system should be set up such that I don't have access to those things; I only get the privileges that are necessary to perform my job. We'll see some examples of that as we go through. Separation of duty is saying that, again, you have a duty in your job. You're the faculty member, so you get these privileges. But sometimes you may be a faculty member and also the head of school, and those are two different duties. A faculty member may teach particular courses and needs privileges to teach those particular courses, but as head of school they need a different set of privileges. So we separate the duties that they have and assign access control based upon those separate duties. Open and closed policies: think of the default. An open policy says that everyone can access everything, and then we assign rules that limit what people can access. Take the files on a shared computer system. An open policy would be to say every user can access every file, and then I would set some rules to limit that: this user cannot access this file, that user cannot access that file, and I would start to close the system. The opposite, a closed policy, is to say that initially no user can access any files on my system, and then I would add rules to say this user can access this file, that user can access that file. So think of open and closed policies as what our initial position is.
What's our default policy? We'll see some examples of that. Generally we start with closed policies. Policy combinations: again, policies are our requirements, from an organization's perspective, and sometimes we have many different policies. We need to be able to implement an access control system that implements those policies and make sure that there are no conflicts. One policy may say faculty members cannot access student GPA information, but another policy may allow faculty members to access GPAs of students. There's a conflict there, so we need to be able to deal with that somehow; maybe we take the least-privilege approach. Administrative policies just means that we need to be able to allow someone to administer the system, and we have some policies to make sure that the admin user doesn't do something bad. The admin user shouldn't set up the system so that anyone can access it. Dual control means that we should be allowed to have multiple admins, so that multiple people can control the system. We'll see some of these requirements come up in specific examples as we go through the different policies. In the different types of access control, we have three basic elements: subjects, objects and access rights. Subjects are the entities capable of accessing resources. Usually they are software processes on computer systems, but often those software processes are run by human users. So sometimes we think of the subject as a human, a person, but usually it's a piece of software acting on behalf of that person. When I run a command to copy a file, the software that implements the copy procedure must have permission to copy that file. That software is working on my behalf, the user's behalf, but the subject is the entity that can access the resource. Often we'll classify the subjects, and there are three main classes we'll see, though others are possible:
the owner of a resource, a group that the subject is in, and everyone else, the rest of the world. Objects are the resources. So what do we want to control access to? Think of anything on a disk: disk records, blocks on a disk if you think of a file system, pages of memory. Files are the common example we'll use, but it doesn't just have to be files that we control. Portions of files, so I control who can access the first 100 lines of this particular file; directories, related to files; email boxes; software; the communication capabilities of a computer system. These are the resources. We will commonly use files as an example, as it's the easiest one to think about. That is, think of your computer: you have a set of files and directories on it, and you want to control who can access those files. How do we access them? We have some right to do something on that file. An access right describes how a subject can access an object. Some examples of rights: read, meaning you can read the file and see its contents; write, meaning you can modify the file, that is, open it up and edit it, changing it. Just reading the file doesn't mean you can modify the file. Execute: we can execute a file, run a program. Also delete objects, create new objects, search objects. So there are different possible access rights, and different systems will use a different set of access rights. The common ones we'll see are read, write and execute, but others are possible. So we have a computer system with many resources and multiple users or subjects, and we want to control which subjects can access which resources; specifically, the access can be defined by a set of rights. Those are the concepts. Let's, in the last few minutes, have an introduction to discretionary access control, and let's go straight to an example. Imagine on a computer system we have a set of objects.
In this case, four files on a hard disk are our objects. We have a set of subjects, three users: user A, B and C. And we have a set of access rights; in this case, the rights are distinguished as own, read and write. This matrix specifies the access control system. It says that user A owns file one and file three. They can read those files, which means they can open them up and see the contents, and they can write to those files, which means normally that they can edit the file and often includes deleting the file: if you can edit a file, you can remove its contents, which is effectively deleting the file. So for these two files, user A can do these operations. User B has these access rights: for file one, which is owned by user A, user B can also read the file, but they cannot write to it. So they can see the contents but cannot modify them. They own, can read and can write file two; file three, they can write to it. Normally writing includes the ability to read, because if you want to modify the contents of the file, you need to be able to read the contents of the file. So it's common to assume read means just see the contents of the file, and write means see the contents of the file and modify the contents of the file. And user C has these access rights. So this is the basics of discretionary access control: we have a set of objects to control access to, we have a set of subjects who want to be able to access those objects, and we have access rights, and we define who can access what. This is done in a matrix; we'll see there are other ways to define it, but that's the basics. Again, if we're the owner, it depends upon the definition of these access rights as to what ownership really means. It may mean that we can read and write the file. But we could be the owner of the file and not be able to write the file.
What that could mean is that the owner is allowed to change the access rights on this file. Let's say user C has the access right own on file four, but not the access rights read or write. That may mean that currently user C cannot read this file, they cannot see the contents, but they own it. What ownership commonly means is that if you own the file, you can change the access rights on the file. So user C could change file four such that they can read the file or they can write the file, or user C could change file four such that another user can read and write the file. Ownership commonly means we can change the access rights. And this is, remember, discretionary access control: users are allowed to change the access rights on the resources; they have some discretion to do so. In mandatory access control, we don't allow that. You see this on many operating systems; most operating systems you use have this form of access control, basically on file systems. If we have many files, thousands of files on your computer system, and many subjects, many users, then it becomes inefficient to create such a matrix, because we have to list every file, say 100,000 files, and for every user identify the access rights. So we commonly store this information not in a matrix but in a list. This is just a different data structure to represent that same information, exactly the same rights as in this diagram. For example, user A owns, reads and writes file one; we just store it in a different data structure. Here, for file one, we have a data structure, a list, that says user A owns, reads and writes this file; user B can read this file; user C can read and write this file. For file two, B and C have some access rights. So it's just a different way to specify that same information in a more compact form, but it's the same access rights, as you can check. That's an access control list. Another way is a capability list.
In an access control list, for each file we say which users can access that file. The other way is to say, for each user, what files they can access. So the three diagrams are all the same, just represented in different ways. User A can access these two files, and these are their access rights. User B can access four files, and these are their access rights for those particular files. You can check that and see that they're all identical. Normally your operating system or your file system will store data structures similar to access control lists or capability lists; those are compact forms. Okay, that's the start on access control. We want to make sure certain users cannot access certain resources; that's the idea: control who can access what resources. We've introduced discretionary access control. Next lecture we'll look at the other two approaches, summarize this one, and then show some examples on the Linux file system and see how it works there. So enough for today.
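The following is an added example, not part of the lecture. It holds the three-user, four-file matrix described above in all three forms (access matrix, access control list, capability list), checks that they carry identical rights, makes a closed-policy (default-deny) access decision in which write implies read as the lecture assumes, and models the discretionary part: only a holder of "own" may change the rights on a file. The rights of A and B on files one to three and C's ownership of file four follow the lecture; the remaining matrix entries are constructed for this example.

```python
"""Added example: one set of DAC rights held as a matrix, an ACL and a
capability list, with a default-deny check and owner-only granting."""
from typing import Dict, Set

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]   # subject -> object -> rights
ACL = Dict[str, Dict[str, Rights]]      # object -> subject -> rights

# Constructed data modelled on the lecture's 3-user / 4-file matrix.
# A's and B's rights on file1-file3 and C's "own" on file4 follow the
# lecture; the remaining entries are assumptions made for this example.
MATRIX: Matrix = {
    "A": {"file1": {"own", "read", "write"}, "file3": {"own", "read", "write"}},
    "B": {"file1": {"read"}, "file2": {"own", "read", "write"},
          "file3": {"write"}, "file4": {"read"}},
    "C": {"file1": {"read", "write"}, "file2": {"read"}, "file4": {"own"}},
}


def to_acl(matrix: Matrix) -> ACL:
    """Column view: for each object, which subjects hold which rights."""
    acl: ACL = {}
    for subj, objs in matrix.items():
        for obj, rights in objs.items():
            acl.setdefault(obj, {})[subj] = set(rights)
    return acl


def to_capabilities(matrix: Matrix) -> Matrix:
    """Row view: for each subject, which objects it may access and how."""
    return {subj: {obj: set(r) for obj, r in objs.items()}
            for subj, objs in matrix.items()}


def acl_to_matrix(acl: ACL) -> Matrix:
    """Inverse of to_acl, used to confirm all three views carry the same rights."""
    matrix: Matrix = {}
    for obj, subjs in acl.items():
        for subj, rights in subjs.items():
            matrix.setdefault(subj, {})[obj] = set(rights)
    return matrix


def effective_rights(acl: ACL, subj: str, obj: str) -> Rights:
    """Closed policy: a missing entry means no rights at all (default deny).
    As the lecture assumes, holding 'write' also lets the subject read."""
    rights = set(acl.get(obj, {}).get(subj, set()))
    if "write" in rights:
        rights.add("read")
    return rights


def check(acl: ACL, subj: str, obj: str, right: str) -> bool:
    """Reference-monitor decision for one (subject, object, right) request."""
    return right in effective_rights(acl, subj, obj)


def grant(acl: ACL, granter: str, subj: str, obj: str, right: str) -> None:
    """Discretionary change: only a holder of 'own' on obj may alter its rights,
    so an owner without read can give read to itself or to another user."""
    if "own" not in acl.get(obj, {}).get(granter, set()):
        raise PermissionError(f"{granter} does not own {obj}")
    acl.setdefault(obj, {}).setdefault(subj, set()).add(right)


if __name__ == "__main__":
    acl = to_acl(MATRIX)
    print(acl_to_matrix(acl) == MATRIX)       # True: same rights, other shape
    print(check(acl, "B", "file1", "read"))    # True
    print(check(acl, "B", "file1", "write"))   # False: B may only read file1
    print(check(acl, "B", "file3", "read"))    # True: write implies read
    print(check(acl, "C", "file4", "read"))    # False: owns it, no read yet
    grant(acl, "C", "C", "file4", "read")      # owner changes the rights
    print(check(acl, "C", "file4", "read"))    # True
```

The ACL form is what a file system consults on every open: it looks up the one object being touched and sees only the subjects that have entries on it, instead of scanning a row of 100,000 file columns. The capability form answers the opposite question (what may this user touch?) with the same rights, which is why the round trip through acl_to_matrix must give back the original matrix.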