Page 1022 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

and have an acronym. As an example, Role Based Access Control (RBAC) has the first letter in each word as uppercase and is abbreviated with the RBAC acronym.


Attribute Based Access Control A key characteristic of the Attribute Based Access Control (ABAC) model is its use of rules that can include multiple attributes. This allows it to be much more flexible than a rule-based access control model that applies the rules to all subjects equally. Many software-defined networks use the ABAC model. Additionally, ABAC allows administrators to create rules within a policy using plain-language statements such as “Allow Managers to access the WAN using a mobile device.”

Mandatory Access Control A key characteristic of the Mandatory Access Control (MAC) model is the use of labels applied to both subjects and objects. For example, if a user has a label of top secret, the user can be granted access to a top-secret document. In this example, both the subject and the object have matching labels. When documented in a table, the MAC model sometimes resembles a lattice (such as one used for a climbing rosebush), so it is referred to as a lattice-based model.


Discretionary Access Controls

A system that employs discretionary access controls allows the owner, creator, or data custodian of an object to control and define access to that object. All objects have owners, and access control is based on the discretion or decision of the owner. For example, if a user creates a new spreadsheet file, that user is both the creator of the file and the owner of the file. As the owner, the user can modify the permissions of the file to grant or deny access to other users. Data owners can also delegate day-to-day tasks for handling data to data custodians, giving data custodians the ability to modify permissions. Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities.
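The three models described above (ABAC rules over several attributes, MAC label comparison on an ordered lattice, and DAC with an owner-controlled ACL) as one added example; this is constructed illustration code, not from the study guide, and the attribute names, label levels and principals are assumptions.

```python
"""Minimal ABAC, MAC and DAC decision functions (constructed example)."""
from dataclasses import dataclass, field


# --- ABAC: a rule is a set of attribute conditions that must all hold. ---
@dataclass
class AbacRule:
    effect: str        # "allow" or "deny"
    conditions: dict   # attribute name -> required value


def abac_decision(rules, request):
    """Default deny: the first rule whose conditions all match decides."""
    for rule in rules:
        if all(request.get(attr) == value for attr, value in rule.conditions.items()):
            return rule.effect
    return "deny"


# The plain-language statement from the text, encoded as attributes of the
# subject (role), the object (resource) and the environment (device type).
ABAC_POLICY = [
    AbacRule("allow", {"role": "manager", "resource": "WAN", "device": "mobile"}),
]


# --- MAC: labels are ordered; a subject may read an object it dominates. ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_allowed(subject_label, object_label):
    """Subject clearance must be at least the object's classification."""
    return LEVELS[subject_label] >= LEVELS[object_label]


# --- DAC: the object's owner maintains the ACL at their own discretion. ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of permissions

    def grant(self, actor, principal, perm):
        """Only the owner may change the ACL (the discretionary part)."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(principal, set()).add(perm)

    def allowed(self, principal, perm):
        """The owner always has access; others need an explicit ACL entry."""
        return principal == self.owner or perm in self.acl.get(principal, set())
```

Note that the ABAC request is evaluated on the combination of attributes, so a manager on a desktop is denied, whereas the MAC check depends only on the two labels.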

A DAC model is implemented using access control lists (ACLs) on objects. Each ACL defines the types of access granted or denied to