Page 500 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

               of access control can be accomplished by storing on each subject a list
               of rights the subject has for every object. This effectively gives each
               user a key ring of accesses and rights to objects within the security
               domain. To remove access to a particular object, every user (subject)
               that has access to it must be individually manipulated. Thus,
               managing access on each user account is much more difficult than
               managing access on each object (in other words, via ACLs).

               Implementing an access control matrix model usually involves the
               following:

                    Constructing an environment that can create and manage lists of
                    subjects and objects

                    Crafting a function that can return the type associated with
                    whatever object is supplied to that function as input (this is
                    important because an object's type determines what kind of
                    operations may be applied to it)

               The access control matrix shown in Table 8.1 is for a discretionary
               access control system. A mandatory or rule-based matrix can be
               constructed simply by replacing the subject names with classifications
               or roles. Access control matrixes are used by systems to quickly
               determine whether the requested action by a subject for an object is
               authorized.


               TABLE 8.1 An access control matrix

                Subjects   Document file          Printer                             Network folder share
                Bob        Read                   No Access                           No Access
                Mary       No Access              No Access                           Read
                Amanda     Read, Write            Print                               No Access
                Mark       Read, Write            Print                               Read, Write
                Kathryn    Read, Write            Print, Manage Print Queue           Read, Write, Execute
                Colin      Read, Write, Change    Print, Manage Print Queue, Change   Read, Write, Execute, Change
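As an added illustration (not code from the study guide), the following Python stores Table 8.1 as per-subject capability lists, derives an object's ACL from the same data, consults the object's type before authorizing an operation, and shows why revoking access to one object under the capability view means touching every subject. The set of operations valid for each object type is an assumption made for this example.

```python
# Operations each object type supports (constructed for this example: the book
# says an object's type determines which operations may be applied to it).
TYPE_OPERATIONS = {
    "file": {"Read", "Write", "Change"},
    "printer": {"Print", "Manage Print Queue", "Change"},
    "share": {"Read", "Write", "Execute", "Change"},
}
# Object name -> object type; object_type() below is the lookup the text mentions.
OBJECT_TYPES = {"Document file": "file", "Printer": "printer",
                "Network folder share": "share"}

# Table 8.1 stored row-by-subject, i.e. as capability lists ("key rings").
MATRIX = {
    "Bob":     {"Document file": {"Read"}},
    "Mary":    {"Network folder share": {"Read"}},
    "Amanda":  {"Document file": {"Read", "Write"}, "Printer": {"Print"}},
    "Mark":    {"Document file": {"Read", "Write"}, "Printer": {"Print"},
                "Network folder share": {"Read", "Write"}},
    "Kathryn": {"Document file": {"Read", "Write"},
                "Printer": {"Print", "Manage Print Queue"},
                "Network folder share": {"Read", "Write", "Execute"}},
    "Colin":   {"Document file": {"Read", "Write", "Change"},
                "Printer": {"Print", "Manage Print Queue", "Change"},
                "Network folder share": {"Read", "Write", "Execute", "Change"}},
}

def object_type(obj):
    """Return an object's type; an unknown object raises KeyError (fail closed)."""
    return OBJECT_TYPES[obj]

def is_authorized(subject, obj, operation):
    """Matrix lookup: the operation must be valid for the object's type and
    present in the subject's cell for that object. A missing cell is No Access."""
    if operation not in TYPE_OPERATIONS[object_type(obj)]:
        return False
    return operation in MATRIX.get(subject, {}).get(obj, set())

def acl_for(obj):
    """Column view: derive one object's ACL from the same matrix."""
    return {s: set(r[obj]) for s, r in MATRIX.items() if r.get(obj)}

def revoke_object(obj):
    """Capability-list revocation: every subject holding rights to obj must be
    modified individually. Returns how many subject records were touched."""
    return sum(1 for rights in MATRIX.values() if rights.pop(obj, None))
```

With an ACL-per-object store, the same revocation would be a single deletion of that object's column.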