Page 951 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Access control addresses more than just controlling which users can access which files or services. It is about the relationships between entities (that is, subjects and objects). Access is the transfer of information from an object to a subject, which makes it important to understand the definition of both subject and object.

Subject: A subject is an active entity that accesses a passive object to receive information from, or data about, an object. Subjects can be users, programs, processes, services, computers, or anything else that can access a resource. When authorized, subjects can modify objects.

Object: An object is a passive entity that provides information to active subjects. Some examples of objects include files, databases, computers, programs, processes, services, printers, and storage media.

You can often simplify the access control topics by substituting the word user for subject and the word file for object. For example, instead of a subject accesses an object, you can think of it as a user accesses a file. However, it's also important to remember that subjects include more than users and objects include more than just files.

You may have noticed that some examples, such as programs, services, and computers, are listed as both subjects and objects. This is because the roles of subject and object can switch back and forth. In many cases, when two entities interact, they perform different functions. Sometimes they may be requesting information and other times providing information. The key difference is that the subject is always the active entity that receives information about, or data from, the passive object. The object is always the passive entity that provides or hosts the information or data.
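The following is an added example, not code from the study guide: a tiny reference-monitor model in which a web application is the object when a user requests a page from it and the subject when it reads a cookie from the user's computer or queries a database. Each hop is a separate (subject, object, operation) decision, and permissions are directional. The entity names and the sample policy are constructed for illustration.

```python
"""Subject/object roles modelled per access, not per entity (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    subject: str    # active entity that requests/receives the information
    object: str     # passive entity that provides or hosts the information
    operation: str  # e.g. "read" or "write"


class ReferenceMonitor:
    """Access matrix: (subject, object) -> set of permitted operations."""

    def __init__(self) -> None:
        self.matrix: dict[tuple[str, str], set[str]] = {}

    def grant(self, subject: str, obj: str, *operations: str) -> None:
        self.matrix.setdefault((subject, obj), set()).update(operations)

    def is_permitted(self, access: Access) -> bool:
        # Directional: (webapp -> database) says nothing about (database -> webapp)
        return access.operation in self.matrix.get((access.subject, access.object), set())


def web_page_request(monitor: ReferenceMonitor, user: str) -> list[tuple[Access, bool]]:
    """Flow from the text: user -> web app -> (cookie on user's PC, database).
    Returns every hop together with the monitor's decision for it."""
    hops = [
        Access(user, "webapp", "read"),                 # webapp is the OBJECT here
        Access("webapp", f"{user}-pc:cookie", "read"),  # webapp is now the SUBJECT
        Access("webapp", "database", "read"),           # webapp is still the subject
    ]
    return [(hop, monitor.is_permitted(hop)) for hop in hops]


def build_example_monitor() -> ReferenceMonitor:
    # Constructed sample policy (hypothetical names, not from the page)
    m = ReferenceMonitor()
    m.grant("alice", "webapp", "read")
    m.grant("webapp", "alice-pc:cookie", "read")
    m.grant("webapp", "database", "read")
    return m


if __name__ == "__main__":
    for hop, ok in web_page_request(build_example_monitor(), "alice"):
        print(f"{hop.subject:>7} -> {hop.object:<16} {hop.operation}: "
              f"{'permitted' if ok else 'denied'}")
```

Run with a user the policy does not know and the first hop is denied while the web application's own subject-role hops are still evaluated independently.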


As an example, consider a common web application that provides dynamic web pages to users. Users query the web application to retrieve a web page, so the application starts as an object. The web application then switches to a subject role as it queries the user's computer to retrieve a cookie and then queries a database to retrieve