These are my reading notes for Code Fellows
Access control minimizes the risk of authorized access to physical and computer systems, forming a foundational part of information security, data security and network security. (source)
An app that has sensitive data, and various levels of permissions. The CRM that Cullen Sharp and I built in week 2 of Code 401 is a good example. Salespeople and Account Managers had different levels of permissions that restricted how much data they could access (specifically for AM’s).
Roles are what limit the permissions. Using the CRM example, a salesperson had full CRUD permissions, whereas Account Managers could only RU.
When a user attempts to access a resource under Mandatory Access Control (MAC) the operating system checks the user’s classification and categories and compares them to the properties of the object’s security label. If the user’s credentials match the MAC security label properties of the object access is allowed. It is important to note that both the classification and categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object… Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems… under DAC a user can only set access permissions for resources which they already own. A hypothetical User A cannot, therefore, change the access control for a file that is owned by User B. (source)
MAC is the most secure, but there are a lot of moving parts to make sure various user permissions line up with an object’s ‘security label’. That would make it difficult to scale quickly. DAC, on the other hand, is very limited in its scope. Role-based seems alleviate these issues.
Authorization is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. (source)
…assigns permissions to particular roles in an organization. Users are then assigned to that particular role. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the developer role. (source)
Capabilities and access control lists (ACLs) actually have a fairly symmetric relationship: in an access control list model of security, the authorities are bound to the objects being secured; in the capabilities model, the authorities are bound to objects seeking access. (source)