Wednesday, May 9, 2007

Access Control Overview

Controlling access to resources is one of the central themes of security. Access control addresses more than just controlling which users can access which files or services. Access control is about the relationships between subjects and objects. The transfer of information from an object to a subject is called access. However, access is not just a logical or technical concept; don't forget about the physical realm, where access can be disclosure, use, or proximity. A foundational principle of access control is to deny access by default if access is not granted specifically to a subject.


Subjects are active entities that, through the exercise of access, seek information about or data from passive entities, or objects. A subject can be a user, program, process, file, computer, database, and so on. An object can be a file, database, computer, program, process, file, printer, storage media, and so on. The subject is always the entity that alters information about or data stored within the object. The object is always the entity that provides or hosts the information or data. The roles of subject and object can switch as two entities, such as a program and a database or a process and a file, communicate to accomplish a task.
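The sketch below is an added example, not part of the original post: a small access matrix in Python that denies by default and shows one entity acting as an object in one relationship and as a subject in another. The entity names (`user:alice`, `program:report_tool`, `db:payroll`) and the right names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AccessMatrix:
    # Maps (subject, object) -> set of rights explicitly granted.
    grants: dict = field(default_factory=dict)

    def grant(self, subject, obj, *rights):
        self.grants.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, right):
        self.grants.get((subject, obj), set()).discard(right)

    def is_allowed(self, subject, obj, right):
        # Default deny: no entry for this pair, or no such right, means no access.
        return right in self.grants.get((subject, obj), set())

    def roles_of(self, entity):
        # Which roles an entity currently plays across all non-empty grants.
        roles = set()
        for (subject, obj), rights in self.grants.items():
            if not rights:
                continue
            if subject == entity:
                roles.add("subject")
            if obj == entity:
                roles.add("object")
        return roles


def build_example():
    # Constructed sample policy: a user runs a program, the program reads a database.
    m = AccessMatrix()
    m.grant("user:alice", "program:report_tool", "execute")
    m.grant("program:report_tool", "db:payroll", "read")
    return m


if __name__ == "__main__":
    m = build_example()
    checks = [
        ("user:alice", "program:report_tool", "execute"),
        ("program:report_tool", "db:payroll", "read"),
        ("user:alice", "db:payroll", "read"),            # never granted directly
        ("program:report_tool", "db:payroll", "write"),  # right not granted
    ]
    for subject, obj, right in checks:
        verdict = "ALLOW" if m.is_allowed(subject, obj, right) else "DENY"
        print(f"{verdict:5} {subject} -> {obj} [{right}]")
    print("report_tool roles:", sorted(m.roles_of("program:report_tool")))
```

In this model a grant to the program does not carry over to the user who runs it: each subject-object pair is evaluated on its own entry.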