Broken access control

Introduction :-

Authentication and authorization, although often confused, serve distinct purposes. Authentication verifies the identity of a user, whereas authorization determines the user’s level of access.

Types of broken access control :-

  1. Vertical Access Control
  2. Horizontal Access Control
  3. Context-Dependent Access Control

1. Vertical Access Control :-

Vertical access control mechanisms limit access to critical functions based on user types.

In vertical access control, varying user types are granted access to specific application functions. For instance, an administrator may have permissions to modify or delete any user account, whereas a standard user does not possess such capabilities.

The diagram illustrates that admin users can access resources and functions requiring administrative privileges, while regular users can only access resources and functions designed for user-level privileges. Vertical access control is what prevents regular users from reaching the resources and functions that demand admin privileges.

2. Horizontal Access Control :-

Horizontal access control mechanisms limit access to resources to users who are explicitly authorized to access those resources.

In horizontal access control, different users are granted access to a specific subset of resources of the same type. For instance, within a banking application, a user can view transactions and make payments from their own accounts but cannot access accounts belonging to other users.

The diagram illustrates that each user can access their own designated resources and perform related actions. However, users cannot access resources or perform actions associated with other users, even when those users share the same regular privilege level. This exemplifies horizontal access control.

3. Context-Dependent Access Control :-

Context-dependent access control mechanisms limit access to functionality and resources based on the state of the application or the user’s interactions with it. These controls prevent users from performing actions in an incorrect sequence.
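The three control types above, combined in one deny-by-default authorization gate for the banking scenario, as an added example that is not part of the original article: the User and Transfer types, the action names, the constructed ACCOUNT_OWNERS sample data and the functions authorize, is_allowed and advance_transfer are all assumed for illustration. The gate also shows that role membership alone does not grant ownership, so an admin still cannot read an account it does not own.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised when a request fails any of the three checks."""

@dataclass
class User:
    user_id: str
    role: str  # "user" or "admin"

@dataclass
class Transfer:
    account_id: str
    state: str = "draft"  # draft -> confirmed -> executed

# Constructed sample data: which user owns which bank account.
ACCOUNT_OWNERS = {"acc-1": "alice", "acc-2": "bob"}
# Vertical control: the functions each role may call at all (deny by default).
ROLE_PERMISSIONS = {
    "user": {"view_account", "confirm_transfer", "execute_transfer"},
    "admin": {"view_account", "confirm_transfer", "execute_transfer", "delete_user"},
}
# Context-dependent control: the state a transfer must be in before each step.
REQUIRED_STATE = {"confirm_transfer": "draft", "execute_transfer": "confirmed"}
NEXT_STATE = {"confirm_transfer": "confirmed", "execute_transfer": "executed"}

def authorize(actor: User, action: str, account_id=None, transfer=None) -> None:
    """Gate run before every handler; raises AccessDenied on the first failure."""
    if action not in ROLE_PERMISSIONS.get(actor.role, set()):          # vertical
        raise AccessDenied(f"role {actor.role!r} may not call {action}")
    if account_id is not None and ACCOUNT_OWNERS.get(account_id) != actor.user_id:
        raise AccessDenied(f"{actor.user_id} does not own {account_id}")  # horizontal
    if action in REQUIRED_STATE:                                        # context
        current = transfer.state if transfer else "missing"
        if current != REQUIRED_STATE[action]:
            raise AccessDenied(f"{action} not allowed while transfer is {current}")

def is_allowed(actor, action, account_id=None, transfer=None) -> bool:
    """Boolean view of authorize(), for tests and for hiding UI controls."""
    try:
        authorize(actor, action, account_id, transfer)
        return True
    except AccessDenied:
        return False

def advance_transfer(actor: User, transfer: Transfer, action: str) -> str:
    """Confirm or execute a transfer: authorize first, then move the state machine."""
    authorize(actor, action, account_id=transfer.account_id, transfer=transfer)
    transfer.state = NEXT_STATE[action]
    return transfer.state
```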

Access Control Security Models

Role-Based Access Control (RBAC) :-

Role-Based Access Control (RBAC) relies on individuals’ roles and responsibilities within an organization or user base to make access decisions. Defining roles typically involves analyzing the organization’s goals and structure, and is closely tied to the security policy.

For example, in a medical setting, user roles might include doctors, nurses, attendants, and patients. Each role requires different levels of access to perform specific functions, with web transactions and permitted contexts varying based on security policies and relevant regulations.

RBAC works best when the number of roles is large enough to express the required access controls, yet small enough that the model does not become overly complex and difficult to manage.

Discretionary Access Control (DAC) :-

Discretionary Access Control (DAC) restricts access to resources or functions based on specific users or named user groups. Owners of resources have the ability to assign or delegate access permissions to individual users. This model offers fine-grained control, where access rights are defined at the level of each resource or function and for each user. However, this level of granularity can lead to significant complexity in design and management.

Key features of DAC include:

  • Discretionary: Access controls are not automatically enforced by the operating system.
  • Controllable: Permissions are managed by the owner or administrator of the object (such as a file or folder).
  • Transferable: Owners can transfer control of resources, allowing them to delegate access to others.

Mandatory Access Control (MAC) :-

Mandatory Access Control (MAC) ensures that organizational security policies are enforced without relying on voluntary compliance from web application users. MAC secures information by assigning sensitivity labels to information and comparing these labels to the sensitivity level assigned to users.

MAC is typically suitable for highly secure systems, such as multilevel secure military applications or mission-critical data applications.

Unlike Discretionary Access Control (DAC), in MAC, users and resource owners cannot delegate or modify access rights for their resources.
