Used to implement additional access control.
Uses Windows NT account for authentication. Access is granted through the Explorer using MTS roles and Windows NT-based user and group accounts.
Security check is made when a process boundary is crossed.
The principal motivations behind RBAC are the ability to articulate and enforce enterprise-specific security policies and to streamline the typically burdensome process of security management.
| Programmatic Security Used to implement additional access control. |
| Declarative Security Uses Windows NT account for authentication. Access is granted through the Explorer using MTS roles and Windows NT-based user and group accounts. Security check is made when a process boundary is crossed. |
| Role is an abstraction that defines a logical group of users. |
| At development time, roles define declarative authorization and programmatic security logic. |
| At deployment time, you bind these roles to specific groups and users. |
| MTS checks roles for the component if the component is directly called by a client. |
| MTS will not check roles if one component in the package calls another component in the same package. |
Very basis of security of Windows NT native file system (NTFS).
List of Windows NT users or user groups with access permissions for each.
The permissions are usually targeted to the object the ACL protects.
Users who create object usually can manage its ACL.
Applications manage their data using ACL.
| More flexible than mandatory access control (MAC), but is easier to use than plain access control lists | ||
| Least Privilege
| ||
| Role Hierarchy
| ||
| RBAC Framework
| ||
| Distributed Systems
|
David F. Ferraiolo, Janet A. Cugine, and D. Richard Kuhn. Role-Based Access Control (RBAC): Features and Motivations. Computer Security Applications Conference, 1995.
