Question

A small financial firm is currently using ACL (Access Control List), a discretionary access control mechanism, for the protection of its resources (including computer systems and data files). As the firm is small, its resources are located in the same building and managed in the same domain. However, recently this firm is planning a merger with another firm, and if this merger is successful, its IT system will be transformed into a large-scale distributed system where resources will be managed in multiple domains. You have been asked to do a review of its access control strategy and to assess if ACL would still be adequate for the new IT system. Answer the following questions. 4. Contrast the two access control mechanisms, Capability and Role Based Access Control (RBAC), in terms of their respective working mechanisms (i.e. how access control is governed), strengths and limitations a. Contrast the two access control mechanisms, ACL and Capability, in terms of (i) ease of making an authorisation decision during execution; (ii) ease of adding access for a new subject; (iii) ease of deleting access by a subject; and (iv) ease of creating a new object to which all subjects by default have access to. Justify your answers to the questions. b. c. One of the suggestions for the new IT system is to apply mandatory access control to the system. Outline two main differences of mandatory access control from discretionary access control, and one main advantage of mandatory access control over discretionary access control

Answer 1

Solution 4. a)

Role bases access control is a mechanism which restricts the user to access the system as per role within an enterprise.

Suppose for a data warehousing system not all users can create the warehouses or large scale databases . Some have the access of only fetching the records or data while some have the access to manipulate the data and update the data as per requirement.

So basically role based access control provide the employees to use only those information which is related to them not the all infrastructure or information.

Hence the all employees can't access the sensitive data which belongs to the upper management or to the customer but in future if any employee starts working on that information then manager can grant access to that information which ultimately reduce the risk .

The role based access depends on various key terms such as responsibility , authorization , employees level etc.

Organisation can defined that which user is a specialist , admin or an end user by assigning the role accordingly.

So , the role based access can limit the specific tasks such as view , update , retrieve information or files .

Nowadays limiting the network access becomes important for the organisation which have huge number of employees.Even some of them are on third party , some are clients or vendors. In such scenario providing access becomes a difficult thing. So the company now depends on the Role based access so the smoothness in the work as well as data sensitive will be remain safe.