Information about Access Control List
In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file XYZ gives Alice permission to delete file XYZ.
In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether or not to proceed with the operation.
Systems that use ACLs can be classified into two categories, discretionary and mandatory. A system is said to have discretionary access control if the creator or owner of an object can fully control access to the object, including, for example, altering the object's ACL to grant access to anyone else. A system is said to have mandatory access control (also known as "non-discretionary access control" in the security literature) if it enforces system-wide restrictions that override the permissions stated in the ACL.
Traditional ACL systems assign permissions to individual users, which can become cumbersome in a system with a large number of users. In a more recent approach called role-based access control, permissions are assigned to roles, and roles are assigned to users.
The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file. These entries are known as access control entries (ACE) in the Microsoft Windows, OpenVMS, Linux and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
The ACL is a concept with several different implementations in various operating systems, although there is a POSIX "standard". (The POSIX security drafts, .1e and .2c, were withdrawn when it became clear their scope was too wide and the work would not complete, but the well-developed parts defining ACLs have been widely implemented and are known as "POSIX ACLs".)
This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.
In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether or not to proceed with the operation.
ACL-based security models
A key issue in the definition of any ACL-based security model is the question of how access control lists are edited. For each object, who can modify the object's ACL, and what changes are allowed?Systems that use ACLs can be classified into two categories, discretionary and mandatory. A system is said to have discretionary access control if the creator or owner of an object can fully control access to the object, including, for example, altering the object's ACL to grant access to anyone else. A system is said to have mandatory access control (also known as "non-discretionary access control" in the security literature) if it enforces system-wide restrictions that override the permissions stated in the ACL.
Traditional ACL systems assign permissions to individual users, which can become cumbersome in a system with a large number of users. In a more recent approach called role-based access control, permissions are assigned to roles, and roles are assigned to users.
File system ACLs
On file systems the process's user identifier (in POSIX, effective UID) is the principal means of control.The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file. These entries are known as access control entries (ACE) in the Microsoft Windows, OpenVMS, Linux and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
The ACL is a concept with several different implementations in various operating systems, although there is a POSIX "standard". (The POSIX security drafts, .1e and .2c, were withdrawn when it became clear their scope was too wide and the work would not complete, but the well-developed parts defining ACLs have been widely implemented and are known as "POSIX ACLs".)
Networking ACLs
In networking, ACL refers to a list of rules detailing service ports or (network) daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.
See also
- Standard Access Control List
- Access control
- Windows SID
- Computer security
- Access Control Matrix
- Capability-based security
- TCP Wrappers
- Token (Windows NT architecture)
- Extended file attributes
External links
- POSIX Access Control Lists on Linux
- RSBAC Access Control Lists on Linux
- Generic Access Control Lists for PHP/Perl
- Information Security Definitions: ACL
- Article "Security Briefs: Access Control List Editing in .NET" by Keith Brown
- MS Windows .NET ACL Technology
- What could have been IEEE 1003.1e/2c
References
Computer security is a branch of information security applied to both theoretical and actual computer systems. Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers.
..... Click the link for more information.
..... Click the link for more information.
In computer security, discretionary access control (DAC) is a kind of access control defined by the Trusted Computer System Evaluation Criteria[1] as "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
..... Click the link for more information.
..... Click the link for more information.
In computer security, mandatory access control (MAC) refers to a kind of access control defined by the Trusted Computer System Evaluation Criteria[1] as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the
..... Click the link for more information.
..... Click the link for more information.
In computer systems security, role-based access control (RBAC) [1] [2] is an approach to restricting system access to authorized users. It is a newer alternative approach to mandatory access control (MAC) and discretionary access control (DAC).
..... Click the link for more information.
..... Click the link for more information.
file system (often also written as filesystem) is a method for storing and organizing computer files and the data they contain to make it easy to find and access them.
..... Click the link for more information.
..... Click the link for more information.
In computing, a process is an instance of a computer program that is being sequentially executed.[1] While a program itself is just a passive collection of instructions, a process is the actual execution of those instructions.
..... Click the link for more information.
..... Click the link for more information.
User in a computing context refers to one who uses a computer system. Users may need to identify themselves for the purposes of accounting, security, logging and resource management.
..... Click the link for more information.
..... Click the link for more information.
POSIX (IPA: /ˈpɒsɪks/) or "Portable Operating System Interface" [1] is the collective name of a family of related standards specified by the IEEE to define the application programming interface (API) for
..... Click the link for more information.
..... Click the link for more information.
On Unix-like systems, users are represented by a user identifier, often abbreviated UID. The range of values for a UID varies amongst different systems; at the very least, a UID can be between 0 and 32767, with some restrictions:
..... Click the link for more information.
..... Click the link for more information.
Microsoft Windows
Screenshot of Windows Vista Ultimate, the latest version of Microsoft Windows.
Company/developer: Microsoft Corporation
OS family: MS-DOS/9x-based, Windows CE, Windows NT
Source model: Closed source
..... Click the link for more information.
Screenshot of Windows Vista Ultimate, the latest version of Microsoft Windows.
Company/developer: Microsoft Corporation
OS family: MS-DOS/9x-based, Windows CE, Windows NT
Source model: Closed source
..... Click the link for more information.
OpenVMS[1] (Open Virtual Memory System or just VMS) is the name of a high-end computer server operating system that runs on the VAX[2] and Alpha[3]
..... Click the link for more information.
..... Click the link for more information.
Linux (pronunciation: IPA: /ˈlɪnʊks/, lin-uks) is a Unix-like computer operating system. Linux is one of the most prominent examples of free software and open source development; its underlying source code can be
..... Click the link for more information.
..... Click the link for more information.
Mac OS X (IPA: /mæk.oʊ.ɛs.tɛn/) is a line of graphical operating systems developed, marketed, and sold by Apple Inc., the latest of which is pre-loaded on all currently shipping Macintosh computers.
..... Click the link for more information.
..... Click the link for more information.
An operating system (OS) is the software that manages the sharing of the resources of a computer. An operating system processes system data and user input, and responds by allocating and managing tasks and internal system resources as a service to users and programs of the
..... Click the link for more information.
..... Click the link for more information.
as a college campus, industrial complex, or a military base. A CAN, may be considered a type of MAN (metropolitan area network), but is generally limited to an area that is smaller than a typical MAN.
..... Click the link for more information.
..... Click the link for more information.
TCP and UDP are transport protocols used for communication between computers. The IANA is responsible for assigning port numbers to specific uses.
..... Click the link for more information.
Ranges
The port numbers are divided into three ranges.- The Well Known Ports are those in the range 0–1023.
..... Click the link for more information.
software port (usually just called a 'port') is a virtual data connection that can be used by programs to exchange data directly, instead of going through a file or other temporary storage location.
..... Click the link for more information.
..... Click the link for more information.
daemon (IPA pronunciation: /'dimən/ or /'deɪmən/[1]
..... Click the link for more information.
..... Click the link for more information.
Server Computer
The inside/front of a server computer
Connects to:
..... Click the link for more information.
The inside/front of a server computer
Connects to:
- Internet via one of
..... Click the link for more information.
network layer is the third layer out of seven in OSI model and the third layer out of five in TCP/IP model. In the TCP/IP reference model it is called the Internet layer.
..... Click the link for more information.
..... Click the link for more information.
Server Computer
The inside/front of a server computer
Connects to:
..... Click the link for more information.
The inside/front of a server computer
Connects to:
- Internet via one of
..... Click the link for more information.
router is a device that extracts the destination of a packet it receives, selects the best path to that destination, and forwards data packets to the next device along this path.[1] They connect networks together; a LAN to a WAN for example, to access the Internet.
..... Click the link for more information.
..... Click the link for more information.
firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.
..... Click the link for more information.
Function
..... Click the link for more information.
GNU Free Documentation License (GNU FDL or simply GFDL) is a copyleft license for free documentation, designed by the Free Software Foundation (FSF) for the GNU project.
..... Click the link for more information.
..... Click the link for more information.
Standard Access Control Lists (ACL) are Cisco IOS-based commands used to filter packets on Cisco routers based on the source IP Address of the packet. Extended Access Control Lists have the ability to filter packets based on source and destination
..... Click the link for more information.
..... Click the link for more information.
access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through
..... Click the link for more information.
..... Click the link for more information.
Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string) which is assigned by a Windows Domain controller during the log on process that is used to identify an object, such as a user or a group of users in a network of NT/2000
..... Click the link for more information.
..... Click the link for more information.
Computer security is a branch of information security applied to both theoretical and actual computer systems. Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers.
..... Click the link for more information.
..... Click the link for more information.
Access Control Matrix or Access Matrix is an abstract, formal computer protection[] and security model used in computer systems, that characterizes the rights of each subject with respect to every object in the system. It was first introduced by Butler W.
..... Click the link for more information.
..... Click the link for more information.
Capability-based security is a concept in the design of secure computing systems. A capability (known in some systems as a key) is a communicable, unforgeable token of authority.
..... Click the link for more information.
..... Click the link for more information.
This article is copied from an article on Wikipedia.org - the free encyclopedia created and edited by online user community. The text was not checked or edited by anyone on our staff. Although the vast majority of the wikipedia encyclopedia articles provide accurate and timely information please do not assume the accuracy of any particular article. This article is distributed under the terms of GNU Free Documentation License.
Herod_Archelaus
