(1) Vendor supplied system software, external to the operating system, used to specify who has access to a system, who has access to specific resources, and what capabilities are granted to authorized users. (2) Access control software can generally be implemented in different modes that provide varying degrees of protection, such as (i) denying access for which the user is not expressly authorized, (ii) allowing access which is not expressly authorized but providing a warning, or (iii) allowing access to all resources without warning regardless of authority.
A type of access control specification in which a user, program, and data items (a triple) are listed for each allowed operation.
A design principle for security mechanisms based on a user’s fear of detection of violations of security policies rather than absolute prevention of violations.
The hierarchical portion of the security level used to identify data sensitivity and user clearance or authorization. Note: The access level and the non-hierarchical categories form the sensitivity label of an object.
Synonymous with access control list (ACL).
Access logs will capture records of computer events about an operating system, an application system, or user activities. Access logs feed into audit trails.
A two-dimensional array consisting of objects and subjects, where the intersections represent permitted access types.
The technique used for selecting records in a file for processing, retrieval, or storage
A distinct operation recognized by protection mechanisms as possible operations on an object. Read, write, and append are possible modes of access to a file, while whereas “execute” is an additional mode of access to a program.
A password used to authorize access to data and distributed to all those who are authorized similar access to those data. This is a preventive and technical control.
The sequence of hardware and software components significant to access control. Any component capable of enforcing access restrictions, or any component that could be used to bypass an access restriction should be considered part of the access path. The access path can also be defined as the path through which user requests travel, including the telecommunications software, transaction processing software, and applications software.
A segment of time, generally expressed on a daily or weekly basis, during which access rights prevail.
A logical or physical identifier that a computer uses to distinguish different terminal input/output data streams.
Deciding who gets what priority in accessing a system. Access priorities are based on employee job functions and levels rather than data ownership.
Precise statements defining the extent to which an individual can access computer systems and use or modify programs and data on the system. Statements also define under what circumstances this access is allowed.
There are at least two types of access profiles: user profile and standard profile. (1) A user profile is a set of rules describing the nature and extent of access to each resource that is available to each user. (2) A standard profile is a set of rules describing the nature and extent of access to each resource that is available to a group of users with similar job duties, such as accounts payable clerks.
Clear action statements describing expected user behavior in a computer system. Access rules reflect security policies and practices, business rules, information ethics, system functions and features, and individual roles and responsibilities, which collectively form access restrictions. Access rules are often described as user security profiles (access profiles). Access control software implements access rules.
A risk reducing principle that attempts to avoid prolonging access time to specific data or to the system beyond what is needed to carry out requisite functionality.
The nature of an access right to a particular device, program, or file (e.g., read, write, execute, append, modify, delete, or create).
The ability to obtain the use of a computer system or a resource or the ability and means necessary to store data, retrieve data, or communicate with a system.
Involves (1) the process of requesting, establishing, issuing, and closing user accounts, (2) tracking users and their respective access authorizations, and (3) managing these functions.