HP OpenVMS Systems: SEVMS
Discretionary & Mandatory Access Controls

Discretionary Access Controls

Discretionary access controls restrict access to objects (files, devices, directories, etc.) based upon the identity of the user. The control is "discretionary" in that a user with certain access rights (such as ownership of the object) can grant or rescind the access rights of another user to that object.

Mandatory Access Controls

Unlike discretionary access controls, mandatory access controls (MAC) impose access restrictions in the form of security attributes which cannot be changed or bypassed by non-privileged users. MAC security attributes are set by the security administrator and are enforced by the operating system; they cannot be changed at the discretion of non-privileged users. Thus the term "mandatory" access controls.

The most common MAC models implement a set of hierarchical security levels and non-hierarchical security compartments. Each item of information is classified by level (e.g. Unclassified, Confidential, Secret, Top Secret) and one or more compartments (e.g. Project A, Project B, Project C). Each individual is assigned a clearance from the same set of classifications. The operating system then controls access to objects based upon these classifications.

Mandatory access control rules are straightforward and simple. Stated informally, a non-privileged user is only allowed to:
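The level-and-compartment comparison described above can be modelled in a few lines. This is an added example, not SEVMS code: `Label`, `dominates`, `relation` and `LabeledObject` are hypothetical names, the "dominates" comparison is the one commonly used by such models, and the rule that the discretionary and mandatory checks must both pass is an assumption.

```python
from dataclasses import dataclass

# Level names are the examples from the text; the ordering list is constructed.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

def dominates(a: Label, b: Label) -> bool:
    """True if a's level is >= b's and a holds every compartment b has."""
    return (LEVELS.index(a.level) >= LEVELS.index(b.level)
            and a.compartments >= b.compartments)

def relation(a: Label, b: Label) -> str:
    """Labels form a partial order, so two labels may be incomparable."""
    if a == b:
        return "equal"
    if dominates(a, b):
        return "dominates"
    return "dominated" if dominates(b, a) else "incomparable"

class LabeledObject:
    """Hypothetical object with an owner-edited ACL and an administrator-set label."""
    def __init__(self, owner: str, label: Label):
        self.owner, self.acl, self.label = owner, {owner}, label

    def grant(self, actor: str, user: str) -> None:
        # Discretionary part: only the owner may extend the ACL.
        if actor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.add(user)

    def read_allowed(self, user: str, clearance: Label) -> bool:
        # Assumed rule: the ACL check and the label check must both pass.
        return user in self.acl and dominates(clearance, self.label)

def demo() -> dict:
    # Constructed sample data.
    doc = LabeledObject("alice", Label("Secret", frozenset({"Project A"})))
    bob = Label("Top Secret", frozenset({"Project B"}))    # wrong compartment
    carol = Label("Secret", frozenset({"Project A", "Project C"}))
    before = doc.read_allowed("carol", carol)   # cleared, but not on the ACL
    doc.grant("alice", "bob")
    doc.grant("alice", "carol")
    return {"carol_before_grant": before,
            "bob_after_grant": doc.read_allowed("bob", bob),
            "carol_after_grant": doc.read_allowed("carol", carol),
            "bob_vs_doc": relation(bob, doc.label)}

if __name__ == "__main__":
    print(demo())
```

The owner's grant to `bob` changes the discretionary result only: his higher level does not compensate for the missing compartment, so the two labels are incomparable and the mandatory check still fails.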