May 12, 2003

Role-Based Access Control

Authorization Manager brings role-based access control to Windows

If you've played around with Windows Server 2003, you've probably encountered the new Active Directory (AD) Microsoft Management Console (MMC) Authorization Manager snap-in that Microsoft introduced in Release Candidate 1 (RC1). Authorization Manager is Microsoft's effort to introduce a role-based access control (RBAC) model for applications that run on the Windows platform. David Ferraiolo and Richard Kuhn of the National Institute of Standards and Technology (NIST) first introduced the concept of RBAC in 1992 in the paper "Role-Based Access Controls," which you can download from http://hissa.ncsl.nist.gov/rbac/paper/rbac1.html. After I explain the main concepts of the RBAC model and how it differs from other access control models, I detail how Microsoft has used Authorization Manager to implement the RBAC model.

The RBAC Model
Before 1992, most platforms and applications supported either a mandatory access control (MAC) model or a discretionary access control (DAC) model. The two models are specified in the Trusted Computer Security Evaluation Criteria (TCSEC) that the US Department of Defense (DoD) published in 1985. Of the two, the DAC model is more common—and used in many commercial OSs, including Windows 2000 Server and Windows NT.

In the DAC model, managing access privileges to resources is left to the discretion of individual users. This decentralized approach lets users grant or revoke access to any object under their direct control (i.e., objects or resources the user owns) without systems administrator intercession.

The MAC model is a highly centralized access control approach in which a central authority grants or denies user access to resources. The central authority gives individuals a clearance level and labels resources with an access level for the different clearance levels. Environments in which the primary concern is to prohibit unauthorized information flow from a higher level in the organization to a lower level (e.g., military organizations) often use this type of centralized access control. Because Microsoft hasn't yet provided any Commercial Off-the-Shelf (COTS) support for the MAC model, I limit my discussion to comparing the RBAC model with the DAC model. Table 1, page 2, summarizes the differences between the DAC and RBAC models.

The key component of the RBAC model is a user's organizational role, which defines his or her duties, responsibilities, and qualifications. In contrast, the DAC model is object- and resource-centric. From an administrative point of view, managing access control directly in a role-based fashion is more natural; translating the organizational model (based on users' roles) into the object-centric model (based on access rights to resources), as an administrator does in the DAC model, is more difficult.

A role in the RBAC model is a special type of access control group that links to a set of tasks that a user or a set of users can perform in the context of a particular organization. However, a role is also fundamentally different from a group. Groups, as we know them from the DAC model, facilitate access control management at the resource level by letting you define and maintain access control for groups rather than for individual users. A role, on the contrary, implies a set of resource access permissions that are based on role definitions (i.e., role-to-task and role-to-operation mappings stored in the RBAC access control policy database). To determine the tasks or operations that a user has permission to perform, you need only know the user's role; you don't need to query the access permissions of the different resources at the time of access, as you do in the DAC model.

Access control validation and enforcement is another area in which the RBAC model differs from the DAC model. In the RBAC model, role-enabled applications query the RBAC policy database or the associated access control authority to determine whether a user has permission to perform a particular action. The DAC model's decentralized access control enforcement and validation occurs at the DAC-enabled application or resource level. In NT, for example, a local machine entity known as the security reference monitor (SRM) compares the content of a user's access token with a resource's ACL entries to determine whether a user has access.
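As an added example (not the article's own code, nor Authorization Manager's), the following Python models the role-to-task and task-to-operation mappings described above and contrasts a role-derived access check with a DAC-style walk over an object's ACL in the spirit of the SRM comparison just mentioned. All user, role, task, group and operation names are constructed sample data.

```python
# Added illustration of the RBAC policy described above, not Authorization
# Manager's own code: users map to roles, roles to tasks, tasks to operations
# (tasks may nest other tasks). All names below are constructed sample data.
SAMPLE_POLICY = {
    "user_roles":    {"alice": {"Approver"}, "bob": {"Clerk"}},
    "role_tasks":    {"Approver": {"ApproveExpense", "FileExpense"},
                      "Clerk": {"FileExpense"}},
    "task_subtasks": {"ApproveExpense": {"ReviewExpense"}},
    "task_ops":      {"FileExpense": {"CreateReport"},
                      "ReviewExpense": {"ReadReport"},
                      "ApproveExpense": {"SignReport"}},
}

def operations_for_task(policy, task, seen=None):
    """Flatten a task and its nested tasks into the operations it grants."""
    seen = set() if seen is None else seen
    if task in seen:                 # tolerate a cyclic task definition
        return set()
    seen.add(task)
    ops = set(policy["task_ops"].get(task, ()))
    for sub in policy["task_subtasks"].get(task, ()):
        ops |= operations_for_task(policy, sub, seen)
    return ops

def rbac_access_check(policy, user, operation):
    """RBAC check: answered from role membership alone; no resource ACL is read."""
    return any(operation in operations_for_task(policy, task)
               for role in policy["user_roles"].get(user, ())
               for task in policy["role_tasks"].get(role, ()))

def dac_access_check(token_groups, acl, requested):
    """DAC check in the spirit of NT's security reference monitor: walk the
    object's ACEs in order, comparing each against the token's group list.
    A matching deny ACE that covers any still-ungranted right ends the walk;
    allow ACEs accumulate rights until every requested right is granted."""
    remaining = set(requested)
    for kind, trustee, rights in acl:        # ACE = (allow|deny, group, rights)
        if trustee not in token_groups:
            continue
        if kind == "deny" and remaining & rights:
            return False
        if kind == "allow":
            remaining -= rights
            if not remaining:
                return True
    return not remaining
```

Note that the RBAC check never touches a resource: swapping alice's role is enough to change every operation she may perform, whereas the DAC check must re-read each object's ACL.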



Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2009 Penton Media, Inc., All rights reserved.