Metric connection: Difference between revisions
en>Qetuth m more specific stub type
en>Addbot
In [[computer science]], an '''Access Control Matrix''' or '''Access Matrix''' is an abstract, formal [[Computer security model|security model]] of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system. It was first introduced by [[Butler W. Lampson]] in 1971.<ref>
{{ cite conference
| first = Butler W.
| last = Lampson
| title = Protection
| booktitle = Proceedings of the 5th Princeton Conference on Information Sciences and Systems
| year = 1971
| pages = 437 }}
</ref>
An access matrix can be envisioned as a rectangular array of cells, with one row per subject and one column per object. The entry in a cell - that is, the entry for a particular subject-object pair - indicates the access mode that the subject is permitted to exercise on the object. Each column is equivalent to an [[access control list]] for the object; and each row is equivalent to an ''access profile'' for the subject.<ref>RFC 4949</ref>
==Definition==
According to the model, the protection state of a computer system can be abstracted as a set of objects <math>O</math>, that is, the set of entities that need to be protected (e.g. processes, files, memory pages), and a set of subjects <math>S</math> that consists of all active entities (e.g. users, processes). Further, there exists a set of rights <math>R</math> of the form <math>r(s,o)</math>, where <math>s \in S</math>, <math>o \in O</math> and <math>r(s,o) \subseteq R</math>. A right thereby specifies the kind of access a subject is allowed to perform on an object.
==Example==
In this matrix example there exist two processes, a file and a device. The first process has the ability to execute the second, read the file and write some information to the device, while the second process can only send information to the first.
<center>
{| border=1 cellspacing=0 cellpadding=5
|
| Asset 1
| Asset 2
| file
| device
|-
| Role 1
| read, write, execute, own
| execute
| read
| write
|-
| Role 2
| read
| read, write, execute, own
|
|
|}
</center>
==Utility==
Because it does not define the granularity of protection mechanisms, the Access Control Matrix can be used as a model of the static access permissions in any type of [[access control]] system. It does not model the rules by which permissions can change in any particular system, and therefore only gives an incomplete description of the system's access control [[security policy]].
An Access Control Matrix should be thought of only as an abstract model of permissions at a given point in time; a literal implementation of it as a two-dimensional array would have excessive memory requirements. [[Capability-based security]] and [[access control list]]s are categories of concrete access control mechanisms whose static permissions can be modeled using Access Control Matrices. Although these two mechanisms have sometimes been presented (for example in Butler Lampson's [http://portal.acm.org/citation.cfm?id=775268 ''Protection''] paper) as simply row-based and column-based ''implementations'' of the Access Control Matrix, this view has been criticized as drawing a misleading equivalence between systems that does not take into account dynamic behaviour.
<ref>{{ cite paper
| author = Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro.
| title = Capability Myths Demolished.
| date = March 2003
| url = http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf
| format = [[PDF]]
| version = Technical Report SRL2003-02
| publisher = Systems Research Laboratory, Department of Computer Science,
Johns Hopkins University }}</ref>
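The following Python sketch is an added example, not part of the original article: it stores the example table sparsely (only non-empty cells) and derives the column view (an access control list) and the row view (an access profile) from the same static snapshot. The subject, object and right names come from the table above; the function names are assumptions chosen for illustration.

```python
# Constructed sample data: the non-empty cells of the example table above,
# stored sparsely as (subject, object) -> set of rights.
MATRIX = {
    ("Role 1", "Asset 1"): {"read", "write", "execute", "own"},
    ("Role 1", "Asset 2"): {"execute"},
    ("Role 1", "file"): {"read"},
    ("Role 1", "device"): {"write"},
    ("Role 2", "Asset 1"): {"read"},
    ("Role 2", "Asset 2"): {"read", "write", "execute", "own"},
}

def rights(matrix, subject, obj):
    """r(s, o): the rights in one cell; a missing cell means no access."""
    return frozenset(matrix.get((subject, obj), ()))

def is_allowed(matrix, subject, obj, right):
    """Access check against the snapshot: deny unless the right is in the cell."""
    return right in rights(matrix, subject, obj)

def acl(matrix, obj):
    """Column view: the access control list of one object (subject -> rights)."""
    return {s: frozenset(r) for (s, o), r in matrix.items() if o == obj and r}

def access_profile(matrix, subject):
    """Row view: the access profile of one subject (object -> rights)."""
    return {o: frozenset(r) for (s, o), r in matrix.items() if s == subject and r}

def from_acls(acls):
    """Rebuild the sparse matrix from per-object ACLs."""
    return {(s, o): frozenset(r) for o, col in acls.items() for s, r in col.items()}

def from_profiles(profiles):
    """Rebuild the sparse matrix from per-subject access profiles."""
    return {(s, o): frozenset(r) for s, row in profiles.items() for o, r in row.items()}

def snapshot_views_agree(matrix):
    """True if the row and column decompositions describe the same static state."""
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    by_col = from_acls({o: acl(matrix, o) for o in objects})
    by_row = from_profiles({s: access_profile(matrix, s) for s in subjects})
    return by_col == by_row == {k: frozenset(v) for k, v in matrix.items() if v}

if __name__ == "__main__":
    print(acl(MATRIX, "Asset 1"))
    print(access_profile(MATRIX, "Role 2"))
    print(snapshot_views_agree(MATRIX))
```

The agreement check covers only the permissions at one point in time; it says nothing about how rights may be granted or revoked, which the matrix does not model.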
==See also==
* [[Capability-based security]]
* [[Access control list]] (ACL)
* [[Computer security policy]]
* [[Computer security model]]
==References==
<references />
* {{cite book
| last = Bishop | first = Matt
| title = Computer security: art and science
| publisher = Addison-Wesley
| year = 2004
| isbn = 0-201-44099-7
}}
[[Category:Computer security models]]
[[Category:Computer access control]]
Revision as of 12:57, 15 March 2013