Organisation-based access control

In computer security, organization-based access control (OrBAC) is an access control model first presented in 2003. Current approaches to access control rest on three entities (''subject'', ''action'', ''object''): to control access, the policy specifies that some subject has permission to perform some action on some object.

OrBAC allows the policy designer to define a security policy independently of the implementation. It achieves this by introducing an abstract level:

* Subjects are abstracted into roles. A role is a set of subjects to which the same security rules apply.
* Similarly, an activity is a set of actions to which the same security rules apply.
* A view is a set of objects to which the same security rules apply.

Each security policy is defined for and by an organization. The specification of the security policy is therefore completely parameterized by the organization, so that several security policies associated with different organizations can be handled simultaneously. The model is not restricted to permissions; it also includes the possibility of specifying prohibitions and obligations.

Abstract privileges are defined from the three abstract entities (''roles, activities, views''), and concrete privileges are derived from these abstract privileges. OrBAC is context sensitive, so the policy can be expressed dynamically. OrBAC also has concepts of hierarchy (''organization'', ''role'', ''activity'', ''view'', ''context'') and separation constraints.
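The derivation of concrete privileges from abstract ones can be sketched as follows. This is an added example, not code from the OrBAC project or from MotOrBAC; the relation names (`empower`, `consider`, `use`), the sample organizations and the choice to let a prohibition override a permission are assumptions made for the illustration, and obligations and hierarchies are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # abstract privilege, scoped to one organization
    kind: str                    # "permission" or "prohibition"
    org: str
    role: str
    activity: str
    view: str
    context: str

class Policy:
    def __init__(self):
        self.empower = set()     # (org, subject, role): subject plays role in org
        self.consider = set()    # (org, action, activity): action belongs to activity
        self.use = set()         # (org, obj, view): object belongs to view
        self.contexts = {}       # context name -> predicate(subject, action, obj, env)
        self.rules = []

    def derive(self, kind, subject, action, obj, env):
        """Abstract rules of `kind` that yield a concrete privilege for this request."""
        return [r for r in self.rules
                if r.kind == kind
                and (r.org, subject, r.role) in self.empower
                and (r.org, action, r.activity) in self.consider
                and (r.org, obj, r.view) in self.use
                and self.contexts[r.context](subject, action, obj, env)]

    def is_permitted(self, subject, action, obj, env):
        # Assumption of this example: a derived prohibition overrides permissions.
        if self.derive("prohibition", subject, action, obj, env):
            return False
        return bool(self.derive("permission", subject, action, obj, env))

def build_sample():
    """Constructed sample data: two organizations sharing one subject."""
    p = Policy()
    p.contexts["default"] = lambda s, a, o, env: True
    p.contexts["night"] = lambda s, a, o, env: env["hour"] >= 22 or env["hour"] < 6
    p.empower |= {("hospital_a", "alice", "physician"), ("hospital_a", "bob", "nurse"),
                  ("hospital_b", "alice", "visitor")}
    p.consider |= {("hospital_a", "read", "consult"), ("hospital_b", "read", "consult")}
    p.use |= {("hospital_a", "record_17", "medical_record"),
              ("hospital_b", "record_90", "medical_record")}
    p.rules = [
        Rule("permission", "hospital_a", "physician", "consult", "medical_record", "default"),
        Rule("permission", "hospital_a", "nurse", "consult", "medical_record", "default"),
        Rule("prohibition", "hospital_a", "nurse", "consult", "medical_record", "night"),
    ]
    return p
```

Because every relation carries the organization, the same subject can hold a role in one organization without gaining anything in another, and the context predicate lets the same abstract rule produce different concrete decisions at different times.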


See also

* Access control list
* Attribute-Based Access Control (ABAC)
* Context-based access control (CBAC)
* Discretionary access control (DAC)
* Graph-based access control (GBAC)
* Lattice-based access control (LBAC)
* Mandatory access control (MAC)
* Role-based access control (RBAC)
* Rule-set-based access control (RSBAC)
* Capability-based security
* Location-based authentication
* Risk-based authentication
* Bell–LaPadula model


External links


OrBAC site

MotOrBAC site (OrBAC simulation and conflict detection tool)