simple

• authenticated user has full access to system
• auth'd user has roles which each grant full access to a sub-system, either as a process ('can register new users') or data ('can amend customer records')
  – the role acts effectively as a grouping mechanism
• Lattice-Based Access Control (LBAC)
  – users (subjects) mapped to objects (resources, computers, applications)
• Role-Based Access Control (RBAC)
  – users have hierarchical roles which have permissions that grant operations
  – e.g. user "fred" has role "sysadmin" which has permission "security_edit" which grants operations "read" and "write" on security objects
  – instead user "fred" might have role "root" which inherits from role "sysadmin" those permissions
• RBAC with Access Control List extension
  – users have roles which have permissions with a precedence that grant operations on matched objects
  – e.g. user "jo" has role "editor" which has permission "food_recipes" which grants operations "read", "write", "delete" to objects "of type 'document' with file path matching '/home/recipes/*'"
• enterprise framework, e.g. PERMIS storing permissions via OpenLDAP and authenticating against Windows ADS, BBC SSO or Shibboleth

complex
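The two RBAC bullets above (hierarchical roles with inherited permissions, and the ACL extension where permissions carry a precedence and apply only to matched objects) as a small worked policy engine. This is an added example, not code from the slides or from PERMIS. It reuses the slide's users, roles and permissions ("fred"/"sysadmin"/"root"/"security_edit", "jo"/"editor"/"food_recipes" on documents under /home/recipes/). Two things are assumptions: precedence is interpreted as "the highest-precedence matching permission decides", and object matching is an object type plus an fnmatch glob over the path. The extra "archived_readonly" permission is constructed purely to show precedence in action.

```python
"""Toy RBAC engine with role inheritance and an ACL-style extension.

Added example (not from the original slides or from PERMIS). Assumptions:
precedence = highest-precedence matching permission decides; objects are
matched by type plus an fnmatch glob over their path.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Obj:
    kind: str   # object type, e.g. "document" or "security"
    path: str   # file path or other locator


@dataclass(frozen=True)
class Permission:
    name: str
    operations: frozenset
    obj_kind: str = "*"      # object type this permission matches ("*" = any)
    path_glob: str = "*"     # glob over the object path ("*" = any)
    precedence: int = 0      # higher wins when several permissions match

    def matches(self, obj: Obj) -> bool:
        return (self.obj_kind in ("*", obj.kind)
                and fnmatchcase(obj.path, self.path_glob))


@dataclass
class Role:
    name: str
    permissions: list = field(default_factory=list)
    parents: list = field(default_factory=list)   # roles this role inherits from

    def all_permissions(self, seen=None):
        """Own permissions plus those inherited transitively from parent roles."""
        seen = set() if seen is None else seen
        if self.name in seen:            # guard against a cyclic hierarchy
            return []
        seen.add(self.name)
        perms = list(self.permissions)
        for parent in self.parents:
            perms.extend(parent.all_permissions(seen))
        return perms


class Policy:
    def __init__(self):
        self.user_roles = {}   # user name -> list of Role

    def assign(self, user, role):
        self.user_roles.setdefault(user, []).append(role)

    def permitted(self, user, operation, obj):
        """True only if a highest-precedence matching permission grants operation."""
        matching = [p for r in self.user_roles.get(user, [])
                    for p in r.all_permissions() if p.matches(obj)]
        if not matching:
            return False            # default deny: nothing matched this object
        best = max(p.precedence for p in matching)
        winners = [p for p in matching if p.precedence == best]
        return any(operation in p.operations for p in winners)


def build_policy():
    """Constructed policy mirroring the slide's examples (plus one extra rule)."""
    security_edit = Permission("security_edit", frozenset({"read", "write"}),
                               obj_kind="security")
    sysadmin = Role("sysadmin", [security_edit])
    root = Role("root", parents=[sysadmin])        # "root" inherits from "sysadmin"

    food_recipes = Permission("food_recipes", frozenset({"read", "write", "delete"}),
                              obj_kind="document", path_glob="/home/recipes/*",
                              precedence=10)
    # Constructed, not on the slide: archived recipes are read-only. Its higher
    # precedence overrides food_recipes wherever both match.
    archived = Permission("archived_readonly", frozenset({"read"}),
                          obj_kind="document", path_glob="/home/recipes/archive/*",
                          precedence=20)
    editor = Role("editor", [food_recipes, archived])

    policy = Policy()
    policy.assign("fred", root)
    policy.assign("jo", editor)
    return policy


if __name__ == "__main__":
    p = build_policy()
    print(p.permitted("fred", "write", Obj("security", "/etc/acl")))               # inherited
    print(p.permitted("jo", "delete", Obj("document", "/home/recipes/pie.txt")))   # allowed
    print(p.permitted("jo", "delete", Obj("document", "/home/recipes/archive/pie.txt")))  # refused
```

The default is deny: a user with no role, or a role whose permissions match no object, gets nothing, and a broad grant (food_recipes) can be narrowed by a more specific, higher-precedence one (archived_readonly) without touching the broad rule.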