In this post I want to summarize, in a nutshell, the terminology used for controlling permissions on securable objects in operating systems.

This topic is well documented by Microsoft and on Wikipedia.

First, there is the access control entry (ACE), which is an element of an access control list (ACL). An ACL can have zero or more ACEs.

Each ACE controls or monitors access to an object.


  • Monitoring access to securable objects is done through a system access control list (SACL), which enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.
  • Controlling access to securable objects is done through a discretionary access control list (DACL), which identifies the users and groups that are allowed or denied access to the securable object. When a process tries to access a securable object, the system checks the ACEs in the object’s DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object’s DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.


ACLs also provide access control to Microsoft Active Directory directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs. For more information, see Controlling Access to Active Directory Objects.


Source: https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
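The DACL evaluation rules described above can be modeled in a few lines. This is an added example, not code from Microsoft or from the original post; the `Ace` class, the right bits and the trustee names are constructed for illustration. It shows the missing-DACL and empty-DACL cases and why the order of ACEs matters.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-right bits for the model (not real Windows mask values).
READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    trustee: str   # user or group the ACE applies to
    mask: int      # rights the ACE allows or denies

def access_check(dacl: Optional[List[Ace]], trustees: Set[str], desired: int) -> bool:
    """Model of the sequential DACL walk described in the text."""
    if dacl is None:
        return True                    # no DACL: full access to everyone
    remaining = desired                # requested rights not yet granted
    for ace in dacl:                   # empty DACL: loop body never runs
        if ace.trustee not in trustees:
            continue                   # ACE does not apply to this caller
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True            # every requested right was allowed
        elif ace.mask & remaining:
            return False               # a still-needed right is denied
    return False                       # some right was never allowed

def demo() -> dict:
    caller = {"alice", "Staff"}        # constructed user plus group membership
    deny_first = [Ace(False, "alice", WRITE), Ace(True, "Staff", READ | WRITE)]
    allow_first = list(reversed(deny_first))
    return {
        "no_dacl": access_check(None, caller, READ | WRITE),
        "empty_dacl": access_check([], caller, READ),
        "deny_first_read": access_check(deny_first, caller, READ),
        "deny_first_write": access_check(deny_first, caller, READ | WRITE),
        # Same ACEs, allow placed first: the deny ACE is never reached.
        "allow_first_write": access_check(allow_first, caller, READ | WRITE),
        "partial_grant": access_check([Ace(True, "Staff", READ)], caller, READ | WRITE),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

The `allow_first_write` case is the one to check for when reviewing ACLs: a deny ACE placed after an allow ACE that already covers the requested rights has no effect.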


In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control (DAC).

Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments. RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions. Although RBAC is different from MAC and DAC access control frameworks, it can enforce these policies without any complication.

Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user’s account; this simplifies common operations, such as adding a user, or changing a user’s department.

Source: https://en.wikipedia.org/wiki/Role-based_access_control



Mandatory access control is a method of limiting access to resources based on the sensitivity of the information that the resource contains and the authorization of the user to access information with that level of sensitivity.

You define the sensitivity of the resource by means of a security label. The security label is composed of a security level and zero or more security categories. The security level indicates a level or hierarchical classification of the information (for example, Restricted, Confidential, or Internal). The security category defines the category or group to which the information belongs (such as Project A or Project B). Users can access only the information in a resource to which their security labels entitle them. If the user’s security label does not have enough authority, the user cannot access the information in the resource.

Source: https://www.ibm.com/docs/en/zos/2.2.0?topic=environment-mandatory-access-control-mac
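The label check described above, as an added example (not IBM's code or part of the original post). It assumes the usual dominance rule, which the quoted text does not spell out: the user's level must be at least the resource's level, and the user's categories must include all of the resource's categories. The ordering of the levels is also constructed for the example.

```python
from dataclasses import dataclass

# Constructed hierarchy for illustration: higher number = more sensitive.
LEVELS = {"Internal": 0, "Restricted": 1, "Confidential": 2}

@dataclass(frozen=True)
class Label:
    level: str                           # hierarchical security level
    categories: frozenset = frozenset()  # zero or more security categories

def dominates(user: Label, resource: Label) -> bool:
    """True if the user's label has enough authority for the resource's label."""
    if user.level not in LEVELS or resource.level not in LEVELS:
        return False                     # unknown level: fail closed
    level_ok = LEVELS[user.level] >= LEVELS[resource.level]
    categories_ok = user.categories >= resource.categories  # superset test
    return level_ok and categories_ok

def readable(user: Label, resources: dict) -> list:
    """Names of the resources whose labels the user's label dominates."""
    return sorted(name for name, lbl in resources.items() if dominates(user, lbl))

# Constructed sample data.
RESOURCES = {
    "plan-a.doc": Label("Restricted", frozenset({"Project A"})),
    "plan-b.doc": Label("Restricted", frozenset({"Project B"})),
    "budget.xls": Label("Confidential", frozenset({"Project A", "Project B"})),
    "canteen.txt": Label("Internal"),
}

if __name__ == "__main__":
    analyst = Label("Confidential", frozenset({"Project A"}))
    # A high level alone is not enough: plan-b.doc and budget.xls need Project B.
    print(readable(analyst, RESOURCES))
```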



Links

Access Control Lists
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists

Access Control Entries
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-entries

Security Descriptors
https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptors

Securable Objects
https://docs.microsoft.com/en-us/windows/win32/secauthz/securable-objects

discretionary access control (DAC)
https://en.wikipedia.org/wiki/Discretionary_access_control

access-control list (ACL)
https://en.wikipedia.org/wiki/Access-control_list

role-based access control (RBAC)
https://en.wikipedia.org/wiki/Role-based_access_control

mandatory access control (MAC)
https://en.wikipedia.org/wiki/Mandatory_access_control
https://www.heise.de/ix/artikel/Gut-bewacht-506652.html
https://www.ibm.com/docs/en/zos/2.2.0?topic=environment-mandatory-access-control-mac