2.3.8 Access Control Mechanisms
Figure 23. Access Control Mechanisms
Key Points
Access control services are implemented by access control lists and/or security
Presentation Script
Access Control Lists:
Access control lists (ACLs) are a form of information
repository that contain data relative to the rights of access (permissions) to
shared resources/objects granted to authenticated users of the system. The
access rights might take the form of authorized resources, authorized actions
with respect to a particular resource (read, write, update, execute), or privileges
to be permitted throughout the system environment. Access control lists are
categorized as discretionary access control (DAC) mechanisms.
Access control lists may be distributed, as in the case of a global directory of
network resources, or they may be localized, as in the case of controlling access
to resources owned by a particular resource manager. Management of the
ACLs may be done by a single centralized authority using remote management
interfaces, or it may be done locally by an individual resource manager using
internal management interfaces.
46 Security P-Guide
Security Labels:
Security labeling provides a mechanism to enhance or refine
the levels of control imposed on a resource or entity. For example, the label
could specify sensitivity information (classification), or could provide additional
constraints on resource access based on the role of the user, the function being
performed, department, or categories in a manner similar to group controls.
Security labels are also called mandatory access control (MAC) mechanisms.
s Model for An Access Control Resource Manager (ACRM):
The DCE model
for an ACRM is considerably different from the model which has generally, but
not always, been implemented on IBMs strategic platforms. In DCE, each
application server that manages resources is responsible for its own
implementation of an ACRM. This is in contrast, for example, with MVS where
RACF or other vendor products have provided the equivalent of ACL
management and access control checking functions in a single product that can
be used by many different application servers. Products such as RACF also
supply an implementation of an auditing mechanism integrated with the access
control checking facilities.
The DCE code provided by OSF contains a “reference implementation” for an
ACRM that server writers can use as a model to implement their own ACRMs.
The model addresses the management of ACL objects both locally and remotely
and specifies the algorithms for checking access control. The four basic parts of
the reference implementation are described below.
sec_acl APIs
The set of callable APIs prefixed with
are intended for use by
clients. These interfaces are used by the OSF-supplied ACL editor to
implement its command-line and interactive user interface modes for editing
ACLs. All of the DCE components that have implemented their own ACL
manager “export” a connection to this interface, and the
API calls
are the interfaces used to invoke the servers ACL manager. The
calls invoke the security client
stub code (described below) shipped by
OSF in a library called
calls are used for:
Binding (getting addressability) to an objects ACL
Listing the access permissions which a caller has for an object
Testing an objects ACL for permissions matching those of the caller
Obtaining returned error information
Listing the manager types for the ACLs protecting an object
Returning ACL information in printable form
Teturning an objects ACL
In a typical scenario, the
application will use the above routines to
get a handle and the management type of an ACL, then load the ACL into
temporary storage. It would then manipulate entries and fields within entries
or sometimes rebuild the whole ACL using
subcommands. The
application will then replace the revised ACL and release the temporary
The ACL editor supports a command line mode and an interactive mode of
operation which prompts the user for input parameters. The ACL editor
works at three levels: the entire ACL, individual ACL entries, or permission
bits within an entry. When dealing with the entire ACL, it can list its contents,
list the available permission tokens, remove or replace all entries, and
assign the modified ACL to its object. At the ACL entry level, it can add or
Chapter 2. IBM Security Strategy and Architecture 47

Get Enterprise-Wide Security Architecture and Solutions Presentation Guide now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.