

5.5.5  MAC/DAC/RBAC
(Page 1 of 2)

As with Auditing, this section revisits a topic covered in greater detail earlier in this book; here we summarize it briefly.

Role Based Access Control (RBAC)

The National Institute of Standards and Technology (NIST) states:

“With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, and manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies”.

NIST has published a draft RBAC standard as a 51-page PDF that is available for study [446].

RBAC is policy-oriented, yet policy neutral: it provides a structure for expressing access policy but does not dictate which policies you must apply.

Examples of RBAC can be found in Microsoft's Active Directory and Novell Directory Services.

Highlights of RBAC include:

  • Least Privilege

  • Separation of Duties

  • Abstract Permissions

  • Separation of Administration and Access
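The NIST description above (users are assigned roles, access rights are grouped by role, and a role such as doctor bundles the operations that job needs) and the four highlights just listed can be shown in a few dozen lines of code. The following is an added example written for this page, not code from NIST or from any directory product; the user names, the "pharmacist" role and the separation-of-duties pairing are constructed for illustration, and only the "doctor" and "researcher" roles and their operations come from the quotation.

```python
"""Minimal role-based access control (RBAC) model (added example).

Users never hold permissions directly: they are assigned roles, and
roles carry abstract permissions (least privilege, abstract permissions).
Defining roles and assigning users are administrative operations kept
apart from the access check itself (separation of administration and
access). A static separation-of-duties rule prevents one user from
holding two conflicting roles at the same time.
"""
from typing import Dict, FrozenSet, Set, Tuple

# A permission is an abstract (resource, operation) pair, e.g. ("medication", "prescribe").
Permission = Tuple[str, str]


class RBAC:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        # Pairs of roles that no single user may hold together (static SoD).
        self.exclusive: Set[FrozenSet[str]] = set()

    # ---- administration side -------------------------------------------
    def define_role(self, name: str, permissions: Set[Permission]) -> None:
        self.roles[name] = set(permissions)

    def add_separation_of_duties(self, role_a: str, role_b: str) -> None:
        self.exclusive.add(frozenset({role_a, role_b}))

    def would_violate_sod(self, user: str, role: str) -> bool:
        """True if giving `user` the role `role` would pair it with a conflicting role."""
        held = self.user_roles.get(user, set())
        return any(frozenset({other, role}) in self.exclusive for other in held)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        if self.would_violate_sod(user, role):
            raise ValueError(f"{user} may not hold {role} together with an existing role")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    # ---- access side ---------------------------------------------------
    def permissions_of(self, user: str) -> Set[Permission]:
        """Union of the permissions of every role the user currently holds."""
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, set())))

    def check(self, user: str, resource: str, operation: str) -> bool:
        """The access decision: is (resource, operation) granted through any of the user's roles?"""
        return (resource, operation) in self.permissions_of(user)


def build_hospital_policy() -> RBAC:
    """Constructed sample policy following the hospital example in the NIST text."""
    rbac = RBAC()
    rbac.define_role("doctor", {("diagnosis", "perform"),
                                ("medication", "prescribe"),
                                ("lab_test", "order")})
    rbac.define_role("researcher", {("clinical_data", "read_anonymous")})
    # Constructed role for the separation-of-duties illustration (not from the page).
    rbac.define_role("pharmacist", {("medication", "dispense")})
    # Assumption for the example: the person who prescribes must not also dispense.
    rbac.add_separation_of_duties("doctor", "pharmacist")
    # Constructed users.
    rbac.assign_role("alice", "doctor")
    rbac.assign_role("bob", "researcher")
    return rbac


if __name__ == "__main__":
    policy = build_hospital_policy()
    for user, resource, op in [("alice", "medication", "prescribe"),
                               ("bob", "medication", "prescribe"),
                               ("bob", "clinical_data", "read_anonymous")]:
        print(f"{user:6} {resource}:{op:15} -> {'allow' if policy.check(user, resource, op) else 'deny'}")
    print("alice as pharmacist would violate SoD:", policy.would_violate_sod("alice", "pharmacist"))
```

Note that `check()` never consults a per-user permission list, only the roles; that is what makes the permissions abstract and lets an administrator change what "doctor" means in one place. The `would_violate_sod()` test is evaluated at assignment time, so the conflict is blocked before any access decision is ever made.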

__________________

[446] http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.