Attack Surface
An attack surface in permissions management refers to the sum total of all potential vulnerabilities that an unauthorized entity could exploit to gain access to a system or data. ...
Okta is an enterprise-grade identity management service built for the cloud but compatible with many on-premises applications. With Okta, IT can manage any employee’s access to any application or device. Okta runs in the cloud on a secure, reliable, extensively audited platform that integrates deeply with on-premises applications, directories, and identity management systems.
Access Control and Authorization Policies
Access control is a critical mechanism for granting or denying individual access requests based on current policies, user authentication, authorizations, request information, and other relevant factors. While the authorization facilities determine the privileges a user possesses at a given time, access control ensures that those privileges are enforced in a secure manner whenever access to specific resources is limited.
To implement effective access control, your application developers embed access control checks throughout their code, aligning with the security requirements of each resource. The most suitable access control strategies vary based on your applications’ specific requirements and designs. You have the flexibility to choose from various models and employ different strategies simultaneously, depending on the context. Here are some options to consider:
1. Attribute-Based Access Control (ABAC) or Policy-Based Access Control (PBAC): Access is granted or denied based on policies that combine multiple attributes of the user and request.
2. Discretionary Access Control (DAC): Access is granted or denied based on a policy set by the resource owner.
3. Dynamic Access Control (DAC): A feature in Windows Server that allows administrators to manage access and auditing for domain-based file servers using Active Directory attributes. The same strategy can be applied in IAM solutions on any platform.
4. Mandatory Access Control (MAC): The operating system or database imposes restrictions on a requestor’s ability to access or modify a file system resource based on criteria defined by resource owners (typically sysadmins). Unix and Linux file permissions exemplify this approach.
5. Role-Based Access Control (RBAC): Access control is based on roles and associated privileges. Users holding a specific role are granted the corresponding privileges. Common examples include administrators and super admins.
6. Rule-Based Access Control (distinct from RBAC and ABAC): Access requests are evaluated against a set of specific rules. Rule-based controls are preventive: they typically complement other access control types by blocking access under specified circumstances.
7. Time-Based Access Control: Access to a resource is restricted to specific times of the day and week. Although commonly associated with network Access Control Lists (ACLs), the general strategy can be applied in IAM solutions across platforms.
By understanding these access control strategies and tailoring them to your application’s needs, you can enhance security and protect sensitive resources effectively.
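The list above describes several models that are often combined in one policy decision point. The following Python example (added here; it is not code from the original page or from Okta) shows how RBAC, ABAC, an owner-based discretionary rule and a time-based rule can be evaluated together with a default-deny outcome. All roles, departments, resources, users and timestamps are constructed sample data; the function and field names are assumptions chosen for the example.

```python
"""Added example: a minimal policy decision point combining access control
models. Every role, attribute, resource and timestamp below is constructed
sample data, not taken from any real system."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Tuple

# RBAC: each role maps to the set of actions it grants (constructed data).
ROLE_PERMISSIONS = {
    "reader": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin": {"document:read", "document:write", "document:delete", "user:manage"},
}


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]
    department: str
    mfa_verified: bool


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_id: str
    department: str
    classification: str  # "public", "internal" or "confidential"


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str  # e.g. "document:write"
    resource: Resource
    at: datetime


def role_or_owner_allows(req: Request) -> bool:
    """RBAC check, plus a discretionary rule: the resource owner may always
    read the resource they own, even without a role that grants it."""
    if req.action == "document:read" and req.subject.user_id == req.resource.owner_id:
        return True
    return any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in req.subject.roles)


def attributes_allow(req: Request) -> bool:
    """ABAC check: policy combines subject and resource attributes.
    Confidential data requires same department and a verified MFA session;
    internal data requires same department; public data has no constraint."""
    s, r = req.subject, req.resource
    if r.classification == "confidential":
        return s.department == r.department and s.mfa_verified
    if r.classification == "internal":
        return s.department == r.department
    return True


def time_window_allows(req: Request, start: time = time(7, 0), end: time = time(19, 0)) -> bool:
    """Time-based check: destructive actions are only permitted inside the
    window [start, end); other actions are not time-restricted."""
    if not req.action.endswith(":delete"):
        return True
    return start <= req.at.time() < end


def decide(req: Request) -> Tuple[bool, str]:
    """Default deny: every applicable control must agree before access is granted.
    The reason string is returned so the decision can be logged and audited."""
    if not role_or_owner_allows(req):
        return False, "rbac: no role grants this action and subject is not owner"
    if not attributes_allow(req):
        return False, "abac: attribute policy denied"
    if not time_window_allows(req):
        return False, "time: destructive action outside allowed window"
    return True, "allowed"


# Constructed sample data used for the scenarios below.
FINANCE_DOC = Resource("doc-1", owner_id="bob", department="finance", classification="confidential")
ENG_DOC = Resource("doc-2", owner_id="erin", department="engineering", classification="internal")
ALICE = Subject("alice", frozenset({"editor"}), "finance", mfa_verified=True)
ALICE_NO_MFA = Subject("alice", frozenset({"editor"}), "finance", mfa_verified=False)
BOB = Subject("bob", frozenset(), "finance", mfa_verified=True)
CAROL = Subject("carol", frozenset({"admin"}), "engineering", mfa_verified=True)
DAVE = Subject("dave", frozenset({"reader"}), "engineering", mfa_verified=True)
BUSINESS_HOURS = datetime(2024, 5, 6, 10, 0)
LATE_NIGHT = datetime(2024, 5, 6, 22, 0)


def run_scenarios() -> dict:
    """Evaluate a handful of requests; returns {label: (allowed, reason)}."""
    return {
        "editor_writes_own_dept": decide(Request(ALICE, "document:write", FINANCE_DOC, BUSINESS_HOURS)),
        "editor_without_mfa": decide(Request(ALICE_NO_MFA, "document:write", FINANCE_DOC, BUSINESS_HOURS)),
        "owner_reads_without_role": decide(Request(BOB, "document:read", FINANCE_DOC, BUSINESS_HOURS)),
        "admin_deletes_other_dept": decide(Request(CAROL, "document:delete", FINANCE_DOC, BUSINESS_HOURS)),
        "admin_deletes_at_night": decide(Request(CAROL, "document:delete", ENG_DOC, LATE_NIGHT)),
        "admin_deletes_in_hours": decide(Request(CAROL, "document:delete", ENG_DOC, BUSINESS_HOURS)),
        "reader_tries_write": decide(Request(DAVE, "document:write", ENG_DOC, BUSINESS_HOURS)),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in run_scenarios().items():
        print(f"{label:28s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The ordering of checks is deliberate: the cheap role lookup runs first, the attribute policy applies regardless of role (so an admin in another department is still refused confidential data), and the time rule only constrains destructive actions. Returning a reason alongside the boolean is what makes denied requests useful as a detection signal when they are logged.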