1. Technical Field
The present invention generally relates to dynamic objects and in particular to techniques for domain-based isolation and access control on dynamic objects.
2. Description of the Related Art
In computer system security, mandatory access control (MAC) refers to a type of access control in which an operating system (OS) constrains the ability of a subject (or initiator) to access or generally perform some operation on an object (or target). MAC is a system-enforced approach for restricting access to objects based on a sensitivity of an object and a clearance of a user. In practice, a subject is usually a process or thread and an object is usually a construct, e.g., a file, a file system, a volume group, a network port, or a network interface. In a usual case, subjects and objects each have a set of security attributes. In this manner, when a subject attempts to access an object, an authorization rule set enforced by an OS kernel examines the security attributes and decides whether the access can take place. Under MAC, any operation by any subject on any object is tested against an authorization rule set (or security policy) to determine if the operation is allowed. Historically, MAC has been closely associated with multi-level secure (MLS) systems.
MAC-enabled systems allow policy administrators to implement organization-wide security policies. For MAC, an access control decision is contingent on verifying compatibility of data security properties and individual clearance properties (or process clearance properties for a process that functions as a proxy for an individual). The access control decision therefore depends on the integrity of the metadata that defines the security properties of the data, as well as the security clearance of the individual or process requesting access to the data. For example, if a security label can be changed by an ordinary user, then the user can corrupt the access controls simply by relabeling the data. In general, security mechanisms that protect metadata and access control decision logic from corruption are MAC-critical objects that require robustness.
In computer system security, discretionary access control (DAC) typically means restricting access to objects based on an identity of subjects and/or groups to which the subjects belong. DAC controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (e.g., indirectly) on to another subject (unless restrained by MAC). Systems may implement both MAC and DAC simultaneously. In this case, DAC refers to a first category of access controls that subjects can transfer among each other and MAC refers to a second category of access controls that imposes constraints upon the first category of access controls. The traditional UNIX operating system model of users, groups, and read-write-execute permissions is an example of DAC.
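The following is an added illustrative example, not part of the application text and not the invention's own implementation. It models the interaction of the two categories just described: a DAC check using UNIX-style owner/group/other permission bits, followed by a MAC check against a sensitivity label. The MAC rule used (a Bell-LaPadula style "no read up, no write down" comparison of clearance against sensitivity) and the assumption that only uid 0 may relabel an object are choices made for illustration; the application does not specify a particular MAC policy. The subjects, objects and labels are constructed.

```python
# Added example (not from the application): DAC permission bits constrained by a
# MAC sensitivity label. The Bell-LaPadula rule and POLICY_ADMIN_UID are assumptions.
from dataclasses import dataclass

# Assumed linear ordering of sensitivity levels, as in an MLS system.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
READ, WRITE, EXEC = 4, 2, 1          # rwx bit values within one permission triple
POLICY_ADMIN_UID = 0                 # assumption: only the policy administrator may relabel


@dataclass
class Subject:
    uid: int
    gids: frozenset                  # DAC attributes: identity and group membership
    clearance: str                   # MAC attribute


@dataclass
class Obj:
    name: str
    owner: int
    group: int
    mode: int                        # DAC attribute: UNIX mode bits, e.g. 0o640
    sensitivity: str                 # MAC attribute: security label (protected metadata)


def dac_allows(subj, obj, op):
    """Discretionary check: select the owner, group or other bit triple and test it."""
    if subj.uid == obj.owner:
        bits = (obj.mode >> 6) & 0o7
    elif obj.group in subj.gids:
        bits = (obj.mode >> 3) & 0o7
    else:
        bits = obj.mode & 0o7
    return bool(bits & op)


def mac_allows(subj, obj, op):
    """Mandatory check (assumed Bell-LaPadula rule): read only at or below the
    subject's clearance, write only at or above it."""
    clearance = LEVELS[subj.clearance]
    sensitivity = LEVELS[obj.sensitivity]
    if op & READ and clearance < sensitivity:
        return False                 # no read up
    if op & WRITE and clearance > sensitivity:
        return False                 # no write down
    return True


def access_allowed(subj, obj, op):
    """Both categories apply: DAC may grant access, MAC constrains what DAC can grant."""
    return dac_allows(subj, obj, op) and mac_allows(subj, obj, op)


def chmod(subj, obj, new_mode):
    """DAC permission transfer: the owner hands out access by changing the mode bits."""
    if subj.uid != obj.owner:
        return False
    obj.mode = new_mode
    return True


def relabel(subj, obj, new_label):
    """MAC metadata must be robust: an ordinary user cannot change a label, since
    doing so would let the user corrupt the access control decision."""
    if subj.uid != POLICY_ADMIN_UID or new_label not in LEVELS:
        return False
    obj.sensitivity = new_label
    return True


def scenario():
    """Constructed scenario: a cleared owner tries to share a secret file with an
    uncleared colleague through DAC; the MAC constraint keeps the data out of reach."""
    alice = Subject(uid=1000, gids=frozenset({100}), clearance="secret")
    bob = Subject(uid=1001, gids=frozenset({100}), clearance="unclassified")
    report = Obj("report.txt", owner=1000, group=100, mode=0o640, sensitivity="secret")
    notice = Obj("notice.txt", owner=1001, group=100, mode=0o666, sensitivity="unclassified")
    out = {}
    out["alice_reads_report"] = access_allowed(alice, report, READ)
    out["bob_reads_report_before_chmod"] = access_allowed(bob, report, READ)  # DAC grants, MAC denies
    out["chmod_by_owner"] = chmod(alice, report, 0o644)                       # DAC transfer succeeds
    out["bob_reads_report_after_chmod"] = access_allowed(bob, report, READ)   # still denied by MAC
    out["bob_reads_notice"] = access_allowed(bob, notice, READ)
    out["alice_writes_notice"] = access_allowed(alice, notice, WRITE)         # no write down
    out["bob_relabels_report"] = relabel(bob, report, "unclassified")         # label protected
    out["report_label"] = report.sensitivity
    return out
```

The point of the scenario is the second category constraining the first: the owner's chmod is a legitimate discretionary transfer and succeeds, but it changes nothing for the uncleared subject, and the uncleared subject's attempt to move the label is refused because the label is MAC-critical metadata.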
In computer system security, role-based access control (RBAC) is another approach that may be employed to restrict system access to authorized users for administrative functions and tasks. Within an organization, roles are created for various job functions and permissions to perform certain operations are assigned to specific roles. System users are assigned particular roles and through role assignments acquire permissions to perform particular system functions. Since users are not assigned permissions directly, but only acquire the permissions through their assigned role (or roles), management of individual user rights becomes a matter of assigning appropriate roles to users. In general, the implementation of RBAC simplifies common system operations, e.g., adding a user to a system or changing a department of an existing system user.
A typical RBAC implementation employs role assignments, role authorizations, and transaction authorizations. Role assignment dictates that a subject can execute a transaction only if the subject has been assigned a role that permits execution of the transaction. Role authorization dictates that a subject's active role must be one the subject has been authorized to assume, so that users can only take on roles for which they are authorized. Transaction authorization dictates that a subject can execute a transaction only if the transaction is authorized for the active role of the subject. In general, roles can be combined in a hierarchy where higher level roles subsume the permissions owned by their sub-roles.
RBAC differs from an access control list (ACL) used in traditional DAC systems in that RBAC assigns permissions to specific operations with meaning in an organization, as contrasted with assigning permissions to low level data objects. For example, an ACL could be used to grant or deny write access to a particular system file, but the ACL would not dictate how the system file could be changed. In an RBAC system, the assignment of a permission to perform a particular operation is itself meaningful, because operations are defined at the granularity of actions that have meaning within an application. RBAC has been shown to be particularly well suited to separation of duties (SoD) requirements, which ensure that two or more people are involved in authorizing critical operations.
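The following is an added illustrative example, not part of the application text and not the invention's own implementation. It implements the three RBAC rules described above (role assignment, role authorization, transaction authorization) together with a role hierarchy and the separation-of-duties property: a static constraint that refuses to assign two mutually exclusive roles to one user, and a dynamic check that a critical transaction is completed by a second person. The role names, transaction names and the payment workflow are constructed for illustration.

```python
# Added example (not from the application): a minimal RBAC engine with role
# hierarchy and separation of duties. Roles, transactions and users are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class PaymentRequest:
    request_id: int
    amount: int
    submitted_by: str
    approved_by: Optional[str] = None


class RBAC:
    def __init__(self):
        self.role_perms = {}      # role -> set of transactions it permits
        self.role_juniors = {}    # role -> sub-roles whose permissions it subsumes
        self.user_roles = {}      # user -> roles assigned to the user
        self.active_role = {}     # user -> active role in the current session
        self.exclusive = []       # static SoD: sets of mutually exclusive roles

    def add_role(self, role, perms=(), juniors=()):
        self.role_perms[role] = set(perms)
        self.role_juniors[role] = set(juniors)

    def add_exclusive(self, *roles):
        self.exclusive.append(frozenset(roles))

    def effective_perms(self, role):
        """Permissions of a role plus everything inherited from its sub-roles."""
        perms, seen, todo = set(), set(), [role]
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            todo.extend(self.role_juniors.get(r, ()))
        return perms

    def assign_role(self, user, role):
        """Role assignment; refused if it would give one user two mutually exclusive roles."""
        if role not in self.role_perms:
            return False
        held = self.user_roles.setdefault(user, set())
        for group in self.exclusive:
            if role in group and (held & group) - {role}:
                return False
        held.add(role)
        return True

    def activate(self, user, role):
        """Role authorization: the active role must be one assigned to the user."""
        if role not in self.user_roles.get(user, set()):
            return False
        self.active_role[user] = role
        return True

    def can_execute(self, user, transaction):
        """Transaction authorization: the transaction must be permitted for the active role."""
        role = self.active_role.get(user)
        return role is not None and transaction in self.effective_perms(role)


def submit_payment(rbac, user, request_id, amount):
    if not rbac.can_execute(user, "submit_payment"):
        return None
    return PaymentRequest(request_id, amount, submitted_by=user)


def approve_payment(rbac, user, req):
    """Dynamic SoD: even with the permission, the submitter may not approve their own request."""
    if not rbac.can_execute(user, "approve_payment") or user == req.submitted_by:
        return False
    req.approved_by = user
    return True


def build_policy():
    rbac = RBAC()
    rbac.add_role("employee", perms={"read_ledger"})
    rbac.add_role("clerk", perms={"submit_payment"}, juniors={"employee"})
    rbac.add_role("approver", perms={"approve_payment"}, juniors={"employee"})
    rbac.add_exclusive("clerk", "approver")          # static SoD constraint
    return rbac


def scenario():
    rbac = build_policy()
    out = {}
    out["alice_clerk"] = rbac.assign_role("alice", "clerk")
    out["alice_approver"] = rbac.assign_role("alice", "approver")   # refused: SoD
    out["bob_approver"] = rbac.assign_role("bob", "approver")
    out["bob_activates_clerk"] = rbac.activate("bob", "clerk")      # refused: not assigned
    rbac.activate("alice", "clerk")
    rbac.activate("bob", "approver")
    out["alice_reads_ledger"] = rbac.can_execute("alice", "read_ledger")  # via hierarchy
    out["alice_approves"] = rbac.can_execute("alice", "approve_payment")
    req = submit_payment(rbac, "alice", 1, 5000)
    out["submitted"] = req is not None
    out["self_approval"] = approve_payment(rbac, "alice", req)
    out["bob_approval"] = approve_payment(rbac, "bob", req)
    out["approved_by"] = req.approved_by
    return out
```

Note that permissions never attach to users directly: changing alice's job is a matter of reassigning her roles, and the ledger read she inherits through the hierarchy disappears with them. The static constraint stops one person from ever holding both halves of the payment workflow, and the dynamic check in approve_payment is a second line of defence should the static constraint be misconfigured.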