- Discretionary – refers to leaving total control to the discretion of the owner. The owner controls who can access the data, and what they can do with it.
- Non Discretionary – anything that's not discretionary.
- Mandatory – access decisions are controlled by a central authority.
- Role-based – where access is limited to authorized users based on roles, often where permissions are established based on job functions/duties. For example, Human Resources personnel would be the only employees allowed access to the HR application. Accounting staff would only have access to the accounting application, etc. Permissions within those applications could also be established to ensure separation of duties and least privilege.
- Rule-based – where rules are imposed, such as "no logins after 5:00 p.m.".
- Attribute-based – where a combination of non discretionary methods are used. For example, everyone in the organization can log in as they please, however HR staff can only log into the HR application between the hours of 5:00 a.m. This demonstrates the combination of roles (HR staff) and rules (logins between such & such hours).
- Risk-based – access controls that increase the number of authentication challenges based on risk factors of those attempting to access the system. An example might be making the user log in with two factors if they are coming in from the internet, and then forcing the user to answer additional security questions if they are logging in from an atypical source, or from a known hostile geolocation.
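The following is an added example, not code from the original post, showing how the role-based, rule-based, attribute-based and risk-based models above compose into one access decision. The role table, the internal network list, the application names (`hr_app`, `accounting_app`), the sample users and the 5:00 p.m. end of the HR window (taken from the "no logins after 5:00 p.m." rule; the post does not state the window's end) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Set

# Role-based: which roles may reach which application (constructed sample policy).
# A resource with no entry is open to everyone, matching "everyone can log in as they please".
ROLE_PERMISSIONS = {
    "hr_app": {"hr"},
    "accounting_app": {"accounting"},
}

# Rule-based: the post's global "no logins after 5:00 p.m." rule, plus a per-application
# window. The 05:00 start is from the post; the 17:00 end is an assumption.
NO_LOGIN_AFTER = time(17, 0)
APP_HOURS = {"hr_app": (time(5, 0), time(17, 0))}

# Networks treated as "inside"; anything else is a login from the internet (assumed ranges).
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    resource: str
    login_time: time
    source_ip: str
    typical_source: bool = True   # does this login match the user's usual pattern?
    hostile_geo: bool = False     # is the geolocation on a known-hostile list?


@dataclass
class Decision:
    allowed: bool
    reason: str
    challenges: List[str] = field(default_factory=list)


def role_allows(roles: Set[str], resource: str) -> bool:
    """Role-based check: the user needs at least one of the roles mapped to the resource."""
    required = ROLE_PERMISSIONS.get(resource)
    return required is None or bool(roles & required)


def rule_allows(resource: str, login_time: time) -> bool:
    """Rule-based check: global cutoff first, then the per-application window if one exists."""
    if login_time > NO_LOGIN_AFTER:
        return False
    window = APP_HOURS.get(resource)
    if window is None:
        return True
    start, end = window
    return start <= login_time <= end


def from_internet(source_ip: str) -> bool:
    """True when the source address is outside every internal network."""
    addr = ip_address(source_ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def risk_challenges(req: AccessRequest) -> List[str]:
    """Risk-based step-up: each risk signal adds an authentication challenge."""
    challenges = []
    if from_internet(req.source_ip):
        challenges.append("second_factor")
    if not req.typical_source or req.hostile_geo:
        challenges.append("security_questions")
    return challenges


def decide(req: AccessRequest) -> Decision:
    """Attribute-based combination: role AND rule must both pass; risk then sets the challenges."""
    if not role_allows(req.roles, req.resource):
        return Decision(False, f"role check failed for {req.resource}")
    if not rule_allows(req.resource, req.login_time):
        return Decision(False, f"rule check failed: {req.login_time} is outside allowed hours")
    return Decision(True, "role and rule checks passed", risk_challenges(req))


if __name__ == "__main__":
    # Constructed sample logins: HR staff inside hours from the office, HR staff after
    # hours, and an accounting user from the internet with an atypical source.
    samples = [
        AccessRequest("alice", {"hr"}, "hr_app", time(9, 0), "10.0.0.5"),
        AccessRequest("alice", {"hr"}, "hr_app", time(18, 30), "10.0.0.5"),
        AccessRequest("bob", {"accounting"}, "accounting_app", time(9, 0),
                      "203.0.113.7", typical_source=False),
    ]
    for req in samples:
        print(req.user, req.resource, decide(req))
```

The checks are deliberately layered in the order the post describes: the role table answers "who may reach this at all", the rule layer answers "when", and only a request that survives both is handed to the risk layer, which never grants or denies on its own but decides how much proof of identity to demand.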