Reader, I don’t know what it is. But in the past few months, I have been thinking more about online safety and privacy than before. Maybe it is the news I read or the general state of the world. You would have also noticed it, right?

Anyways, back to the subject of today’s letter: Staff or Admin?

Most of us know about these two roles in computer applications. If we join a new organization, we may get an orientation on the latest Operations Management Software or Attendance Management System, and we’d be marked “staff” in the system. And we accept it as a norm. But there’s more to it: there are four types.

The admin/staff access control we know is called Role-Based Access Control. That’s one of the four major types of access control.

1. Discretionary Access Control (DAC)

You must be using services like Google Drive, Dropbox, etc. When you want to share a file with someone, you add them to the file. Sometimes when you want to access someone’s files, you ask them to add you. The owner of the file decides, at their own discretion, who gets in; that is what makes it “discretionary”.

2. Mandatory Access Control (MAC)

In this type of access control, a central authority/policy provides a mandate about who can access what. This access control is implemented to protect confidential and sensitive information. There are no exceptions, and the users don’t have any real choice. For example, if you’re working in the banking sector, based on your clearance level, you may be privy to confidential information. The central authority/policy would have mandated that you have the privilege to access the confidential information. This also makes it easy to keep people accountable. If 500 out of 50,000 bank employees were privy to some confidential information, any breach of trust would narrow down to those 500 suspects.

Look at this decision diagram of the SELinux Security Server. It allows system administrators to implement MAC.

3. Role-Based Access Control (RBAC)

All of us are aware of this type of access control. So much so that I have seen people fight to gain an “admin” tag in their system. It helps some people gain social status in the workplace, because the “admin” role has more power and privilege than the “staff” or other roles.

See these Home Screens I created for one of my clients: Sachet Foundation

4. Attribute-Based Access Control (ABAC)

This last one is even more interesting and more complex than any of the other access control types. And it works in combination with other access control types. For example, look at this Azure Cloud Server’s access control. The IP address is used as the identifier attribute in this case. So, we have to add the IP addresses of the users to let them access the resource (in my case, the database). This is on top of the role-based access control: the user would need to have the username and password to log on to their app and, additionally, have the right IP address.

So, that’s about the four types of access controls. But now you might be wondering: “Which access control type should I choose?”

In most knowledge work, there is hardly any scenario where you have to make a choice, because there’s a default set in software systems. But if you’re developing a policy or getting software developed for your company, consider the following factors:
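To make the four types concrete, here is a small Python example I am adding to this letter. It is not code from Azure, SELinux, Google Drive or any other product mentioned above; the users, the payroll file, the clearance levels, the IP addresses and the allowed network are all constructed sample values. One request goes through all four models at once: RBAC decides what a role may do, MAC compares the user’s clearance with the file’s classification, DAC lets the owner keep a share list, and ABAC checks the connecting IP address against an allowlist, like the firewall rule on the Azure database. Access is denied unless every model agrees, and the checks that failed are returned so they can be logged, which is what makes the accountability point under MAC work in practice.

```python
"""Four access-control models combined in one default-deny decision.

Added example (hypothetical code, not from any product): a request is allowed
only when RBAC, MAC, DAC and ABAC all say yes; the names of the checks that
failed are returned so the caller can log them.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RBAC: a role maps to a fixed set of permissions; users are given roles,
# never individual permissions. Constructed sample roles.
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "share", "manage_users"},
    "staff": {"read", "write", "share"},
    "contractor": {"read"},
}

# MAC: ordered sensitivity labels set by a central policy; users cannot
# change their own clearance or a file's classification.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class User:
    name: str
    role: str
    clearance: str      # MAC label granted by the central authority
    source_ip: str      # ABAC attribute taken from the connection


@dataclass
class Resource:
    owner: str
    classification: str                              # MAC label on the data
    shared_with: set = field(default_factory=set)    # DAC: owner-managed share list
    allowed_networks: tuple = ("10.0.0.0/8",)        # ABAC: IP allowlist (sample)


def rbac_allows(user: User, action: str) -> bool:
    return action in ROLE_PERMISSIONS.get(user.role, set())


def mac_allows(user: User, resource: Resource) -> bool:
    # "No read up": the clearance must be at least the classification.
    return LEVELS[user.clearance] >= LEVELS[resource.classification]


def dac_allows(user: User, resource: Resource) -> bool:
    return user.name == resource.owner or user.name in resource.shared_with


def abac_allows(user: User, resource: Resource) -> bool:
    addr = ip_address(user.source_ip)
    return any(addr in ip_network(net) for net in resource.allowed_networks)


def share(resource: Resource, granter: User, grantee: str) -> bool:
    """DAC: only the owner may extend access, and only if their role may share."""
    if granter.name != resource.owner or not rbac_allows(granter, "share"):
        return False
    resource.shared_with.add(grantee)
    return True


def authorize(user: User, resource: Resource, action: str) -> tuple:
    """Default deny: every model must agree. Returns (decision, failed checks)."""
    failed = []
    if not rbac_allows(user, action):
        failed.append("rbac")
    if not mac_allows(user, resource):
        failed.append("mac")
    if not dac_allows(user, resource):
        failed.append("dac")
    if not abac_allows(user, resource):
        failed.append("abac")
    return (not failed, failed)


def build_scenario():
    """Constructed sample data: one confidential payroll file and three users."""
    payroll = Resource(owner="alice", classification="confidential")
    users = {
        "alice": User("alice", "staff", "confidential", "10.1.2.3"),
        "bob": User("bob", "staff", "internal", "10.1.2.4"),
        "carol": User("carol", "admin", "confidential", "203.0.113.5"),  # off-network admin
    }
    return users, payroll


if __name__ == "__main__":
    users, payroll = build_scenario()
    for name, action in (("alice", "read"), ("bob", "read"), ("carol", "manage_users")):
        ok, failed = authorize(users[name], payroll, action)
        print(f"{name} {action}: {'allowed' if ok else 'denied'} {failed}")
    print("alice shares with bob:", share(payroll, users["alice"], "bob"))
    print("bob read after share:", authorize(users["bob"], payroll, "read"))
```

Notice that the admin role alone does not get carol anywhere: RBAC and MAC pass for her, but she is neither owner nor on the share list and she is connecting from outside the allowed network, so the request is refused with both reasons recorded. Likewise, alice sharing the file with bob clears the DAC check but not the MAC one, because bob’s clearance is still below the file’s classification.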
Have you worked in a highly regulated industry? What are the security measures like? I have never worked in such an industry, so I’m curious how it is. Want to share anything else?

Reads of the week:

It is just that the design and planning of the whole integration need to be well-thought-out.