Access Control | OWASP Foundation (2024)

Overview

Access Control, also known as Authorization — is mediating access toresources on the basis of identity and is generally policy-driven(although the policy may be implicit). It is the primary securityservice that concerns most software, with most of the other securityservices supporting it. For example, access control decisions aregenerally enforced on the basis of a user-specific policy, andauthentication is the way to establish the user in question. Similarly,confidentiality is really a manifestation of access control,specifically the ability to read data. Since, in computer security,confidentiality is often synonymous with encryption, it becomes atechnique for enforcing an access-control policy.

Policies that are to be enforced by an access-control mechanismgenerally operate on sets of resources; the policy may differ forindividual actions that may be performed on those resources(capabilities). For example, common capabilities for a file on a filesystem are: read, write, execute, create, and delete. However, there areother operations that could be considered “meta-operations” that areoften overlooked — particularly reading and writing file attributes,setting file ownership, and establishing access control policy to any ofthese operations.

Often, resources are overlooked when implementing access controlsystems. For example, buffer overflows are a failure in enforcingwrite-access on specific areas of memory. Often, a buffer overflowexploit also accesses the CPU in a manner that is implicitlyunauthorized as well.

Definition

Access control and Authorization mean the same thing. Access controlgoverns decisions and processes of determining, documenting and managingthe subjects (users, devices or processes) that should be granted accessand the objects to which they should be granted access; essentially,what is allowed. Access controls also govern the methods and conditionsof enforcement by which subjects (users, devices or processes) areallowed to or restricted from connecting with, viewing, consuming,entering into or making use of identified information resources(objects).

Principle of Least Privilege

In security, the Principle of Least Privilege encourages systemdesigners and implementers to allow running code only the permissionsneeded to complete the required tasks and no more. When designing webapplications, the capabilities attached to running code should belimited in this manner. This spans the configuration of the web andapplication servers through the business capabilities of business logiccomponents.

See Also
Access Control Systems & SolutionsControl programming software strategies for industrial systems | Control EngineeringLearn About Access Controls With Online Courses and ProgramsBest access control systems of 2024

Far too often, web and application servers run at too great a permissionlevel. They execute using privileged accounts such as root in UNIXenvironment or LOCALSYSTEM in Windows environments. When web andapplication servers run as root or LOCALSYSTEM, the processes and thecode on top of these processes run with all of the rights of theseusers. Malicious code will execute with the authority of the privilegedaccount, thus increasing the possible damage from an exploit. Web andapplication servers should be executed under accounts with minimalpermissions.

The database accounts used by web applications often have privilegesbeyond those actually required or advisable. Allowing web applicationsto use sa or other privileged database accounts destroys the databaseserver’s ability to defend against access to or modification ofunauthorized resources. Accounts with db_owner equivalent privilegessuch as schema modification or unlimited data access typically have farmore access to the database than is required to implement applicationfunctionality. Web applications should use one or more lesser-privilegedaccounts that are prevented from making schema changes or sweepingchanges to or requests for data.

The J2EE and .NET platforms provide developers the ability to limit thecapabilities of code running inside of their virtual machines. Often webapplications run in environments with AllPermission (Java) or FullTrust(.NET) turned on. This limits the ability of the virtual machine tocontrol the actions of code running under its control. Implementing codeaccess security measures is not only useful for mitigating risk whenrunning untrusted code – it can also be used to limit the damage causedby compromises to otherwise trusted code.

Finally, the business logic of web applications must be written withauthorization controls in mind. Once a user has authenticated to therunning system, their access to resources should be limited based ontheir identity and roles. In addition, users’ attempts to performactions should also be authorized. Both the J2EE and ASP.NET webapplication platforms provide the ability to declaratively limit auser’s access to web resources by their identity and roles (asconfigured in web.xml and web.config respectively). The J2EE platformprovides controls down to the method-level for limiting user access tothe capabilities of EJB components. By designing file resource layoutsand components APIs with authorization in mind, these powerfulcapabilities of the J2EE and .NET platforms can be used to enhancesecurity.

Centralized Authorization Routines

A common mistake is to perform an authorization check by cutting andpasting an authorization code snippet into every page containingsensitive information. Worse yet would be re-writing this code for everypage. Well written applications centralize access control routines, soif any bugs are found, they can be fixed once and the results applythroughout the application immediately.

See Also
Field Guide to Access Control: Access Control: Technology Overview

Controlling Access to Protected Resources

Some applications check to see if a user is able to undertake aparticular action, but then do not check if access to all resourcesrequired to complete the requested action is allowed. For example, forumsoftware may check to see if a user is allowed to reply to a previousmessage, but then fails to check that the requested message is notwithin a protected or hidden forum or thread. Another example would bean Internet Banking application that checks to see if a user is allowedto transfer money, but does not validate that the “from account” is oneof the user’s accounts.

Some Generic Types of Access Controls:

When thinking of access control, you might first think of the ability tologin to a system or access files or a database. Access can becontrolled, however, at various levels and with respect to a wide rangeof subjects and objects. Some examples include:

  • Network access - the ability to connect to a system or service;
  • At the host - access to operating system functionality;
  • Physical access - at locations housing information assets or physical access to the assets themselves;
  • Restricted functions - operations evaluated as having an elevated risk, such as financial transactions, changes to system configuration, or security administration.

Resource access may refer not only to files and database functionality,but to:

  • applications or APIs;
  • specific application screens or functions;
  • specific data fields;
  • memory;
  • private or protected variables;
  • storage media;
  • transmission media;
  • In short, any object used in processing, storage or transmission of information.

Access Control Models:

Discretionary access controls are based on the identity andneed-to-know of subjects and/or the groups to which they belong. Theyare discretionary in the sense that a subject with certain accesspermissions is capable of passing on that access, directly orindirectly, to other subjects.

Mandatory access controls are based on the sensitivity of theinformation contained in the objects / resources and a formalauthorization. They are mandatory in the sense that they restrainsubjects from setting security attributes on an object and from passingon their access.

From the perspective of end-users of a system, access control should bemandatory whenever possible, as opposed to discretionary. Mandatoryaccess control means that the system establishes and enforces a policyfor user data, and the user does not get to make their own decisions ofwho else in the system can access data. In discretionary access control,the user can make such decisions. Enforcing a conservative mandatoryaccess control policy can help prevent operational security errors,where the end user does not understand the implications of grantingparticular privileges. It usually keeps the system simpler as well.

Mandatory access control is also worth considering at the OS level,where the OS labels data going into an application and enforces anexternally defined access control policy whenever the applicationattempts to access system resources. While such technologies are onlyapplicable in a few environments, they are particularly useful as acompartmentalization mechanism, since — if a particular application getscompromised — a good MAC system will prevent it from doing much damageto other applications running on the same machine.

Role-based access controls (RBAC) are based on the roles played byusers and groups in organizational functions. Roles, alternativelyreferred to as security groups, include collections of subjects that allshare common needs for access. Authorization for access is then providedto the role or group and inherited by members.

Attribute-based access control (ABAC) is a newer paradigm based onproperties of an information exchange that may include identifiedattributes of the requesting entity, the resource requested, or thecontext of the exchange or the requested action. Some examples ofcontextual attributes are things such as:

  • time of day;
  • location;
  • currently evaluated threat level;
  • required hygiene measures implemented on the respective hosts.

In general, in ABAC, a rules engine evaluates the identified attributesto issue an authorization decision.

Examples of Access Controls in Software:

  • Account management;
  • Mapping of user rights to business and process requirements;
  • Mechanisms that enforce policies over information flow;
  • Limits on the number of concurrent sessions;
  • Session lock after a period of inactivity;
  • Session termination after a period of inactivity, total time of use or time of day;
  • Limitations on the number of records returned from a query (data mining);
  • Features enforcing policies over segregation of duties;
  • Segregation and management of privileged user accounts;
  • Implementation of the principle of least privilege for granting access;
  • Requiring VPN (virtual private network) for access;
  • Dynamic reconfiguration of user interfaces based on authorization;
  • Restriction of access after a certain time of day.
  1. OWASP Access Control Cheat Sheet
Access Control | OWASP Foundation (2024)
Top Articles
Easy Stewed Pears Recipe
Gordon Ramsay Gnocchi Recipe - TheFoodXP
Unrestricted Land In Florida
Calf Huts For Sale Craigslist
Latest Posts
Raspberry Mead – Micro Batch Recipe
Updated No-Knead Bread Recipe
Article information

Author: Fr. Dewey Fisher

Last Updated:

Views: 6269

Rating: 4.1 / 5 (42 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Fr. Dewey Fisher

Birthday: 1993-03-26

Address: 917 Hyun Views, Rogahnmouth, KY 91013-8827

Phone: +5938540192553

Job: Administration Developer

Hobby: Embroidery, Horseback riding, Juggling, Urban exploration, Skiing, Cycling, Handball

Introduction: My name is Fr. Dewey Fisher, I am a powerful, open, faithful, combative, spotless, faithful, fair person who loves writing and wants to share my knowledge and understanding with you.