Subject, object, operation and permission
From Erights
(→See also) |
|||
Line 14: | Line 14: | ||
The same notions are defined also [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)] | The same notions are defined also [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security Object (access control)] | ||
- | Wikipedia also contains [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security similar definitions]. | + | Wikipedia also contains [http://en.wikipedia.org/wiki/Subject_(access_control)#Computer_security similar definitions]. We do not encourage you to read that page. |
Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''. | Description of similar notions can be found in Section 5.5 (Protection Mechanisms) in [http://www.amazon.com/Operating-Systems-Implementation-Prentice-Software/dp/0131429388/ref=sr_1_14?ie=UTF8&s=books&qid=1245137182&sr=8-14 The MINIX Book]. They use a term '''domain''' instead of '''subject'''. |
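Review bot: the sentence added on the + side, "We do not encourage you to read that page.", gives no reason, so readers get an unexplained warning next to a link the page still offers. Either state briefly what is wrong with the Wikipedia definitions or drop the sentence. The changed line also links the same URL as the unchanged context line above it, whose link text "Object (access control)" does not match the Subject_(access_control) target, so the two sentences could be merged into one with a corrected link.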
Revision as of 10:58, 19 June 2009
Definition
From a security point of view, we recognize subjects and objects.
Subjects are active entities (e.g. UNIX processes) with some behavior. Subjects can designate objects and try to perform some supported operations on them.
Which operations can be performed on an object depends on its type.
In general, the set of existing objects and subjects changes over time.
Permissions are a relation that defines which operations on which objects are permitted for particular subjects. One way to capture permissions is the protection matrix.
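A minimal protection matrix, as an added example that is not part of the original page: the permissions relation is stored as cells keyed by (subject, object), each holding the permitted operations. The names used (`ProtectionMatrix`, `TYPE_OPS`, the `pid-*` subjects and the sample objects) are assumptions constructed for illustration.

```python
# Added example; all names and sample data are constructed for illustration.
from dataclasses import dataclass, field

# Operations supported by each object type (operations depend on the type).
TYPE_OPS = {"file": {"read", "write"}, "socket": {"send", "recv"}}

@dataclass
class ProtectionMatrix:
    subjects: set = field(default_factory=set)
    objects: dict = field(default_factory=dict)  # object name -> type
    cells: dict = field(default_factory=dict)    # (subject, object) -> ops

    def add_subject(self, s):
        self.subjects.add(s)

    def add_object(self, o, otype):
        if otype not in TYPE_OPS:
            raise ValueError(f"unknown object type: {otype}")
        self.objects[o] = otype

    def permit(self, s, o, op):
        if s not in self.subjects or o not in self.objects:
            raise KeyError("unknown subject or object")
        if op not in TYPE_OPS[self.objects[o]]:
            raise ValueError(f"{op!r} is not an operation of this object type")
        self.cells.setdefault((s, o), set()).add(op)

    def is_permitted(self, s, o, op):
        # Default deny: a missing or empty cell permits nothing.
        return op in self.cells.get((s, o), set())

    def remove_object(self, o):
        # The set of objects changes over time. Drop the whole column so a
        # later object reusing the name does not inherit old permissions.
        del self.objects[o]
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}

    def row(self, s):
        """Everything one subject is permitted to do (one matrix row)."""
        return {o: set(ops) for (subj, o), ops in self.cells.items() if subj == s}

def demo():
    m = ProtectionMatrix()
    m.add_subject("pid-101")
    m.add_subject("pid-202")
    m.add_object("/etc/motd", "file")
    m.add_object("sock-7", "socket")
    m.permit("pid-101", "/etc/motd", "read")
    m.permit("pid-202", "sock-7", "send")
    return m
```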
See also
The same notions are also defined in Object (access control). Wikipedia also contains similar definitions. We do not encourage you to read that page.
A description of similar notions can be found in Section 5.5 (Protection Mechanisms) in The MINIX Book. They use the term domain instead of subject.
People (outside the capability community) often confuse the following two terms:
- permissions (defined in this article)
- and authority.
A real security audit cannot be performed without determining the authority of particular subjects.