Implementing and Managing Authorization Mechanisms

This course is the final module of Domain 5 of the CISSP, covering Identity and Access Management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Identity as a Service
  • Integrating 3rd party identity services
  • Implementing and managing authorization mechanisms
  • Preventing or mitigating access control attacks
  • Managing the Identity and access provisioning lifecycle

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


We're moving into section seven, where we're going to look at the implementation and management of authorization mechanisms. The access control function that you see here outlines three essential qualities and entities: functions, actors and controls. Together these give us three things: the who (the actors), the what (the capabilities or functions), and the where, or from where (the geography of locations).

So let's look at the capabilities and constraints. Each of the functions, constituting the what, is performed by an actor, constituting the who, originating from a particular location, the from where, which may be either physical or logical. In our table, down the side we have the functions the actors can perform: access, process and store. Across the top we have the phases of the data lifecycle: create, store, use, share, archive and destroy, representing the spectrum of capabilities that are available. The Xs in the boxes are arbitrary ones, just to illustrate the combinations.

The controls act as mechanisms to restrict the list of possible actions down to the allowed or permitted actions. To determine the necessary controls to be deployed, we first have to define the functions performed on the data, the locations of the data and the actors who will act upon the data. In building these tables, or tying them together, we bring the who, the what and the where attributes together and integrate them into the phases of the data lifecycle. You see this in the lower left of the box containing the table, with the actors, the functions and the locations. This is done so that proper and compliant provisioning can take place, ensuring that access, when it is granted, aligns with policy and with the functional requirements.

Now in every system we have what's called the security reference monitor. This is an abstract machine, a concept rather than one particular program, that mediates and controls all subject access attempts to all objects. Every secure system, whether virtual or physical, implements one in some form. Accompanying the reference monitor concept is the security kernel: the hardware, firmware and software inside the OS kernel that implements the reference monitor concept, holds the rule set embodying the system security policy and enforces the decisions the reference monitor makes. The three main requirements of the security kernel and the reference monitor are these. The security kernel must provide isolation for the processes carrying out the reference monitor concept and must be tamper proof. The reference monitor must be invoked for each and every access attempt and must be impossible to circumvent. And the reference monitor, as implemented, must be small enough to be tested and verified in a complete and comprehensive manner. When I say complete and comprehensive, I mean that every possible scenario, every possible pathway by which a subject can access an object and manipulate it in any way, must be subject to the intervention and mediation of the reference monitor.

Here you have a graphical representation of the way the reference monitor is positioned between subjects and objects. The reference monitor, which embodies the policy, acts as the mediator between subjects and objects. Below it you see the reference monitor accessing the security kernel. When a subject attempts to access an object, the reference monitor intercepts the attempt. It then consults the security kernel's rules database to determine whether that subject is permitted to access that object in that particular mode. On a positive answer, the reference monitor allows the subject to proceed with its attempted action; if the access is not allowed, it prevents the subject from acting upon the object. In all cases, the subject's attempt, whether successful or not, is written out to an audit file, which provides the accountability function.
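The two passages above, the who/what/where table and the reference monitor, can be tied together in a small working model. This is an added example, not code from the course: the security kernel's rules database is keyed on (actor, function, location) triples of the kind the table shows, the reference monitor is the only path from a subject to an object, and every attempt is audited whether it succeeds or not. All actor, object and location names are constructed for illustration.

```python
"""Reference monitor with complete mediation and audit (added example).

The security kernel's rules database encodes who / what / where triples:
an actor (who) may perform a function (what) on a data object only from
a permitted location (where). Every attempt, allowed or denied, is
written to the audit log, and the only path from a subject to an object
is ReferenceMonitor.access(). Names below are constructed, not real.
"""
from dataclasses import dataclass

# Constructed rule database: (actor, function, location) -> objects permitted.
RULES = {
    ("alice", "read", "hq"): {"payroll.db", "handbook.pdf"},
    ("alice", "write", "hq"): {"payroll.db"},
    ("alice", "read", "remote"): {"handbook.pdf"},
    ("bob", "read", "hq"): {"handbook.pdf"},
}


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    obj: str
    mode: str
    location: str
    allowed: bool


class SecurityKernel:
    """Holds the rule set that embodies the security policy."""

    def __init__(self, rules):
        self._rules = rules

    def permits(self, subject, obj, mode, location):
        return obj in self._rules.get((subject, mode, location), set())


class ReferenceMonitor:
    """Mediates every subject -> object access and records each attempt."""

    def __init__(self, kernel, store):
        self._kernel = kernel
        self._store = store  # objects live here; callers never see the dict
        self.audit = []

    def access(self, subject, obj, mode, location, payload=None):
        allowed = self._kernel.permits(subject, obj, mode, location)
        # Accountability: the record is written whether or not access succeeds.
        self.audit.append(AuditRecord(subject, obj, mode, location, allowed))
        if not allowed:
            raise PermissionError(f"{subject} may not {mode} {obj} from {location}")
        if mode == "read":
            return self._store[obj]
        if mode == "write":
            self._store[obj] = payload
            return payload
        raise ValueError(f"unsupported mode {mode!r}")


def run_requests(monitor, requests):
    """Submit (subject, obj, mode, location, payload) tuples; return outcomes."""
    outcomes = []
    for subject, obj, mode, location, payload in requests:
        try:
            monitor.access(subject, obj, mode, location, payload)
            outcomes.append("allowed")
        except PermissionError:
            outcomes.append("denied")
    return outcomes


def demo():
    store = {"payroll.db": "salary rows", "handbook.pdf": "policies"}
    monitor = ReferenceMonitor(SecurityKernel(RULES), store)
    requests = [
        ("alice", "payroll.db", "read", "hq", None),
        ("alice", "payroll.db", "read", "remote", None),   # wrong location
        ("alice", "payroll.db", "write", "hq", "updated rows"),
        ("bob", "payroll.db", "read", "hq", None),         # wrong actor
        ("bob", "handbook.pdf", "read", "hq", None),
    ]
    outcomes = run_requests(monitor, requests)
    return outcomes, monitor.audit, store


if __name__ == "__main__":
    outcomes, audit, _ = demo()
    for rec, out in zip(audit, outcomes):
        print(f"{rec.subject:6} {rec.mode:5} {rec.obj:13} from {rec.location:6} -> {out}")
```

Note that the denied attempts (alice reading payroll from a remote location, bob reading payroll at all) appear in the audit log alongside the successes; a monitor that only logged successes would lose exactly the records an investigation needs.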

Now the models in which all of these accesses are going to be made are these. Beginning with discretionary access control, or DAC. This is one that is very commonly implemented. It places the controls in the hands of the data owner, to allow or deny access by anyone else requesting it. It is the data owner who determines who has access to the data and what privileges they will have in doing so. Discretionary controls represent a very early form of access control. They also represent a very direct and administratively simple form of access control. But they are tedious, because each and every subject-object interaction has to be configured by the owner of the given resource individually.

Next we have rule-based access control. Here access is based on policy-defined rules that determine whether access is granted to the subject. We commonly find these in many of our network devices, such as switches, routers and firewalls. The rules, created or authorized by system owners or by organizational policy, specify the privileges granted to users when the specific condition of the rule is met. A stricter, system-enforced model is mandatory access control, or MAC. This requires the system itself to manage access controls in accordance with the organization's security policy. It has typically been used in classified environments, for systems and data that are highly sensitive. It is based on cooperative interaction between the system and the information owner: the information is labeled by its owner or classifying authority, and the system enforces the labels. Some conditions that apply to mandatory access control are that there is no longer any discrete information ownership assigned to any individual; by definition, the system itself owns everything. All users must have a clearance that matches the level of the system before they are even authorized to access it, let alone the resources that it houses. And every change made in a mandatory access control system, such as reclassifying an object or altering a clearance, is global in its effect.
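The difference between DAC and MAC is easiest to see when the same requests are run through both. This is an added example, not course code. Under DAC each object has an owner who alone edits its access list; under MAC the system owns everything and decides purely by comparing the subject's clearance label with the object's classification label. The MAC side goes slightly beyond the slide by using the standard lattice rules (a subject may read an object its clearance dominates, and may write only to objects that dominate its clearance), and it shows that relabeling an object changes the answer for every subject at once. Levels, compartments and names are constructed for illustration.

```python
"""DAC and MAC applied to the same requests (added example).

DAC: the owner of an object is the only party that can change its ACL.
MAC: labels (level + compartments) are held by the system; users cannot
alter them, and a label change affects every subject. Constructed data.
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class Label:
    """Classification or clearance: a level plus a set of compartments."""

    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        # Higher-or-equal level AND a superset of compartments.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


class DACObject:
    """Discretionary: only the owner may grant access."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, by, to, mode):
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        self.acl.setdefault(to, set()).add(mode)

    def check(self, subject, mode):
        return mode in self.acl.get(subject, set())


class MACSystem:
    """Mandatory: the system holds all labels and makes every decision."""

    def __init__(self):
        self.clearances = {}
        self.classifications = {}

    def check(self, subject, obj, mode):
        s = self.clearances[subject]
        o = self.classifications[obj]
        if mode == "read":    # no read up: clearance must dominate object
            return s.dominates(o)
        if mode == "write":   # no write down: object must dominate clearance
            return o.dominates(s)
        return False


def dac_demo():
    doc = DACObject(owner="alice")
    doc.grant("alice", "bob", "read")
    out = {
        "bob_read": doc.check("bob", "read"),      # True, granted by owner
        "bob_write": doc.check("bob", "write"),    # False, never granted
    }
    try:
        doc.grant("bob", "carol", "read")         # bob is not the owner
        out["bob_can_grant"] = True
    except PermissionError:
        out["bob_can_grant"] = False
    return out


def mac_demo():
    mac = MACSystem()
    mac.clearances["alice"] = Label("secret", {"crypto"})
    mac.clearances["bob"] = Label("confidential")
    mac.classifications["plan.doc"] = Label("secret", {"crypto"})
    mac.classifications["memo.txt"] = Label("confidential")
    out = {
        "alice_read_plan": mac.check("alice", "plan.doc", "read"),    # True
        "bob_read_plan": mac.check("bob", "plan.doc", "read"),        # False
        "bob_write_plan": mac.check("bob", "plan.doc", "write"),      # True
        "alice_write_memo": mac.check("alice", "memo.txt", "write"),  # False
    }
    # A label change is global: reclassifying memo.txt affects every subject.
    mac.classifications["memo.txt"] = Label("top_secret")
    out["bob_read_memo_after"] = mac.check("bob", "memo.txt", "read")  # False
    return out


if __name__ == "__main__":
    print(dac_demo())
    print(mac_demo())
```

Under DAC, bob's access to the document exists only because alice chose to grant it, and bob cannot pass it on. Under MAC, nobody "chooses" anything per request: the labels decide, and the single reclassification at the end silently revokes bob's read on the memo without any ACL being touched.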

One that has gained much popularity in recent years is role-based access control, or RBAC. This is a very common form of what is called non-discretionary access control. It bases its control on authorizations associated with roles or functions that are assigned to the user. Determination of which roles have access to a resource is controlled by the resource owner, which in turn is controlled by policy.

Now role-based access control can come in a variety of forms. Starting with non-RBAC: here access control is assigned individually to the person, in the same manner as discretionary access control. Permissions are therefore assigned directly to the subject and implemented one by one. Moving up to limited RBAC, the user accesses authorized applications, and each application assigns the user a role within that application. In the diagram you see Bob, our subject, accessing applications one, two and three; by accessing application one, he is assigned role A within application one.

In like manner, Bob's accessing application two assigns him role B. These two role assignments coexist alongside application three, which assigns him no role but applies rules to him directly based on his access profile. Moving up one step further, hybrid RBAC combines elements of limited RBAC and full RBAC. In the picture you see Bob logging into role A and, through that role, being able to access applications one and two. When he logs into application three, the successful login puts him in role B.

Moving up to full RBAC, access to applications is enabled as permitted by the role, the reverse of limited RBAC, where it was the application that granted the role. So here, when Bob logs in, he is given role A to begin with, and through role A he is able to access all the resources to which that role has been assigned privileges.

The benefit of a role-based access control system is that it is easily modeled after the organizational or functional structure of an organization. Be sure to make the distinction between functional structure and job titles. Job titles do not necessarily reflect the functions that a person working inside a system needs to execute to be successful in the role, so job title and functional role are not necessarily equivalent. Modeling on functional roles simplifies accounting for the movement of personnel around an organization and adjusting their information access accordingly as they change functional roles.

In general, as I mentioned, role-based access control is a form of non-discretionary access control. Non-discretionary access control is based on the centralized assignment of permissions, such as read, write and execute on the files of a system, and it requires the administrator to define and tightly control the access rules. In the case of role-based access control, non-discretionary means that once the individual has signed into a role, it is the role that controls everything the subject is able to access, and the individual no longer exercises any discretion over it.
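The full-RBAC behaviour described above, where Bob's access is whatever his active role carries and moving him to a new function is a role change rather than a permission-by-permission rewrite, can be modeled directly. This is an added example, not course code; it also includes a role hierarchy (a role inheriting another role's permissions), which the slides do not show but which standard RBAC supports. Role, user and permission names are constructed for illustration.

```python
"""Full role-based access control (added example).

Permissions attach to roles, never to users. A user activates one of
their assigned roles for a session; the session can do exactly what the
active role (and any roles it inherits from) permits. Changing a
person's function is a role reassignment. Constructed names throughout.
"""


class RBAC:
    def __init__(self):
        self.role_perms = {}     # role -> set of (operation, object)
        self.role_parents = {}   # role -> roles whose permissions it inherits
        self.user_roles = {}     # user -> roles the user may activate

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_perms(self, role):
        """Permissions of a role plus everything it inherits, transitively."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms[r]
            stack.extend(self.role_parents[r])
        return perms

    def activate(self, user, role):
        """Start a session in a role; fails if the user is not assigned it."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned role {role}")
        return Session(self, user, role)


class Session:
    """Once signed into a role, only the role's permissions apply."""

    def __init__(self, rbac, user, role):
        self.user, self.role = user, role
        self._perms = rbac.effective_perms(role)

    def can(self, op, obj):
        return (op, obj) in self._perms


def demo():
    rbac = RBAC()
    rbac.add_role("clerk", {("read", "ledger"), ("append", "ledger")})
    rbac.add_role("auditor", {("read", "ledger"), ("read", "audit_log")})
    rbac.add_role("controller", {("approve", "ledger")}, inherits={"clerk"})

    rbac.assign("bob", "clerk")
    s = rbac.activate("bob", "clerk")
    out = {
        "clerk_append": s.can("append", "ledger"),     # True
        "clerk_audit": s.can("read", "audit_log"),     # False
    }

    # Bob moves to the audit function: one revoke, one assign, no ACL edits.
    rbac.revoke("bob", "clerk")
    rbac.assign("bob", "auditor")
    s2 = rbac.activate("bob", "auditor")
    out["auditor_append"] = s2.can("append", "ledger")   # False
    out["auditor_audit"] = s2.can("read", "audit_log")   # True
    try:
        rbac.activate("bob", "clerk")                    # old role is gone
        out["old_role_active"] = True
    except PermissionError:
        out["old_role_active"] = False

    # Hierarchy: controller inherits clerk's permissions plus its own.
    rbac.assign("carol", "controller")
    c = rbac.activate("carol", "controller")
    out["controller_append"] = c.can("append", "ledger")  # True
    out["controller_approve"] = c.can("approve", "ledger")  # True
    return out


if __name__ == "__main__":
    print(demo())
```

The session object is the point of the model: nothing about bob personally is consulted at check time, only the role he activated. That is what "non-discretionary" means in practice here, and it is also why revoking the old role is enough to remove the old access completely.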

We have other types of non-discretionary access control. Originator-controlled access (ORCON) assigns parameters, set by the originator of the information, that control its access and usage over the information's lifecycle. Digital rights management (DRM), sometimes called IRM or information rights management, is used to control access to intellectual property and its portability among platforms. It relies on cryptographic features, typically encrypting the content and binding the decryption key to a license, to preserve authenticity and enforce usage restrictions. Usage control (UCON) applies time-based controls managing the quantity and frequency of object access. My recommendation on this particular slide is to be sure you're familiar with the distinct definitions of these three types of non-discretionary access control, to avoid confusion on the exam questions.
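A usage-controlled object of the kind the passage describes, as an added example that is not course code: the parameters attached to the object set an expiry time, a maximum total number of uses and a minimum interval between uses, and every use is checked against all three and counted. The clock is passed in rather than read from the system so the run is deterministic; the object, its policy values and the timestamps are constructed for illustration.

```python
"""Usage control (UCON) on a single object (added example).

Three parameters travel with the object: when it expires, how many
times in total it may be used, and how closely spaced uses may be.
The clock is injected so the example runs the same way every time.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UsagePolicy:
    expires_at: float   # no use at or after this time
    max_uses: int       # total quantity of accesses allowed
    min_interval: float  # minimum seconds between consecutive uses


@dataclass
class ControlledObject:
    content: str
    policy: UsagePolicy
    uses: int = 0
    last_use: Optional[float] = None

    def use(self, now):
        """Return the content if the policy allows a use at time `now`."""
        p = self.policy
        if now >= p.expires_at:
            raise PermissionError("expired")
        if self.uses >= p.max_uses:
            raise PermissionError("use count exhausted")
        if self.last_use is not None and now - self.last_use < p.min_interval:
            raise PermissionError("too frequent")
        # Only a permitted use is counted and timestamped.
        self.uses += 1
        self.last_use = now
        return self.content


def demo():
    """Drive one object through a constructed sequence of access times."""
    obj = ControlledObject(
        "quarterly report",
        UsagePolicy(expires_at=100.0, max_uses=3, min_interval=10.0),
    )
    log = []
    for t in (0, 5, 15, 30, 45, 120):
        try:
            obj.use(t)
            log.append((t, "ok"))
        except PermissionError as e:
            log.append((t, str(e)))
    return log


if __name__ == "__main__":
    for t, outcome in demo():
        print(f"t={t:>3}: {outcome}")
```

Note the ordering of the checks: a denied attempt (too frequent, exhausted) does not consume a use, and expiry is tested before the count so an expired object reports the reason that matters rather than whichever limit happens to trip first.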

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP certification in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. Leo is an ISC2 Certified Instructor.