- It shows a logical picture of security services and their interactions during a user logging into a system.
- Authorization (access control) should be done after authentication, since it is the authentication service that establishes the correct user identity.
- Authentication and access control services should be audited to provide better security.
- It is highly desirable to develop access control mechanisms that are largely independent of the policy for which they could be used.
- The access matrix provides a conceptual model that specifies the rights (privileges) that each subject (user or program) has for each object.
- An access matrix is usually implemented as an ACL (access control list), capabilities or authorization relations.
- There are three types of access control policies: mandatory, discretionary and role-based.
Sandhu et al., Access Control: Principles and Practice, IEEE Communications, 1994
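The access matrix and its three implementations, together with the authenticate-then-authorize-then-audit flow from the notes above, as an added example (this is not code from the Sandhu et al. paper). The subjects, objects, session table and function names are constructed for illustration; a real system would verify credentials rather than look up a session table.

```python
# Added example (not from the Sandhu et al. paper): an access matrix, the three
# ways it is commonly stored, and an authenticate -> authorize -> audit request flow.
from collections import defaultdict

# Constructed sample matrix: subject -> object -> set of rights (hypothetical names).
ACCESS_MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":        {"report.txt": {"read", "write"}},
    "backup_svc": {"payroll.db": {"read"}, "report.txt": {"read"}},
}

# Constructed stand-in for the authentication service's output: session -> identity.
AUTHENTICATED_SESSIONS = {"sess-1": "alice", "sess-2": "bob"}


def to_acls(matrix):
    """Column-wise view: each object carries the subjects and their rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Row-wise view: each subject carries the objects it may access."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def to_authorization_relation(matrix):
    """Flat view: (subject, object, right) triples, as a DBMS table would store them."""
    return {(s, o, r)
            for s, row in matrix.items()
            for o, rights in row.items()
            for r in rights}


def revoke_all_access_to(acls, obj):
    """Per-object revocation is a single lookup in the ACL representation."""
    acls.pop(obj, None)


def revoke_all_rights_of(caps, subject):
    """Per-subject revocation is a single lookup in the capability representation."""
    caps.pop(subject, None)


def authorize(acls, subject, obj, right):
    """Access decision over the ACL view; anything not explicitly granted is denied."""
    return right in acls.get(obj, {}).get(subject, set())


def handle_request(session_id, obj, right, acls, audit_log):
    """Authentication first, then authorization; both outcomes are written to the audit log."""
    subject = AUTHENTICATED_SESSIONS.get(session_id)
    if subject is None:
        audit_log.append(("auth_fail", session_id, obj, right))
        return False
    granted = authorize(acls, subject, obj, right)
    audit_log.append(("authz", subject, obj, right, "grant" if granted else "deny"))
    return granted


if __name__ == "__main__":
    acls = to_acls(ACCESS_MATRIX)
    log = []
    print(handle_request("sess-2", "payroll.db", "read", acls, log))   # False: bob holds no right
    print(handle_request("sess-1", "payroll.db", "write", acls, log))  # True
    print(handle_request("sess-9", "report.txt", "read", acls, log))   # False: not authenticated
    for entry in log:
        print(entry)
```

The three views carry identical information; they differ in which question is cheap to answer. ACLs make "who can access this object?" and per-object revocation a single lookup, capabilities make "what can this subject access?" and per-subject revocation a single lookup, and the authorization relation is what a relational DBMS stores so that either question becomes a query.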