Authorization

Besides allowing or disallowing access and besides enforcing the principle of least privilege, authorization also consists of tracking user access, both for the detection of authorization issues and to prevent repudiation of a user's past actions. (How did we define non-repudiation?)

One way to keep track of authorization given to a user is by recording granted/denied authorizations in a log file. See this CISC 3320 slide with an example of a log file.

Back to slide 55, we can define the conceptual function 'access' as follows:

access(Subject, Object, Mode of Access) = yes/no

That is, the access function will return one of two possible values: yes or no depending on the Subject (a user or program that can perform an action), and Object (an entity, e.g., a file, that can be accessed/modified) and Mode of Access (means by which the Subject requests to access the Object.)