
Access Granularity (Dictionary Entry)


Contexts

IAM, Information Security

Term

Access Granularity

Alternative Forms

Definitions

Related Terms

  • Information Asset

  • Information Asset Granularity

Quotes

Degree of Granularity – Typically, more simplistic structures such as ACLs or IBAC may be adequate when coarse access decisions are needed, such as the ability to gain access to an enterprise based on membership in an organization. On the other hand, implementing fine-grained controls may be more suitable for granting access to information, where many factors may have to be considered to implement formal release policies established for each information object requested. Here an ABAC or PBAC structure may be more suitable.

(Farroha and Farroha, 2012, p. 3)

Access granularity defines the storage unit to control data access – e.g., at the tuple, table or database level.

(Sasaoka and Medeiros, 2006, p. 111)
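The two quotes above describe the same idea from different angles: a decision can be made at a coarse unit (organisation membership, whole database) or at a fine unit (the individual tuple, with several attributes considered). The following is an added illustration, not code from any of the cited papers; the policies (`DATABASE_ACL`, `TABLE_ROLES`, the region rule) and the request data are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request: who is asking, and which storage unit is being touched."""
    user: str
    attrs: dict      # user attributes, e.g. {"org": "acme", "role": "analyst", "region": "eu"}
    database: str
    table: str
    row: dict        # the tuple under consideration, e.g. {"id": 7, "region": "eu"}


# --- constructed sample policies (assumptions for this example) ---
# Coarse, ACL-style: which organisations may reach a database at all.
DATABASE_ACL = {"finance_db": {"acme"}}
# Medium: which roles may read a given table.
TABLE_ROLES = {
    ("finance_db", "salaries"): {"hr", "payroll"},
    ("finance_db", "ledger"): {"analyst", "hr", "payroll"},
}


def database_level(req: Request) -> bool:
    """Coarse decision: organisation membership grants access to the whole database."""
    return req.attrs.get("org") in DATABASE_ACL.get(req.database, set())


def table_level(req: Request) -> bool:
    """Table-level decision keyed on the requester's role."""
    return req.attrs.get("role") in TABLE_ROLES.get((req.database, req.table), set())


def tuple_level(req: Request) -> bool:
    """Fine-grained, attribute-based rule evaluated per row: regions must match."""
    return req.row.get("region") == req.attrs.get("region")


# Ordered from coarsest to finest; a finer granularity also applies every coarser check.
LEVELS = [("database", database_level), ("table", table_level), ("tuple", tuple_level)]


def decide(req: Request, granularity: str):
    """Return (allowed, checks_applied) for the requested access granularity."""
    names = [name for name, _ in LEVELS]
    if granularity not in names:
        raise ValueError(f"unknown granularity: {granularity}")
    applied = []
    for name, check in LEVELS[: names.index(granularity) + 1]:
        applied.append(name)
        if not check(req):
            return False, applied   # first failing unit ends the evaluation
    return True, applied


if __name__ == "__main__":
    req = Request("alice", {"org": "acme", "role": "analyst", "region": "eu"},
                  "finance_db", "ledger", {"id": 7, "region": "us"})
    for level in ("database", "table", "tuple"):
        print(level, decide(req, level))
```

The same request is allowed when the system only decides at database or table granularity and denied once the row's region attribute is considered, which is the trade-off the Farroha quote points at: coarser units are cheaper to administer, finer units let a per-object release policy be enforced.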

6.1.3 The degree to which an access control system supports the concept of least privilege

In addition to an access control mechanism’s reference mediation function, there are two other basic functions: a function to create subjects and associate these subjects with their users, and a function to associate a subject with a subset of attributes that are assigned to its user. Regardless of its implementation and the type of attributes that are deployed, reference mediation of an access control system constrains the subject and user’s requests to the capabilities that are associated with a subject’s attributes. Although a number of access control mechanisms associate a subject with each and every user attribute, in order for an access control mechanism to support the principle of least privilege, constraints must be placed on the attributes that are associated with a subject to further reduce the permissible capabilities. The organization specific least-privilege policy is described by specifying the rules composed by the basic access control elements: subjects, operations, and objects. The access control systems provide various specifying methods, which achieve different degrees of granularity, flexibility, and scope, and different groupings of the controlled resources for the least-privilege policies.

(NIST IR 7316, 2006, p. 37)

An operation represents a unit of control that can be referenced by an individual role that is subject to regulatory constraints within the RBAC framework. It is important to note the difference between a simple mode of access and an operation. An operation can be used to capture security-relevant details or constraints that cannot be determined by a simple mode of access [2]. These details can be in terms of both method and granularity of access.

(Ferraiolo, 1995, p. 3)

Bibliography

See Also
