Every access request involves two entities: a subject that is making the request and an object that is the target of the request. In this video, Mike Chapple explains the subject/object model of access control systems.
- [Mike] When security professionals discuss access control systems, we use some language that might be a little confusing to the newcomer. Let's talk a little bit about the language that we use to discuss authorization, the subject/object model. In an access request, the subject is the person, device, or application that is requesting access to a resource. We usually think of subjects as users, such as when a user requests access to a file stored on a server or attempts to log into a web-based system, but users aren't the only type of subject.
Devices may also be the subject of an access control request. For example, a digital sign in an office lobby might need to access the wireless network and might be authorized that access as a device. Applications may also be subjects. For example, an inventory tracking system may need to access information stored in a database. In that case, the inventory tracking application is making a request, so the application is the subject of the request.
The object of an access control request…
To join one of Mike's free study groups for access to bonus tips and practice questions, visit certmike.com.
- Identity and access management
- Using access cards and biometrics
- Multifactor authentication
- Password authentication protocols
- Device authentication
- Identity management life cycle
- Access control lists
Skill Level Intermediate
Q: This course was updated on 05/18/2018. What changed?
A: New videos were added that cover the subject/object model. In addition, the following topics were updated: registration and identity proofing, SSO and federation, and advanced authorization concepts.