1 00:00:06,570 --> 00:00:07,690 - [Instructor] Once authenticated, 2 00:00:07,690 --> 00:00:09,950 a subject must be authorized. 3 00:00:09,950 --> 00:00:11,610 Authorization is the process 4 00:00:11,610 --> 00:00:14,360 of assigning authenticated subject's permission 5 00:00:14,360 --> 00:00:16,660 to carry out a specific operation. 6 00:00:16,660 --> 00:00:18,450 The authorization model 7 00:00:18,450 --> 00:00:21,760 defines how access rates and permissions are granted. 8 00:00:21,760 --> 00:00:25,030 The three primary authorization models are 9 00:00:25,030 --> 00:00:29,420 object capability, security labels, and ACLS. 10 00:00:29,420 --> 00:00:32,349 Object capability is used programmatically 11 00:00:32,349 --> 00:00:35,330 and is based on a combination 12 00:00:35,330 --> 00:00:40,330 of unfordable reference and operational message. 13 00:00:40,710 --> 00:00:44,090 Security labels are mandatory access controls 14 00:00:44,090 --> 00:00:48,490 embedded in object and subject properties. 15 00:00:48,490 --> 00:00:50,249 Examples of security labels, 16 00:00:50,249 --> 00:00:52,140 based on its classification, 17 00:00:52,140 --> 00:00:55,720 are confidential, secret, and top secret. 18 00:00:55,720 --> 00:00:58,900 Access control lists, or ACLS, are used 19 00:00:58,900 --> 00:01:00,905 to determine access based on 20 00:01:00,905 --> 00:01:03,810 some combination of specific criteria, 21 00:01:03,810 --> 00:01:06,670 such as a user ID, group membership, 22 00:01:06,670 --> 00:01:10,111 classification, location, address, and date. 23 00:01:10,111 --> 00:01:12,280 Additionally, when granting access, 24 00:01:12,280 --> 00:01:14,650 the authorization process would check 25 00:01:14,650 --> 00:01:18,910 the permissions associated with the subject or object pair, 26 00:01:18,910 --> 00:01:22,710 so that the correct access right is provided. 27 00:01:22,710 --> 00:01:26,040 The object owner and management usually decide 28 00:01:26,040 --> 00:01:28,880 or give input on the permission 29 00:01:28,880 --> 00:01:30,670 and authorization policy 30 00:01:30,670 --> 00:01:33,550 that governs the authorization process. 31 00:01:33,550 --> 00:01:36,200 The authorization policy and rule 32 00:01:36,200 --> 00:01:39,910 should take various attributes into consideration, 33 00:01:39,910 --> 00:01:42,153 such as the identity of the subject, 34 00:01:42,153 --> 00:01:46,420 the location from where the subject is requesting access, 35 00:01:46,420 --> 00:01:49,060 the subject's role within the organization, 36 00:01:49,060 --> 00:01:50,760 and so on. 37 00:01:50,760 --> 00:01:52,380 Access control models, 38 00:01:52,380 --> 00:01:56,410 which are described in more detail later in this lesson, 39 00:01:56,410 --> 00:01:58,100 provide the framework 40 00:01:58,100 --> 00:02:01,088 for authorization policy implementation. 41 00:02:01,088 --> 00:02:05,610 An authorization policy should implement two concepts. 42 00:02:05,610 --> 00:02:07,160 Implicit deny, 43 00:02:07,160 --> 00:02:10,690 if no rule is specified for the transaction 44 00:02:10,690 --> 00:02:12,183 of the subject object, 45 00:02:12,183 --> 00:02:16,240 the authorization policy should deny the transaction. 46 00:02:16,240 --> 00:02:18,050 And need-to-know, 47 00:02:18,050 --> 00:02:21,090 where a subject should be granted access to an object 48 00:02:21,090 --> 00:02:22,944 only if the access is needed 49 00:02:22,944 --> 00:02:25,343 to carry out the job of the subject. 50 00:02:25,343 --> 00:02:28,860 You learned about the least privileged principle 51 00:02:28,860 --> 00:02:32,313 and need-to-know concepts earlier in this lesson.