!!! Overview

[{$pagename}] (or [Privilege Management]) is a process where an [Authoritative Entity] ([Trustor]) grants a [permission] to a [Trustee].

[{$pagename}] is typically implemented within an [Access Control Service].

[{$pagename}] is the process handling [Authorization] for [Access] to a [Resource].

[{$pagename}] is the process of determining [Authorization] of a [Permission].

[{$pagename}] is most concerned with controlling [access] to a [Protected Resource] and limiting [Risk].

The action of [{$pagename}] may be referred to as [Resource Provisioning].

[{$pagename}] may utilize an [Access Control List] ([ACL]).

[{$pagename}] may (and probably [SHOULD]) use a [Policy Based Management System].

!! [{$pagename}] Answers

[{$pagename}] decides "Who" ([Authentication]) can do "What" ([Resource Action]) on which [Resource]s. Or: which [Identity|Digital Identity] can do what ([Resource Action]) on a [Protected Resource].

!! [{$pagename}] Importance

[{$pagename}] is the __primary reason__ we perform all of the following activities:
* [Data Classification]
* [Identification]
* [Credential Enrollment]
* [Authentication]

[{$pagename}] essentially includes [authentication], [authorization] and [Auditing].

!! [{$pagename}] Process

[{$pagename}] is defined within an [Access Control Policy] and enforced by a [Policy Enforcement Point] based on the decision from the [Policy Decision Point], which has acquired information from a [Policy Retrieval Point] and [Policy Information Points].

!! [Logical Access Control]

The term [Logical Access Control] originated as the digital counterpart to [Physical Access Control].

!! [Access Control Models]

There are many [Access Control Models] for implementation of [{$pagename}].

!! [LDAP] [servers|DSA]

For an [LDAP] server, [{$pagename}] provides a mechanism for restricting who can get access to various kinds of [data] within the [DIT].
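The [{$pagename}] Process section above describes a [Policy Enforcement Point] asking a [Policy Decision Point] that draws on a [Policy Retrieval Point] and [Policy Information Points]. The following Python sketch, added here and not part of this page or of any [LDAP] server's code, models that flow with constructed sample data, using decision inputs of the kind a [DSA] considers (the authenticated [DN], [groups], whether the connection is secure, and the time of day). The names {{pdp_decide}}, {{pep_enforce}}, {{GROUP_PIP}} and {{POLICY}} are assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass
class AccessRequest:
    """What the Policy Enforcement Point sees: who, what, on which resource."""
    subject_dn: str          # DN as whom the client authenticated
    action: str              # resource action, e.g. "read" or "write"
    resource: str            # DN of the target entry
    secure_connection: bool  # is the client/server channel secured?
    when: time               # time of day of the attempt

# Policy Information Point: group membership lookup (constructed sample data).
GROUP_PIP = {
    "uid=alice,ou=People,dc=example,dc=com": {"cn=HR,ou=Groups,dc=example,dc=com"},
    "uid=bob,ou=People,dc=example,dc=com": set(),
}

# Policy Retrieval Point: rules loaded from the Access Control Policy
# (constructed sample policy; rules only permit, anything unmatched is denied).
POLICY = [
    {"group": "cn=HR,ou=Groups,dc=example,dc=com", "action": "write",
     "subtree": "ou=People,dc=example,dc=com", "require_tls": True,
     "hours": (time(8, 0), time(18, 0))},
    {"group": None, "action": "read",
     "subtree": "ou=People,dc=example,dc=com", "require_tls": False,
     "hours": None},
]

def pdp_decide(req: AccessRequest) -> bool:
    """Policy Decision Point: permit if any policy rule matches the request."""
    groups = GROUP_PIP.get(req.subject_dn, set())   # consult the PIP
    for rule in POLICY:
        if rule["action"] != req.action:
            continue
        in_subtree = (req.resource == rule["subtree"]
                      or req.resource.endswith("," + rule["subtree"]))
        if not in_subtree:
            continue
        if rule["group"] is not None and rule["group"] not in groups:
            continue
        if rule["require_tls"] and not req.secure_connection:
            continue
        if rule["hours"] and not (rule["hours"][0] <= req.when <= rule["hours"][1]):
            continue
        return True
    return False  # default deny: no rule granted the request

def pep_enforce(req: AccessRequest) -> str:
    """Policy Enforcement Point: turn the PDP decision into PERMIT or DENY."""
    return "PERMIT" if pdp_decide(req) else "DENY"
```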
The [{$pagename}] provider may be used to control a number of things, including:
* Whether or not a [DUA] can retrieve an [LDAP Entry] from the [DIT].
* Which [attributes] within the [LDAP Entry] the [DUA] is allowed to retrieve.
* Which values of an [attribute] the [DUA] is allowed to retrieve.
* The ways in which the [DUA] is able to manipulate the [DIB] for the directory.

A number of things can be taken into account when making [{$pagename}] decisions, including:
* The [DN] as whom the user is [authenticated].
* The [Authentication Method] by which the client [authenticated] to the [DSA].
* Any [groups] in which that user is a member.
* The contents of the authenticated [LDAP Entry].
* The contents of the [Target Resource] [LDAP Entry].
* The address of the [DUA] system.
* Whether or not the communication between the client and server is secure.
* The time of day and/or day of week of the attempt.

See the documentation for details on the [{$pagename}] syntax used by the [LDAP Server Implementation] vendor.

! [Privilege]

In addition to the [{$pagename}] subsystem, some implementations ([OpenDS] is one we are aware of) also provide a [Privilege Management Infrastructure] that can be used to control what a user will be allowed to do. One of the privileges available is the "{{bypass-acl}}" [privilege], which can be used to allow that [DUA] to bypass any restrictions that the [{$pagename}] subsystem would otherwise enforce.

!! [Internet Security Glossary] ([RFC 4949])

[{$pagename}] is:
1. Protection of system [resources] against [unauthorized] [access].
2. (I) A process by which use of system resources is regulated according to a security [policy|Access Control Policy] and is permitted only by authorized [entities] (users, programs, processes, or other systems) according to that [policy]. (See: access, access control service, computer security, [Discretionary Access Control], [Mandatory Access Control], [Role Based Access Control].)
3. (I) /formal model/ Limitations on interactions between subjects and objects in an information system.
4. (O) "The [prevention] of unauthorized use of a resource, including the [prevention] of use of a [resource] in an unauthorized manner." [I7498-2]
5. (O) /U.S. Government/ A system using physical, electronic, or human controls to [identify] or admit personnel with properly authorized access to a SCIF.

!! [WEB Access Management]

[WEB Access Management] products are [{$pagename}] products specific to [WEB|WWW] [{$pagename}].

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]

----
[#1] Loosely adapted from [http://en.wikipedia.org/wiki/Access_control] - 2012-09-30