
Applications must enforce non-discretionary access control policies over users and resources where the policy rule set for each policy specifies: access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day).


Overview

Finding ID: V-26748
Version: SRG-APP-000035
Rule ID: SV-33996r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Access control policies (e.g., identity-based, role-based, and attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). Non-discretionary access controls are controls determined by policy makers, managed centrally or by a central authority, and not changeable at the discretion of ordinary application users. Data protection requirements may result in a non-discretionary access control policy being specified as part of the application design. Non-discretionary access controls are employed at the application level to restrict and control access to application data, thereby providing increased information security for the organization.

Policy rule sets are developed to establish that each user receives only the information to which the user is authorized. The policy rule set specifies that each application user account is assigned attributes such as position, nationality, age, project, time of day, etc., and that access decisions are derived from those attributes rather than from permissions a user grants at will. Applications must enforce these non-discretionary access control policies over application users and resources.
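As an added illustration of the rule set this description calls for (example code written for this page, not from DISA, this SRG, or any STIG tool), the following Python module evaluates an attribute-based policy centrally and denies by default. The attribute names, the position ranking, the sample users and the resource labels are all constructed for the example; the point is that the rule set lives in one place the application owns and that ordinary users only ever reach it through authorize().

```python
"""Minimal non-discretionary (attribute-based) access control check.

Added example; the attributes, ranks and sample data below are constructed
for illustration and are not taken from any STIG or real system.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, List, Tuple

# Positions ranked by the central policy maker: a higher rank may read
# anything a lower rank may read. (Constructed ranking.)
POSITION_RANK = {"analyst": 1, "lead": 2, "director": 3}


@dataclass(frozen=True)
class Subject:
    """Attributes assigned to a user account by the central authority."""
    user: str
    position: str
    nationality: str
    projects: frozenset


@dataclass(frozen=True)
class Resource:
    """Attributes (labels) of a protected object."""
    name: str
    project: str
    releasable_to: frozenset          # nationalities permitted to read
    min_position: str                 # lowest position allowed to read
    window: Tuple[time, time]         # inclusive time-of-day access window


Rule = Callable[[Subject, Resource, time], bool]


def rule_project(s: Subject, r: Resource, now: time) -> bool:
    return r.project in s.projects


def rule_nationality(s: Subject, r: Resource, now: time) -> bool:
    return s.nationality in r.releasable_to


def rule_position(s: Subject, r: Resource, now: time) -> bool:
    # Unknown positions rank 0 and therefore never satisfy the rule.
    return POSITION_RANK.get(s.position, 0) >= POSITION_RANK[r.min_position]


def rule_time_of_day(s: Subject, r: Resource, now: time) -> bool:
    start, end = r.window
    return start <= now <= end


# The policy rule set. It is fixed at deployment time by the policy maker and
# is not reachable from any user-facing interface: callers get authorize() only.
POLICY: Tuple[Tuple[str, Rule], ...] = (
    ("project", rule_project),
    ("nationality", rule_nationality),
    ("position", rule_position),
    ("time_of_day", rule_time_of_day),
)


def authorize(subject: Subject, resource: Resource, now: time) -> Tuple[bool, List[str]]:
    """Deny by default: every rule in POLICY must hold.

    Returns (allowed, names_of_failed_rules) so the failure can be logged
    without the subject being able to influence the decision.
    """
    failed = [name for name, rule in POLICY if not rule(subject, resource, now)]
    return (not failed, failed)


def at(hour: int, minute: int = 0) -> time:
    """Convenience constructor for a time-of-day context value."""
    return time(hour, minute)


# Constructed sample accounts and one labelled resource.
ALICE = Subject("alice", "lead", "US", frozenset({"orion"}))
BOB = Subject("bob", "analyst", "CA", frozenset({"orion", "vega"}))
ORION_PLAN = Resource("orion-plan.pdf", "orion", frozenset({"US", "UK"}),
                      "lead", (at(8), at(18)))


if __name__ == "__main__":
    for subj, when in ((ALICE, at(10)), (ALICE, at(22)), (BOB, at(10))):
        allowed, failed = authorize(subj, ORION_PLAN, when)
        verdict = "ALLOW" if allowed else "DENY " + ",".join(failed)
        print(f"{subj.user:6} {ORION_PLAN.name} at {when}: {verdict}")
```

Because the decision is the conjunction of every rule in POLICY, adding a new attribute (age, clearance, network of origin) is a one-line change to the central rule set and never a change any user can make to their own record; the frozen dataclasses keep the attribute values read-only once the central authority has assigned them.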
STIG: Application Security Requirements Guide
Date: 2011-12-28

Details

Check Text (None)
None
Fix Text (None)
None