Subjects in Access Control
Introduction
In Access Control, a subject is any active entity that requests access to a resource (object). Understanding subjects is essential because every access decision starts with a subject trying to perform an action.
Subject = who is requesting access
Subjects work together with:
- Objects: what is being accessed (files, database, system)
- Access Rights: what action is allowed (read, write, execute)
Meaning of Subject
A subject is an active entity (user or process) that:
- Initiates a request
- Performs actions on system resources
- Operates on behalf of a user or system
Subjects are always "active" components in a system.
Types of Subjects in Access Control
1. Human Users
Description
Real individuals who interact with the system.
Examples
- Students
- Employees
- System administrators
Characteristics
- Identified using user IDs
- Authenticated via passwords, biometrics, etc.
2. Processes
Description
Programs or applications running on behalf of a user.
Examples
- Web browser
- Database management system
- Background services
A process inherits the permissions of the user who started it.
3. Devices
Description
Hardware entities that request access to network or system resources.
Examples
- Computers
- Smartphones
- IoT devices
Use Case
Device authentication in network security
4. Programs / Applications
Description
Software entities that perform tasks and access data.
Examples
- ERP software
- Email applications
- Banking apps
Programs act as subjects when accessing system resources.
5. System-Level Subjects
Description
Internal system components with special privileges.
Examples
- Operating system kernel
- System services (daemon processes)
These usually have higher privileges.
Subjects vs Objects
| Feature | Subject | Object |
|---|---|---|
| Nature | Active | Passive |
| Role | Requests access | Resource being accessed |
| Example | User, Process | File, Database |
Subjects act on objects.
Access Rights Associated with Subjects
Subjects can perform different actions on objects:
- Read (R): view data
- Write (W): modify data
- Execute (X): run programs
- Delete (D): remove data
Subject Attributes
Each subject has attributes that define access control decisions:
- User ID
- Role (Admin, User, Guest)
- Clearance level
- Group membership
- Authentication status
These attributes are used in Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
Role of Subjects in Access Control Models
1. DAC (Discretionary Access Control)
- Owner decides access for subjects
2. MAC (Mandatory Access Control)
- Access based on security labels (clearance level)
3. RBAC (Role-Based Access Control)
- Subjects assigned roles (e.g., Manager, Student)
Subjects and Security Principles
- Least Privilege: subjects get the minimum access needed
- Need-to-Know: subjects access only the data they require
- Accountability: actions are traced back to subjects
Subjects and CIA Triad
- Confidentiality: only authorized subjects access data
- Integrity: subjects cannot modify data illegally
- Availability: authorized subjects get timely access
Real-Life Example
In a college system:
- Subject: Student
- Object: Result database
- Access: Read only
In a banking system:
- Subject: Teller
- Object: Customer account
- Access: Read/Write
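The access rights, subject attributes and model rules described above, together with the college and banking scenarios, as one runnable policy-decision example. This is added code, not from the original article: the clearance scale, the role table, the ACL entries and the subject and resource names are constructed sample data, and the ordering "MAC must pass first, then either a DAC grant or an RBAC grant is sufficient" is an assumption made here to combine the three models in a single decision function. Every decision is appended to an audit log keyed by the subject's user ID, which is the accountability principle in practice.

```python
"""Toy access-control decision point built from the page's concepts.

Added example, not from the original article. All subjects, objects,
roles, clearance levels and ACL entries below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum

# Access rights listed on the page
READ, WRITE, EXECUTE, DELETE = "R", "W", "X", "D"


class Clearance(IntEnum):
    """MAC security labels; a higher value dominates a lower one (constructed scale)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


@dataclass
class Subject:
    """Active entity carrying the attributes the page lists."""
    user_id: str
    roles: frozenset
    clearance: Clearance
    groups: frozenset = frozenset()
    authenticated: bool = False


@dataclass
class Resource:
    """Passive entity (object) with an owner, a MAC label and a DAC ACL."""
    name: str
    owner: str
    label: Clearance
    acl: dict = field(default_factory=dict)  # user_id or "group:<name>" -> set of rights


# RBAC: role -> resource name -> rights (constructed)
ROLE_PERMISSIONS = {
    "student": {"result_db": {READ}},
    "teller": {"customer_account": {READ, WRITE}},
    "admin": {"result_db": {READ, WRITE, DELETE}},
}

AUDIT_LOG = []  # accountability: every decision is traced to a subject


def _dac_rights(subject, resource):
    """Discretionary layer: the owner holds every right; others get what the ACL grants."""
    if subject.user_id == resource.owner:
        return {READ, WRITE, EXECUTE, DELETE}
    rights = set(resource.acl.get(subject.user_id, set()))
    for group in subject.groups:
        rights |= resource.acl.get(f"group:{group}", set())
    return rights


def _rbac_rights(subject, resource):
    """Role layer: union of the rights granted to each role the subject holds."""
    rights = set()
    for role in subject.roles:
        rights |= ROLE_PERMISSIONS.get(role, {}).get(resource.name, set())
    return rights


def decide(subject, resource, action):
    """Return (allowed, reason). MAC is mandatory; DAC or RBAC must then grant the action."""
    if not subject.authenticated:
        reason = "deny: subject not authenticated"
    elif subject.clearance < resource.label:
        # MAC: a subject may not touch an object labelled above its clearance
        reason = "deny: MAC clearance below object label"
    elif action in _dac_rights(subject, resource):
        reason = "allow: DAC"
    elif action in _rbac_rights(subject, resource):
        reason = "allow: RBAC"
    else:
        reason = "deny: no DAC or RBAC grant (least privilege)"
    AUDIT_LOG.append((subject.user_id, resource.name, action, reason))
    return reason.startswith("allow"), reason


# Constructed sample data mirroring the page's college and banking examples
RESULT_DB = Resource("result_db", owner="exam_office", label=Clearance.INTERNAL,
                     acl={"group:faculty": {READ, WRITE}})
ACCOUNT = Resource("customer_account", owner="bank_core", label=Clearance.CONFIDENTIAL)

STUDENT = Subject("s1001", frozenset({"student"}), Clearance.INTERNAL, authenticated=True)
TELLER = Subject("t42", frozenset({"teller"}), Clearance.CONFIDENTIAL, authenticated=True)
FACULTY = Subject("f7", frozenset(), Clearance.INTERNAL, groups=frozenset({"faculty"}),
                  authenticated=True)
GUEST = Subject("guest", frozenset(), Clearance.PUBLIC, authenticated=False)

if __name__ == "__main__":
    for subj, res, act in [(STUDENT, RESULT_DB, READ), (STUDENT, RESULT_DB, WRITE),
                           (TELLER, ACCOUNT, WRITE), (STUDENT, ACCOUNT, READ),
                           (FACULTY, RESULT_DB, WRITE), (GUEST, RESULT_DB, READ)]:
        print(subj.user_id, res.name, act, decide(subj, res, act))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The student reaches the result database read-only through the RBAC role table, the teller gets read/write on the account through the teller role, a faculty member gets write access through a group entry in the owner-maintained ACL (DAC), and the student is stopped by the MAC label before any discretionary rule is consulted. Because the audit log records the user ID on every decision, denied attempts are visible as well as allowed ones.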
Subjects in Cyber Law (India)
Under the IT Act, 2000:
- Unauthorized subject access: Section 43
- Identity misuse: Section 66
Proper subject identification and authentication are therefore legally important.
Advantages of Proper Subject Management
- Prevents unauthorized access
- Enhances accountability
- Improves system security
- Supports audit and compliance
Conclusion
Subjects are the core entities in access control systems, as they initiate all access requests. Proper identification, authentication, and authorization of subjects ensure secure interaction with system resources. Understanding subjects is essential for implementing effective access control models and maintaining information security.
