Access rights are usually granted by a system administrator and assigned on the basis of input from someone in the company who knows the tasks of each user well enough. This ensures that employees can do their jobs without being blocked by missing permissions. Enforcement and updates are usually carried out automatically by the operating system or a security kernel: when a user tries to access data, the system either grants access or denies the request. Because the decision is made by the system rather than left to the user, this kind of automated enforcement is the best way to prevent tampering.
Decisions about access rights are usually made based on the following factors:
- Users and processes
- Objects: the resources that are being accessed
- Rules and properties: categorizations, labels, and code words
Mandatory Access Control uses a hierarchical approach: each object in a file system is assigned a security level based on the sensitivity of its data. Examples of security levels include “confidential” and “top secret”. Users and devices are ranked in the same way. When a user tries to access a resource, the system automatically checks whether or not they are allowed access. Additionally, all users and information are assigned a category, which is also checked when a user requests access. Users must satisfy both criteria, security level and category, in order to access data.
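As an added example (not code from the original article), the following Python reference-monitor check encodes both criteria the text describes: the subject's level must be at least the object's level, and the subject must hold every category the object carries. The level names and the `LEVEL:{CAT,...}` label syntax are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Tuple

# Hierarchical security levels (assumed names); a higher number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: one hierarchical level plus a set of categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown security level: {self.level!r}")


def parse_label(text: str) -> Label:
    """Parse an assumed 'SECRET:{CRYPTO,NUCLEAR}' or plain 'SECRET' syntax."""
    level, _, cats = text.partition(":")
    body = cats.strip("{} ")
    names = body.split(",") if body else []
    return Label(level.strip(), frozenset(n.strip() for n in names))


def dominates(subject: Label, obj: Label) -> bool:
    """True when the subject's clearance covers the object's label:
    level at least as high AND every object category held by the subject."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.categories <= subject.categories)


def check_access(subject: Label, obj: Label) -> Tuple[bool, str]:
    """Access decision plus a reason string suitable for an audit log."""
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return False, f"level {subject.level} below {obj.level}"
    missing = obj.categories - subject.categories
    if missing:
        return False, "missing categories: " + ",".join(sorted(missing))
    return True, "subject label dominates object label"


if __name__ == "__main__":
    # Constructed sample: a user cleared SECRET for the CRYPTO category only.
    user = parse_label("SECRET:{CRYPTO}")
    for name in ("CONFIDENTIAL", "SECRET:{CRYPTO}",
                 "SECRET:{CRYPTO,NUCLEAR}", "TOP SECRET:{CRYPTO}"):
        allowed, reason = check_access(user, parse_label(name))
        print(f"{name:26} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Note that a higher level alone is not enough: the SECRET user is denied the SECRET object tagged NUCLEAR because the category check fails independently of the level check.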