What is access control matrix?

Okay, here's another test for you:

You are examining an access control matrix for your organization. Which entity corresponds to a row in this matrix?

A. object.
B. subject.
C. capability.
D. access control list.

I say B but won't bother explaining it for now. What say you?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

gespenstern

Not so fast, Cyber Guy!

You'd be surprised if you heard what this test question author thinks about what answer is correct and his/her explanation on this which I plan to uncover a little later. Let's hear other voices first...

nk_vn

This question has tripped me twice until now. Here is how I understand the Access Control Matrix in the context of this question:

It is a two-dimensional table. It is supposed to represent a list of subjects and their respective rights to objects. It is supposed to be simple - subjects as rows, objects as columns, intersection represents the respective right. Unfortunately it is not that simple. It would be, if it is supposed to represent one single capability (read, for example). Since multiple rights need to be represented for every single subject, actual single rows end up being capabilities for the particular subject of this group of rows.

Something like this:

As you can see, every row ends up being a capability. Subjects are represented by groups of rows (capabilities).

ACMatrix.png

gespenstern

nk_vn wrote: »

As you can see, every row ends up being a capability. Subjects are represented by groups of rows (capabilities).

Thank you very much for your insight. I didn't think about it that way, so I admit, your explanation fits well and is probably the correct answer to this question.

However, such table structure is something new to me and when I was thinking on this question I had something in my mind very similar to what we can find in wiki article "access control matrix":

https://en.wikipedia.org/wiki/Access_Control_Matrix

Still, I believe it can be argued that, even in a type of ACM table that we can see in wiki article, it still holds true and entire row should be perceived as capability. And it really is, because a subject combined with all of its rights to all objects in a system is a capability.

I admit that it is a VERY tricky question and the catch here is wording, because typically we refer to rows in almost any table that we deal with on everyday basis as to what's written in table's first column. For example:

Screen-Shot-2014-02-27-at-14.44.03-600x411.png

Screen-Shot-2014-02-27-at-14.44.03-600x411.png

What would average Joe say about rows in this table? In majority of cases majority of people would refer to a row here as an operating system.

Unfortunately, it looks like in access control matrix table cases wording doesn't exactly follow common sense and defines rows differently and any CISSP wannabe should be aware of this.

I bet that A LOT of people do this question wrong, just like I did.

Thanks again, nk_vn!