Group vs Role Management

I'm studying to take the Sec+ within the next few weeks and almost done reading through All-in-one Sec+ (book is ok but a little dull in presentation).

In the section on priviledge management, it starts out talking about user, group, and role management. I understand users / groups, and I understand MAC, DAC, RBAC, etc.

I'm just curious based on the wording in the book - is there a difference in groups and roles? Personally, I don't see much of a difference. Roles are really just groups. I suppose some groups could be formed that are not roles, but to me I see little difference in these two concepts.

Hope to take the exam in a couple weeks or so! I would like to find some practice tests but haven't found any really. There are some flash cards (about 750) online that I found but that's about it.

Find more posts tagged with

Comments

Unforg1ven

In general, groups are usually going to be referenced to a ACL on a system(LDAP services). Use that group to assign like permissions, restrictions etc...

A Role will reference more of the logical model of RBAC. Group those roles together for say each job department.

Keep in mind the RBAC, MAC, and DAC are used for more theoretical understanding of such models. As long as you get the concepts, you're in the clear.

superman859

Here is a question related to ACL I ran across on a flashcard site but got wrong.

Question: Which of the following allows a file to have different security permissions for users that have the same roles or user groups?

A. MAC
B. Role-Based AC
C. DAC
D. Rule-Based AC

I chose D but got it wrong. The correct answer was C. What I don't understand is how we would configure this. If the users have the same roles / groups, how can we give them different access rights using DAC? DAC is typically based on owner, groups, and world - But the only way to give different rights is if one is the owner of the file - otherwise they all fall in the same group so changing group permissions will change it for all of them - similar for world.

af_jimbo

superman859 wrote: »

Here is a question related to ACL I ran across on a flashcard site but got wrong.

Question: Which of the following allows a file to have different security permissions for users that have the same roles or user groups?

A. MAC
B. Role-Based AC
C. DAC
D. Rule-Based AC

I chose D but got it wrong. The correct answer was C. What I don't understand is how we would configure this. If the users have the same roles / groups, how can we give them different access rights using DAC? DAC is typically based on owner, groups, and world - But the only way to give different rights is if one is the owner of the file - otherwise they all fall in the same group so changing group permissions will change it for all of them - similar for world.

Sorry this if my first post here, but if you use Active Directory which is a DAC system, you, as the owner, can take out specific people or add people to the file directly, or groups.

superman859

af_jimbo wrote: »

Sorry this if my first post here, but if you use Active Directory which is a DAC system, you, as the owner, can take out specific people or add people to the file directly, or groups.

Good to know. AD is one of those things I've read about but never used (well, managed...I suppose I've been an end user). Perhaps it's time to play with it myself.

erpadmin

superman859 wrote: »

Good to know. AD is one of those things I've read about but never used (well, managed...I suppose I've been an end user). Perhaps it's time to play with it myself.

AD/and MS client O/Ses used in workgroup settings do use the DAC model.

In a workgroup, if I have a file that I keep in a folder I share, but you don't have access to it, I have to give you that access since I'm the owner. That's the discretionary part....it's at the owner's discretion to give folks access they need.

DAC, RBAC, MAC sound scary, but once you get the concepts of each (which Darril Gibson's Get Certified Get Ahead book did a good job of that) you will be good to go as was said earlier.

Unforg1ven

I personally had little to no questions regarding the 3 models. BUT, you should know it regardless