Talk:Lattice-based access control

From Wikipedia, the free encyclopedia

Contradiction with article on RBAC?

The article on Lattice-based access control currently claims:

LBAC is known as a more specific set of access control restrictions and is more general than Role-Based Access Control.

At the same time, the article on Role-Based Access Control claims:

With the concepts of role hierarchy and constraints, one can control RBAC to create or simulate Lattice-Based Access Control (LBAC). Thus RBAC can be considered a superset of LBAC.

So, which way is it? (Or are RBAC and LBAC equivalent/isomorphic?) — Tobias Bergemann 12:09, 14 June 2007 (UTC)

I think the LBAC article not only contradicts the RBAC article, but also contradicts itself. It says LBAC is both more specific and more general -- which is it? I think it should say "less general than RBAC", which would make it both self-consistent and consistent with the RBAC article. I'm trying to get access to the relevant ACM research paper to compare. If anyone has an ACM Library subscription, could you please read http://portal.acm.org/citation.cfm?id=354876.35487 and then fix the article accordingly?

Remove LBAC

LBAC is NOT a formal access control model. DD's original paper does not describe it as a model; she uses the word "model" in the title, but that is all. Her paper is a description of how data labeled at one level should only flow in one direction, and since data flows, covert channels must be addressed. She makes a point to say information flows via covert channels are a big security issue. Her statement is further supported by the TCSEC / Orange Book, which talks about covert channel analysis at the B level. A lattice is a directed graph; it describes flow from one state to another and never backward. It is not a true model. It does not differ from RBAC; it should not be compared to RBAC.

--(ISC)2 CISSP Subject Matter Expert (talk) 20:45, 3 April 2008 (UTC)
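The following is an added worked example for both threads above (the generality question in the first section and the one-directional-flow point in the second); it is not text from either commenter, from the LBAC article or from the RBAC article. It builds a small lattice of labels of the form (level, set of compartments), checks that the labels really form a lattice (join is a least upper bound), enforces upward-only flow (a subject reads only labels it dominates and writes only to labels that dominate it), and then reproduces exactly the same decisions with an RBAC role hierarchy plus one constraint, in the spirit of the sentence quoted from the RBAC article. The level names, compartments, role naming and the per-session constraint are this example's own assumptions, not anything taken from the articles.

```python
"""Lattice-based access control versus an RBAC simulation of it.

Added illustration for the talk-page discussion; the labels, levels,
compartments and role names below are assumptions made for the example.
"""
from itertools import combinations, product

# A label is (level, frozenset of compartments).  Levels are totally ordered,
# compartment sets are ordered by inclusion; the product is a lattice.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}
COMPARTMENTS = ("CRYPTO", "NUC")


def all_labels():
    """Every (level, compartment-set) pair: 3 levels x 4 subsets = 12 labels."""
    for level in LEVELS:
        for k in range(len(COMPARTMENTS) + 1):
            for comb in combinations(COMPARTMENTS, k):
                yield (level, frozenset(comb))


def dominates(a, b):
    """True iff a >= b in the lattice, i.e. data at b may flow to a."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and ca >= cb


def join(a, b):
    """Least upper bound: highest level, union of compartments."""
    (la, ca), (lb, cb) = a, b
    return (max(la, lb, key=LEVELS.get), ca | cb)


def meet(a, b):
    """Greatest lower bound: lowest level, intersection of compartments."""
    (la, ca), (lb, cb) = a, b
    return (min(la, lb, key=LEVELS.get), ca & cb)


def join_is_least_upper_bound():
    """Check the lattice property: join(a, b) dominates both a and b, and
    every other common upper bound dominates join(a, b)."""
    labels = list(all_labels())
    for a, b in product(labels, repeat=2):
        j = join(a, b)
        if not (dominates(j, a) and dominates(j, b)):
            return False
        if any(dominates(u, a) and dominates(u, b) and not dominates(u, j)
               for u in labels):
            return False
    return True


def lbac_allows(subject, obj, op):
    """Flow goes upward only: read requires subject >= object,
    write requires object >= subject (never backward down the lattice)."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(op)


# --- RBAC simulation of the same policy ------------------------------------
# One read role ("R", L) and one write role ("W", L) per label L.
# Hierarchy: ("R", hi) is senior to ("R", lo) whenever hi >= lo, so reading is
# inherited downward in the lattice; ("W", lo) is senior to ("W", hi) whenever
# hi >= lo, the inverse order, so writing is inherited upward.
# Constraint: a session may activate only the pair ("R", L), ("W", L).

def build_rbac():
    labels = list(all_labels())
    direct = {}     # role -> permissions assigned directly
    juniors = {}    # role -> roles it directly inherits from
    for L in labels:
        direct[("R", L)] = {(L, "read")}
        direct[("W", L)] = {(L, "write")}
    for hi, lo in product(labels, repeat=2):
        if hi != lo and dominates(hi, lo):
            juniors.setdefault(("R", hi), set()).add(("R", lo))
            juniors.setdefault(("W", lo), set()).add(("W", hi))
    return direct, juniors


def effective_perms(role, direct, juniors):
    """Permissions of a role plus everything reachable via the hierarchy."""
    seen, stack, perms = set(), [role], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= direct.get(r, set())
        stack.extend(juniors.get(r, ()))
    return perms


def rbac_allows(subject, obj, op, direct, juniors):
    active = [("R", subject), ("W", subject)]   # the session constraint
    return any((obj, op) in effective_perms(r, direct, juniors) for r in active)


def rbac_matches_lbac():
    """True iff the RBAC construction decides every request exactly as LBAC."""
    direct, juniors = build_rbac()
    labels = list(all_labels())
    return all(lbac_allows(s, o, op) == rbac_allows(s, o, op, direct, juniors)
               for s, o, op in product(labels, labels, ("read", "write")))


if __name__ == "__main__":
    print("labels:", len(list(all_labels())))
    print("join is a least upper bound:", join_is_least_upper_bound())
    print("RBAC simulation matches LBAC:", rbac_matches_lbac())
```

The interesting part for the "which is more general" question is that the simulation needs both a role hierarchy and a constraint on which roles a session may activate together; with neither, plain RBAC cannot express the inverted write ordering, and with them it reproduces every LBAC decision over the 12 labels here.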