Chapter 17: Protection: Access Matrix, Role-Based Access Control, and MAC
This audio and summary are simplified educational interpretations and are not a substitute for the original text.
This chapter begins with a formal model of protection, defining objects (resources) and domains (sets of access rights) and explaining how the access matrix represents the permissions subjects hold on objects. The chapter discusses how this matrix can be implemented through access control lists (ACLs), capability lists, and other mechanisms, weighing their advantages and disadvantages. Domain switching, copy rights, and the concept of the “owner” of an object are explained as ways to manage and delegate authority. The principle of least privilege is emphasized: processes and users should be granted only the access necessary for their tasks. The chapter explores protection in modern systems, including role-based access control (RBAC) and the integration of protection with authentication and auditing. Revocation of access rights and safe sharing strategies are presented alongside hardware and software enforcement techniques. Case studies from UNIX and Windows illustrate how protection mechanisms are implemented in practice, from file permissions and user groups to advanced security descriptors. By the end, readers understand how protection is both a theoretical model and a practical framework for safeguarding operating systems from misuse and compromise.
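
The access matrix ideas summarized above, as an added example that is not taken from the chapter: one sparse matrix read by column (an ACL) and by row (a capability list), with copy rights, owner-controlled revocation, and domain switching. The domain and object names (`D1`, `F1`), the trailing `*` for the copy flag, and the choice of the limited-copy variant are assumptions made for illustration.

```python
from collections import defaultdict

class AccessMatrix:
    """Sparse access matrix: cell (domain, object) -> set of rights.
    A trailing '*' marks a right held with the copy flag (assumed notation)."""

    def __init__(self):
        self.cells = defaultdict(set)

    def grant(self, domain, obj, *rights):
        self.cells[(domain, obj)].update(rights)

    def allowed(self, domain, obj, right):
        held = self.cells.get((domain, obj), set())
        return right in held or right + "*" in held

    def acl(self, obj):
        """Column view: what an ACL stored with the object would hold."""
        return {d: set(r) for (d, o), r in self.cells.items() if o == obj and r}

    def capabilities(self, domain):
        """Row view: what a capability list held by the domain would contain."""
        return {o: set(r) for (d, o), r in self.cells.items() if d == domain and r}

    def copy_right(self, src, dst, obj, right):
        """Limited copy: src must hold right*, dst receives it without the flag."""
        if right + "*" not in self.cells.get((src, obj), set()):
            raise PermissionError(f"{src} cannot copy {right} on {obj}")
        self.cells[(dst, obj)].add(right)

    def revoke(self, actor, target, obj, right):
        """Only a domain holding 'owner' on obj may edit that object's column."""
        if not self.allowed(actor, obj, "owner"):
            raise PermissionError(f"{actor} does not own {obj}")
        self.cells[(target, obj)] -= {right, right + "*"}

    def switch(self, current, target):
        """Domain switching: domains are objects too and need a 'switch' right."""
        if not self.allowed(current, target, "switch"):
            raise PermissionError(f"{current} may not switch to {target}")
        return target

def demo():
    m = AccessMatrix()                       # constructed sample matrix
    m.grant("D1", "F1", "owner", "read*", "write")
    m.grant("D2", "F2", "execute")
    m.grant("D2", "D1", "switch")            # D2 may enter D1, not the reverse
    m.copy_right("D1", "D2", "F1", "read")   # D2 gets plain read, cannot re-copy
    return m
```

Because the copied right arrives without the flag, delegation stops after one hop, and the owner of `F1` can revoke it by editing a single column.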