>> The second A in the AAA model refers to authorization.
>> AAA模型中的第二个A为授权。
All right, the user has gone through identificationto say he is someone and authentication to prove it.
好的,用户已经通过身份验证来证明他是某个人,并通过身份验证来证明这一点。
Now what? Do we let him see anything he wants?
现在怎么办呢?我们让他看他想看的东西吗?
Do we let him do anything he wants?
我们会让他为所欲为吗?
Authorization means that based on the user's credentials, we let him do certain things,we let him see certain things but not others.
授权意味着基于用户的凭证,我们允许他做某些事情,我们允许他看到某些事情,但不允许他看到其他事情。
This is tied into the principle of least privilege, which states users and even devices,programs, and processes should be granted enough permissionsto do their required functions and not a single drop more.
这与最小特权原则有关,最小特权原则指出,用户甚至设备、程序和进程都应该获得足够的权限来执行其所需的功能,而不是再增加一个权限。
Any authorization beyond normal job functions opens the door for either accidentalor malicious violations of confidentiality, integrity, and availability.
任何超出正常作业功能的授权都可能导致机密性、完整性和可用性的意外或恶意违反。
This is specifically why the recommendation is to never use an administrator or a root accounton a system but rather an account with limited privileges.
这就是为什么建议永远不要在系统上使用管理员或根帐户,而应该使用权限有限的帐户。
If your system gets infected with malware, it will run with the privileges of the user.
如果您的系统被恶意软件感染,它将以用户的权限运行。
Your account is granting authorization beyond that principle of least privilege.
您的帐户授予的授权超出了最小特权原则。
Of course, you can escalate your privileges when necessaryor even use temporarily an administrator account,but this way, at least, it's not constant.
当然,您可以在必要时升级您的权限,甚至可以临时使用管理员帐户,但至少在这种方式下,它不是常量。
转载于:https://www.cnblogs.com/sec875/articles/10299688.html
相关资源:Cloud.Computing.Security.Foundations.and.Challenges