
Types of Permissions: Data Visibility and Inherited Permissions

In this video, you will learn about the different types of permissions, specifically data visibility and inherited permissions.
So just talking about some of the different types of permissions that we have that we may want to secure, we have data visibility. And this is different to accessibility. With data visibility, we are talking here about whether or not users can see information. So this sort of references data hiding. What we can do is hide files and folders from users so that they can’t even see them. Not only can they not read the documents, they do not know that they exist. We can also extend this to application interfaces. And we can start to hide elements of the application interface, depending on the level of privilege that the successfully authenticated user has.
So if the user has low levels of privilege, they actually don’t see some of the functions appear within their interface. So not only can they not use them, not only are they greyed out, they actually don’t even see them appear. What we are talking about is that more granular level of access. And typically we think about things like read, write, and the ability to list or enumerate a collection of objects. Actually, the granular permissions go into a much, much deeper array of elements. Within Active Directory or file permissions, you will see there are many, many different options. It’s not just read, write, full control or read, write, and list.
And we need to consider how we manage these across an organization. We’ll look in a few slides’ time at the different approaches we have to that. So with data visibility we can use data hiding and encapsulation programmatically to actually hide data within an application to individual processes. So here what we can take is a collection of data. Typically, this relates to something like object-orientated programming, where we’re taking data and we’re isolating it within particular functions, within particular objects. And this paradigm can extend out into the different processes that run within an application. So here, we’re saying that individual processes may not have all of the information that the wider application has – that we contain sensitive information within specific processes.
So this is called encapsulation. We also, within most modern operating systems, have much improved memory isolation. In the 1980s, with 8-bit computing, you were able to examine other areas of memory. You were able to read any part of a very flat memory structure. Now, you could use commands like PEEK or POKE to read (using the PEEK command) and then to change the memory areas (using the POKE command). Now, if there’s sensitive information stored within these memory areas, this becomes problematic for us. Operating systems now isolate memory. And, again, individual processes may have no access to the information stored by other processes. This is a very strong paradigm.
Operating systems also serve to randomize the utilization of the memory in modern operating systems so that the storage of things like password information is not in a predictable part of memory – that it changes the part of memory that’s used. Inherited permissions are used by some forms of access control. So this is typically used through things like access control lists. If you see file permissions or, in Active Directory, the use of security groups, you can start to see people inheriting permissions to files, to databases. And this can be a very powerful way of managing large groups of users, but also– so this grants us flexibility to manage, easily grant and revoke permissions to groups of identities at a time.
And so we can cascade these through inheritance. So if you are a part of domain users, then you could be added to the telephone services list or to a particular application list. What we do want to make sure though is that this is managed carefully. Because with inherited permissions, it is very simple to start to see privilege creep through people inheriting incorrect or elevated privileges. And what’s interesting is if you don’t have enough privileges to perform your job, day-to-day in an office, you will report this to the service desk. If you have too many privileges, you are unlikely to report it, for two reasons. Firstly, you may not know that you have too many privileges until something goes wrong.
And you see this with things like ransomware, where people are suddenly able to encrypt lots of sensitive data across a network. At that point, you realize that that individual user had access to too much. We also may not receive a report because somebody realizes that they have too many permissions, but actually they don’t want to report that. They like having those excessive permissions. So this can be a very difficult thing to manage well. There are tools though, like the resultant set of permissions tools, that allow us to examine the ultimate outcome. If we have nested memberships of groups, it can be difficult to establish what the ultimate outcome for an individual user is.
And so there are tools that help us establish that. Very complex, and, although this is conceptually simple, this is something we need to manage very well to ensure ongoing security.

Data visibility refers to whether certain files, information or functionality are visible or invisible to specific users. Inherited permissions, on the other hand, are permissions that are predefined by a higher-order set of permissions.
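The nested-membership problem described in the video, as an added example that is not part of the course material: a small resolver that walks nested groups to compute a user's resultant permissions and reports any rights beyond a role baseline, together with the chain of groups that grants each one. The users, groups, ACLs and function names are constructed for illustration, and only allow entries are modelled.

```python
from collections import deque

# Constructed sample data (not from the course): who is a member of what.
MEMBER_OF = {
    "alice": ["Domain Users", "Helpdesk"],
    "Domain Users": ["Telephone Services"],
    "Helpdesk": ["Server Operators"],
    "Server Operators": ["Finance Admins"],
    "Finance Admins": ["Helpdesk"],  # circular nesting, must not loop forever
}
# Constructed ACLs: resource -> {group: rights granted to that group}.
ACLS = {
    "phone-directory": {"Telephone Services": {"read"}},
    "finance-share": {"Finance Admins": {"read", "write"}, "Domain Users": {"list"}},
}

def membership_chains(principal):
    """Breadth-first walk of nested groups; returns {group: shortest chain to it}."""
    chains, queue = {}, deque([(principal, [principal])])
    while queue:
        node, chain = queue.popleft()
        for group in MEMBER_OF.get(node, []):
            if group not in chains and group != principal:
                chains[group] = chain + [group]
                queue.append((group, chains[group]))
    return chains

def effective_permissions(principal):
    """Resultant set: {(resource, right): chain of groups that grants it}."""
    chains, result = membership_chains(principal), {}
    for resource, acl in ACLS.items():
        for group, rights in acl.items():
            if group in chains:
                for right in rights:
                    result.setdefault((resource, right), chains[group])
    return result

def privilege_creep(principal, needed):
    """Rights held but not in the role baseline `needed`, with the granting chain."""
    return {k: v for k, v in effective_permissions(principal).items() if k not in needed}

if __name__ == "__main__":
    baseline = {("phone-directory", "read"), ("finance-share", "list")}
    for (resource, right), chain in sorted(privilege_creep("alice", baseline).items()):
        print(f"{resource}:{right} via {' -> '.join(chain)}")
```

Reporting the granting chain alongside each excess right shows which nesting to break, rather than only that the user holds too much.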

Reflect and share: How do you approach data visibility and inherited permissions? What are some challenges that you come across? Share with your fellow learners.

This article is from the free online course Cyber Security Foundations: Identity and Access Management, created by FutureLearn.
