Role authorisations

The roles created via RSBAC contain a series of rights that restrict or enable access to other resources (such as files, network ports and devices) for the programmes being executed. Background: on a Linux operating system with the RSBAC extension, further models can be loaded in addition to the conventional access rights model, and their rights can be combined with each other. Rights are also understood as restrictions. In TightGate-Pro, the Role Compatibility Model (RC model) deserves particular mention. The RC model allows a much finer assignment of rights than the standard access rights model under Linux.

Each role has its own set of rights, independent of all other roles. For example, when a user starts the web browser, it runs with the rights of the web browser role and therefore holds the RC rights for exactly the actions that are to be carried out with the web browser. In addition, the restrictions from the other security models remain in force; the browser of one user cannot jeopardise the browser of another.

Note: Until now, the term "administrator" was usually used to refer to a user account created by the system with the authorisations of a specific role. In the following, roles are written in upper case, while administrator accounts are written in lower case. A role describes an authorisation context that a user or administrator account, but also a programme, can have. TightGate-Pro has only one administrator account for a central role, and that account is named in the same way as the role itself.

Programmes are also started in a role context. This encapsulates the programmes and prevents security-relevant "attacks" on each other or on the underlying operating system.

| Function / Authorisation (by role name) | USER | CONFIG | MAINT | UPDATE | BACKUP | REVISION | TRANSFER | SECURITY | ROOT | ROOT MAINTENANCE |
|---|---|---|---|---|---|---|---|---|---|---|
| Changing network settings limited to menu functionality | - | + | - | - | - | - | - | - | - | - |
| Reboot the system | - | + | + | + | - | - | - | - | + | + |
| Individual modification of configuration files | - | - | - | - | - | - | - | - | - | + (restricted) |
| Assignment of role authorisations | - | - | - | - | - | - | - | + | - | - |
| Shell access | + | - | - | - | - | + | - | + | + | + |
| Graphical user interface | + | - | - | - | - | + | - | - | - | - |
| User administration limited to menu functionality | - | - | + | - | - | - | - | - | - | - |
| Restart of individual services | - | + | + | + | - | - | - | - | + | + |
| Time-limited authorisation of administrator logins via SSH | - | - | + | - | - | - | - | +(*) | - | - |
| Authorisation of logins via SSH over network from outside the intended client network | - | + | - | - | - | - | - | - | +(*) | +(*) |
| Open the remote maintenance access for m-privacy GmbH | - | - | + | - | - | - | - | - | - | - |
| Update of installed programme packages limited via menu functionality | - | - | - | + | - | - | - | - | - | - |
| Access to /home directories | + (only own directory) | - | - | - | - | + (read only) | - | + (read only) | - | + |
| Save and restore the RSBAC configuration | - | - | - | + (Restore) | - | - | - | + | - | - |
| Change RSBAC configuration | - | - | - | - | - | - | - | + | - | - |
| Full access via interpreter to images of selected user directories | - | - | - | - | - | + | - | - | - | - |
| Read-only access to system logs | - | - | - | - | - | + | - | + | + | + |
| Write access to system logs | - | - | - | - | - | - | - | - | - | - |
| Network access | + | - | - | restricted | restricted | - | - | restricted | restricted | restricted |
| Read-only access to user data | - | - | - | - | - | + | - | + | - | - |
| Editing the configuration of unprotected system services | - | - | - | - | - | - | - | - | - | + |
| Use of test tools (e.g. netstat) | - | - | - | - | - | - | - | - | + | + |
| Call of "rsbac_menu" | - | - | - | - | - | - | - | + | + (read only) | + (read only) |

Legend:

(*) Option can only be set manually via the console, not via a menu option.
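
A role matrix like the one above can be reviewed mechanically. The following is an added example, not part of the original page or of TightGate-Pro: it parses an excerpt of the table and reports functions that no role holds, functions held by exactly one role, and roles that combine two given functions. The pairs in `REVIEW_PAIRS` and the reading of the last two columns as ROOT and ROOT MAINTENANCE are assumptions.

```python
# Added example (not vendor code): audit an excerpt of the role matrix.
ROLES = ["USER", "CONFIG", "MAINT", "UPDATE", "BACKUP", "REVISION",
         "TRANSFER", "SECURITY", "ROOT", "ROOT MAINTENANCE"]

# Rows copied from the table on this page; cells are in ROLES order.
MATRIX = """\
Reboot the system|- + + + - - - - + +
Assignment of role authorisations|- - - - - - - + - -
Shell access|+ - - - - + - + + +
User administration limited to menu functionality|- - + - - - - - - -
Change RSBAC configuration|- - - - - - - + - -
Read-only access to system logs|- - - - - + - + + +
Write access to system logs|- - - - - - - - - -
Network access|+ - - restricted restricted - - restricted restricted restricted
Read-only access to user data|- - - - - + - + - -
"""

def parse(text):
    """Return {function: {role: cell}}; reject rows with a wrong cell count."""
    table = {}
    for line in text.strip().splitlines():
        name, cells = line.rsplit("|", 1)
        cells = cells.split()
        if len(cells) != len(ROLES):
            raise ValueError(f"{name!r}: {len(cells)} cells, expected {len(ROLES)}")
        table[name] = dict(zip(ROLES, cells))
    return table

def holders(table, function):
    """Roles whose cell is not '-'; 'restricted' and '+(*)' count as granted."""
    return {role for role, cell in table[function].items() if cell != "-"}

def sole_holders(table):
    """Functions granted to exactly one role, mapped to that role."""
    return {f: next(iter(holders(table, f)))
            for f in table if len(holders(table, f)) == 1}

def combined(table, pairs):
    """For each pair of functions, the sorted list of roles that hold both."""
    return {p: sorted(holders(table, p[0]) & holders(table, p[1])) for p in pairs}

# Pairs chosen for illustration only; which combinations matter is a policy decision.
REVIEW_PAIRS = [
    ("Read-only access to user data", "Network access"),
    ("Change RSBAC configuration", "User administration limited to menu functionality"),
]

if __name__ == "__main__":
    t = parse(MATRIX)
    print("held by no role:", [f for f in t if not holders(t, f)])
    print("sole holders:", sole_holders(t))
    print("combined:", combined(t, REVIEW_PAIRS))
```

The cell-count check in `parse` also catches rows that were damaged when the table was copied, which would otherwise shift rights into the wrong role column.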